Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 488274 - Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified and colorpicker
: Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified...
[sg:dos] null deref
: crash, testcase, verified1.9.0.16, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla1.9.3a1
Assigned To: Johnny Stenback (:jst,
: Andrew Overholt [:overholt]
Depends on:
  Show dependency treegraph
Reported: 2009-04-14 06:44 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT (History)
10 users (show)
jst: blocking1.9.2-
jst: wanted1.9.2+
jst: blocking1.9.1-
jst: wanted1.9.1+
samuel.sidler+old: wanted1.9.0.x+
hskupin: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (346 bytes, application/vnd.mozilla.xul+xml)
2009-04-14 06:44 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags Details
shows where the problem is (856 bytes, patch)
2009-05-12 13:01 PDT, Olli Pettay [:smaug]
no flags Details | Diff | Splinter Review
Smaugs fix, tweaked. (770 bytes, patch)
2009-05-12 22:37 PDT, Johnny Stenback (:jst,
jst: review+
bzbarsky: superreview+
jst: approval1.9.2+
dveditz: approval1.9.1.6+
dveditz: approval1.9.0.16+
Details | Diff | Splinter Review

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2009-04-14 06:44:14 PDT
Created attachment 372606 [details]

See testcase, which crashes current trunk build and Firefox3.0.7 on load.
0  	xul.dll  	nsObjectLoadingContent::OnStartRequest  	 content/base/src/nsObjectLoadingContent.cpp:540
1 	xul.dll 	nsBaseChannel::OnStartRequest 	netwerk/base/src/nsBaseChannel.cpp:665
2 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
3 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
4 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
5 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
6 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
7 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
8 	nspr4.dll 	PR_GetEnv 	
9 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
10 	firefox.exe 	firefox.exe@0x21a7 	
11 	kernel32.dll 	BaseProcessStart
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-04-14 06:49:44 PDT
The testcase doesn't seem to crash online.
Comment 2 Mike Beltzner [:beltzner, not reading bugmail] 2009-05-12 11:49:16 PDT
jst/jonas: can we get a blocking decision here?
Comment 3 Olli Pettay [:smaug] 2009-05-12 13:01:22 PDT
Created attachment 376985 [details] [diff] [review]
shows where the problem is

