468970 - Crash [@ nsElementSH::PostCreate] with svg, mathml, bindings, contenteditable and accessing element

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P2)

Description

[Martijn Wargers (dead)]

Attachment: binding needed for testcase

See upcoming testcase, which crashes current trunk build after 500ms.
It also crashes Firefox 3 (so marking security sensitive for now), but not Firefox 2. I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/2b809063-0f9a-41b5-ba29-dc3572081210?p=1
0  	 	@0x2c08bd4  	
1 	xul.dll 	nsElementSH::PostCreate 	dom/src/base/nsDOMClassInfo.cpp:7566
2 	xul.dll 	XPCWrappedNative::GetNewOrUsed 	js/src/xpconnect/src/xpcwrappednative.cpp:546
3 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/src/xpconnect/src/xpcconvert.cpp:1123
4 	xul.dll 	xpc_qsXPCOMObjectToJsval 	js/src/xpconnect/src/xpcquickstubs.cpp:763
5 	xul.dll 	nsIDOMDocument_GetElementById 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:1829
6 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:5118
7 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1331
8 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1388
9 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5245
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:1989
11 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/src/base/nsGlobalWindow.cpp:7661
12 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/src/base/nsGlobalWindow.cpp:7993
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:420
14 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:512
15 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
16 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
17 	nspr4.dll 	PR_GetEnv 	
18 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
19 	firefox.exe 	firefox.exe@0x2197 	
20 	kernel32.dll 	BaseProcessStart

Comment 1

[Martijn Wargers (dead)]

Attachment: testcase

Comment 2

[Benjamin Smedberg]

Blame points to http://hg.mozilla.org/mozilla-central/annotate/85507cfcdda8/dom/src/base/nsDOMClassInfo.cpp#l7566 which is the end of a scope. This probably means that we're over-releasing a nsStyleContext (or possibly the xblservice, but that seems unlikely).

If I have time, I'll try to run a refcount balance on this to see if I can pinpoint something useful.

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

A debug build also asserts in editor: ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file /home/mrbkap/work/main/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 389

Comment 4

[Johnny Stenback (:jst)]

Benjamin, it'd be great if you did have time to look into this further. If not, please feel free to give it to Jonas. Marking this a P2 blocker since it's likely exploitable crash, and it is a regression.

Comment 5

[Benjamin Smedberg]

I can reproduce the assertion but not the crash, trunk and branch.

Comment 6

[Benjamin Smedberg]

In nsHTMLEditRules::BeforeEdit the call to
mHTMLEditor->GetStartNodeAndOffset is failing, because
the call to enumerator->CurrentItem is failing
http://mxr.mozilla.org/mozilla/source/editor/libeditor/base/nsEditor.cpp#4057

I'm happy to help more with guidance, but I'm not sure where to go from here.

Comment 7

[Martijn Wargers (dead)]

This was fixed on trunk between 2008-12-20 and 2008-12-21:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-20+03%3A00%3A00&enddate=2008-12-21+05%3A30%3A00
So I guess fixed by bug 466057.

Comment 8

[Martijn Wargers (dead)]

Attachment: zipped up testcase