Closed Bug 479499 Opened 14 years ago Closed 10 years ago

The testcase from bug 460706 can hang

Categories

(Core :: XML, defect)

Platform: x86 Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
Tracking Status
status1.9.1 --- ?

People

(Reporter: martijn.martijn, Assigned: mrbkap)


Details

(Keywords: hang, testcase, Whiteboard: [sg:dos])

Attachments

(2 files)

The testcase from bug 460706, https://bugzilla.mozilla.org/attachment.cgi?id=343855 , can hang.
It doesn't always happen; if it doesn't happen for you, try reloading it a couple of times.
Marking this bug security sensitive, since bug 460706 is also security sensitive.
Attached file testcase
Testcase that automatically reloads after a couple of hundred ms. This hangs pretty quickly in the current trunk build for me.
Attached patch Proposed fix
This is a non-exploitable hang.

I'm not exactly sure how this happens, but we end up with start being past end. I think it might have to do with mExpatBuffered + start.size_forward() allowing us to jump past |end|, but I haven't proved it.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #363424 - Flags: superreview?(peterv)
Attachment #363424 - Flags: review?(peterv)
Attachment #363424 - Flags: superreview?(peterv)
Attachment #363424 - Flags: superreview+
Attachment #363424 - Flags: review?(peterv)
Attachment #363424 - Flags: review+
Comment on attachment 363424 [details] [diff] [review]
Proposed fix

We also use end in the block for NS_FAILED(mInternalState). It's ok to not update it there I think, we're looking for a newline in the buffer that we tried to parse. We'll just use less than the data that we do have at our disposal but since it's for error reporting that's no big deal.
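The two failure modes discussed in the comments above (a scan position that jumps past `end`, and an error-reporting scan that may run with a stale `end`) are shown below as an added illustration. This is example code written for this page, not the nsExpatDriver code or the patch; the names `pos`, `len`, `buffered`, `segment`, `cap` and `line_before` are assumptions chosen for the illustration.

```cpp
#include <cstddef>
#include <string>

// Added illustration of the hang: a scan position advanced by
// "bytes already buffered + size of the current segment" can land past the
// end of the buffer, and a loop that exits only on `pos == len` then never
// terminates. Names here are assumptions for the example, not Mozilla code.

struct ScanResult {
    bool hung;          // true when the loop did not reach its exit condition
    std::size_t steps;  // iterations performed
    std::size_t pos;    // final scan position
};

// Unchecked scan: the exit test is an equality, so a jump that overshoots
// `len` is never caught. `cap` stands in for "forever" so the example
// terminates; reaching it is reported as a hang.
ScanResult scan_unchecked(std::size_t len, std::size_t buffered,
                          std::size_t segment, std::size_t cap) {
    std::size_t pos = 0, steps = 0;
    while (pos != len) {
        if (steps >= cap) return {true, steps, pos};
        ++steps;
        pos += buffered + segment;  // can jump past len
    }
    return {false, steps, pos};
}

// Checked scan: the jump is clamped to the bytes actually remaining and the
// loop condition is an ordering test, so the position can never pass `len`.
// A jump of zero makes no progress; that is reported as a hang instead of
// spinning.
ScanResult scan_checked(std::size_t len, std::size_t buffered,
                        std::size_t segment, std::size_t cap) {
    std::size_t pos = 0, steps = 0;
    while (pos < len) {
        if (steps >= cap) return {true, steps, pos};
        ++steps;
        std::size_t jump = buffered + segment;
        if (jump == 0) return {true, steps, pos};
        std::size_t remaining = len - pos;
        pos += (jump < remaining) ? jump : remaining;  // clamp to end
    }
    return {false, steps, pos};
}

// Error-reporting helper in the spirit of the review comment: return the text
// after the last newline within the first `end` bytes of the buffer. A stale
// or shorter `end` only means less context is reported; an `end` beyond the
// buffer is clamped rather than trusted.
std::string line_before(const std::string& buf, std::size_t end) {
    if (end > buf.size()) end = buf.size();
    if (end == 0) return std::string();
    std::size_t nl = buf.rfind('\n', end - 1);
    std::size_t line_start = (nl == std::string::npos) ? 0 : nl + 1;
    return buf.substr(line_start, end - line_start);
}
```

With a 10-byte buffer, 3 bytes already buffered and a 4-byte segment, the unchecked loop steps 0, 7, 14, ... and never equals 10, while the checked loop stops at 10 after two iterations. The point for a reviewer is that the exit test should be an ordering comparison and the advance should be bounded by what remains, independently of how the jump amount is derived.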
http://hg.mozilla.org/mozilla-central/rev/f364b7f1b082
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I'm going to wait to enable the crashtest for this bug (and bug 460706) until I have a chance to run it.
Flags: in-testsuite?
Crashtest enabled.
Flags: in-testsuite? → in-testsuite+
This crashtest is hanging on mozilla-central right now.  See, e.g. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1236077322.1236085244.18044.gz

I think we should disable it, and re-open this bug.
Backed out, re-disabling the test: 

http://hg.mozilla.org/mozilla-central/rev/c395bb2cf30a
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Group: core-security
Whiteboard: [sg:dos]
Blake: Any update here? Hanging on that testcase isn't much better than crashing. :)
status1.9.1: --- → ?
Flags: wanted1.9.0.x?
Sure it is, you can't exploit a hang! :) I'll look into this as soon as I get a chance.
Trying again... https://hg.mozilla.org/integration/mozilla-inbound/rev/e2d470f1c616
Status: REOPENED → RESOLVED
Closed: 14 years ago → 10 years ago
Flags: wanted1.9.0.x?
Resolution: --- → FIXED