Crash [@ nsCSSStyleSheet::GetOwnerNode] after GC

RESOLVED FIXED in mozilla1.9.1b3

Status

()

Core
CSS Parsing and Computation
P3
critical
RESOLVED FIXED
9 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: dbaron)

Tracking

(Blocks: 2 bugs, 5 keywords)

Trunk
mozilla1.9.1b3
crash, fixed1.8.1.21, fixed1.9.1, testcase, verified1.9.0.7
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 -
wanted1.9.1 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +
blocking1.8.0.next +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical], crash signature)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
Created attachment 358552 [details]
testcase (crashes Firefox when loaded, if Quitter is installed)

Loading the testcase causes nsCSSStyleSheet::GetOwnerNode to call some random address.

The testcase assumes you have http://www.squarefree.com/extensions/quitter.xpi installed, and uses it to trigger a GC at the right moment.
(Reporter)

Updated

9 years ago
Whiteboard: [sg:critical]
(Assignee)

Comment 1

9 years ago
Created attachment 358557 [details]
valgrind's explanation of crash

Not as helpful as I was hoping.
(Assignee)

Comment 2

9 years ago
Created attachment 358561 [details] [diff] [review]
patch

Thoughts on this approach vs. a DropStyleSheet method that just does the setting to null (and would also be called by SetStyleSheet)?
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #358561 - Flags: superreview?(bzbarsky)
Attachment #358561 - Flags: review?(bzbarsky)
(Assignee)

Updated

9 years ago
Flags: blocking1.9.1?
(Assignee)

Comment 3

9 years ago
Created attachment 358562 [details] [diff] [review]
patch

Oops, forgot to qrefresh after my last edit.
Attachment #358561 - Attachment is obsolete: true
Attachment #358562 - Flags: superreview?(bzbarsky)
Attachment #358562 - Flags: review?(bzbarsky)
Attachment #358561 - Flags: superreview?(bzbarsky)
Attachment #358561 - Flags: review?(bzbarsky)
(Assignee)

Comment 4

9 years ago
And to be clear:  what's fixing the bug is that we're now calling SetOwningNode(nsnull) at the two places in nsStyleLinkElement::DoUpdateStyleSheet that used to just do mStyleSheet = nsnull.
Comment on attachment 358562 [details] [diff] [review]
patch

Good catch.  Can we possibly write a mochitest for this?
Attachment #358562 - Flags: superreview?(bzbarsky)
Attachment #358562 - Flags: superreview+
Attachment #358562 - Flags: review?(bzbarsky)
Attachment #358562 - Flags: review+
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Attachment #358562 - Flags: approval1.9.1+
(Assignee)

Comment 6

9 years ago
http://hg.mozilla.org/mozilla-central/rev/014fe552d77a
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite?
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
(Assignee)

Comment 7

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/94fded227f9e
Keywords: fixed1.9.1
Whiteboard: [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical][needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
(Assignee)

Updated

9 years ago
Attachment #358562 - Flags: approval1.9.0.7?
Attachment #358562 - Flags: approval1.9.0.7? → approval1.9.0.7+
Comment on attachment 358562 [details] [diff] [review]
patch

Approved for 1.9.0.7, a=dveditz for release-drivers.
Flags: wanted1.9.0.x+
(Assignee)

Comment 9

9 years ago
Commited to CVS trunk (for 1.9.0.* releases), 2009-02-02 20:13 -0800.
Keywords: fixed1.9.0.7
Whiteboard: [sg:critical][needs 1.9.0.* landing] → [sg:critical]
dbaron: Is this needed for the 1.8 branch? The testcase doesn't crash because Quitter fails to GC (Components.utils.forceGC is not a function), but the 1.8 version of nsStyleLinkElement::UpdateStyleSheet has code identical to that which you patched.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next+
(Assignee)

Comment 11

9 years ago
I don't know any reason that it wouldn't be needed... so it's probably needed.
Verified that the testcase here crashes 1.9.0.6 but doesn't crash 1.9.0.7 (with quitter extension). Used Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021204 GranParadiso/3.0.7pre.
Keywords: fixed1.9.0.7 → verified1.9.0.7

Comment 13

9 years ago
Created attachment 363095 [details] [diff] [review]
1.8 version
Comment on attachment 363095 [details] [diff] [review]
1.8 version

>--- mozilla/content/base/src/nsStyleLinkElement.h.475136	2004-09-09 19:32:34.000000000 +0200
>+++ mozilla/content/base/src/nsStyleLinkElement.h	2009-02-17 18:12:08.000000000 +0100
>@@ -72,6 +72,7 @@ public:
> 
>   static void ParseLinkTypes(const nsAString& aTypes, nsStringArray& aResult);
> 
>+
> protected:
>   virtual void GetStyleSheetURL(PRBool* aIsInline,
>                                 nsIURI** aURI) = 0;

What's this added whitespace for?

Otherwise than that nit, this is probably good for checkin.
Attachment #363095 - Flags: approval1.8.1.next?
Comment on attachment 363095 [details] [diff] [review]
1.8 version

Approved for 1.8.1.21, a=dveditz for release-drivers

In the future please use the same diff options as the patch you're porting (context lines, etc). that makes comparing them much easier
Attachment #363095 - Flags: approval1.8.1.next? → approval1.8.1.next+
(Assignee)

Comment 16

9 years ago
Committed the backported patch to MOZILLA_1_8_BRANCH, 2009-02-23 09:57 -0800.  Thanks for doing the backport.
(Assignee)

Updated

9 years ago
Keywords: fixed1.8.1.21
Group: core-security

Comment 17

8 years ago
Comment on attachment 363095 [details] [diff] [review]
1.8 version

a=asac for 1.8.0
Attachment #363095 - Flags: approval1.8.0.next+

Updated

8 years ago
Flags: blocking1.8.0.next+
Crash Signature: [@ nsCSSStyleSheet::GetOwnerNode]
You need to log in before you can comment on or make changes to this bug.