#7  0x00002aaab0dfa75b in nsObjectLoadingContent::RemovedFromDocument (this=0xf4b920)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1375
#8  0x00002aaab0e92b74 in nsHTMLObjectElement::UnbindFromTree (this=0xf4b8d0, aDeep=27046, aNullParent=6)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/content/src/nsHTMLObjectElement.cpp:239
#9  0x00002aaab0de9ba1 in nsGenericElement::doRemoveChildAt (aIndex=1, aNotify=1, aKid=0xf4b8d0, aParent=0x17d51e0, 
    aDocument=<value optimized out>, aChildArray=@0x17d5218)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3398
#10 0x00002aaab0de9e58 in nsGenericElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3325
#11 0x00002aaab109ab84 in nsXULElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/content/src/nsXULElement.cpp:961
#12 0x00002aaab0de85cf in nsGenericElement::doRemoveChild (aOldChild=0xf4b9c8, aParent=<value optimized out>, 
    aDocument=<value optimized out>, aReturn=0x7fffc508bff0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4002
#13 0x00002aaab06a1ced in nsIDOMNode_RemoveChild (cx=<value optimized out>, argc=1, vp=0x1a9d678) at dom_quickstubs.cpp:2936
#14 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#15 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=1, vp=0x1a9d660, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#16 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, flags=0, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#17 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#18 0x00002aaab0f7fa57 in nsJSContext::CallEventHandler (this=0x1dc7150, aTarget=<value optimized out>, 
    aScope=<value optimized out>, aHandler=0xf0d400, aargv=0x17aa390, arv=0x7fffc508c7e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:2026
#19 0x00002aaab0fc9b2b in nsJSEventListener::HandleEvent (this=0x11b08a0, aEvent=0x1ad2428)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/events/nsJSEventListener.cpp:247
#20 0x00002aaab0e3745f in nsEventListenerManager::HandleEventSubType (this=0x1ae4b30, aListenerStruct=0x1ae4b78, 
    aListener=0x11b08a0, aDOMEvent=0x1ad2428, aCurrentTarget=0x17ab800, aPhaseFlags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1090
#21 0x00002aaab0e379e7 in nsEventListenerManager::HandleEvent (this=0x1ae4b30, aPresContext=0x0, aEvent=0x7fffc508ced0, 
    aDOMEvent=0x7fffc508cc00, aCurrentTarget=0x17ab800, aFlags=2, aEventStatus=0x7fffc508cc08)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1187
#22 0x00002aaab0e5b85d in nsEventTargetChainItem::HandleEvent (this=0x1acb118, aVisitor=@0x7fffc508cbf0, aFlags=2, 
    aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:227
#23 0x00002aaab0e5bacc in nsEventTargetChainItem::HandleEventTargetChain (this=0x1acb428, aVisitor=@0x7fffc508cbf0, 
    aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:315
#24 0x00002aaab0e5bfbe in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, 
---Type <return> to continue, or q <return> to quit---
    aEvent=0x7fffc508ced0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:508
#25 0x00002aaab0de7b9e in nsGenericElement::SetAttrAndNotify (this=0x205b180, aNamespaceID=0, aName=0xa21b88, 
    aPrefix=<value optimized out>, aOldValue=@0x7fffc508d030, aParsedValue=<value optimized out>, aModification=0, 
    aFireMutation=1, aNotify=1, aValueForAfterSetAttr=0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4406
#26 0x00002aaab0de8045 in nsGenericElement::SetAttr (this=0x205b180, aNamespaceID=0, aName=0xa21b88, aPrefix=0x0, 
    aValue=@0x7fffc508d190, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#27 0x00002aaab0de1ad9 in nsGenericElement::SetAttribute (this=0x205b180, aName=@0x7fffc508d1b0, aValue=@0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.h:386
#28 0x00002aaab06a4cb3 in nsIDOMElement_SetAttribute (cx=0x1bd0a80, argc=2, vp=0x1a9d620) at dom_quickstubs.cpp:2213
#29 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#30 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=0, vp=0x1a9d418, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#31 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, flags=0, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#32 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#33 0x00002aaab0f3eba9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x14a27d0, aBoundElement=0x177cc40)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332
#34 0x00002aaab0f4cb1d in nsBindingManager::ProcessAttachedQueue (this=0x1a97db0, aSkipSize=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015
#35 0x00002aaab0c06d1a in PresShell::FlushPendingNotifications (this=0x2092290, aType=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsPresShell.cpp:4765
#36 0x00002aaab0dc7a8d in nsDocument::FlushPendingNotifications (this=<value optimized out>, aType=Flush_Style)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:6273
#37 0x00002aaab0dfb040 in nsObjectLoadingContent::NotifyStateChanged (this=0xf4b920, 
    aOldType=nsObjectLoadingContent::eType_Loading, aOldState=2097152, aSync=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1528
#38 0x00002aaab0dfe6a8 in AutoNotifier::Notify (this=0x7fffc508da50)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:235
#39 0x00002aaab0dfc25e in nsObjectLoadingContent::OnStartRequest (this=0xf4b920, aRequest=0x1938df0, aContext=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:534
Comment 4 Johnny Stenback (:jst, 2009-05-12 21:12:18 PDT
This is not an exploitable crash, just a simple null dereference crash. Opening bug to the public.
Comment 5 Johnny Stenback (:jst, 2009-05-12 22:35:08 PDT
I don't think we should block on this, but I'd like to see a patch approved. I think what we want to do here is exactly what smaug's patch does, except w/o warning and throwing a better error. Updated patch coming up.
Comment 6 Johnny Stenback (:jst, 2009-05-12 22:37:06 PDT
Created attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.
Comment 7 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-05-26 03:21:07 PDT
Is the fix ready to be checked in?
Comment 8 Henrik Skupin (:whimboo) 2009-05-26 03:25:48 PDT
It doesn't block 3.5 and also doesn't have approval1.9.1. So given by the tree rules it cannot be checked in right now.
Comment 9 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-08-10 16:30:06 PDT
Is the fix now ready to be checked in?
Comment 10 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-10-01 13:45:03 PDT
Can the fix be checked in?
Comment 11 Dão Gottwald [:dao] 2009-10-02 06:49:33 PDT
Comment 12 Henrik Skupin (:whimboo) 2009-10-06 07:02:49 PDT
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091003 Minefield/3.7a1pre ID:20091003031247

I'm not able to crash any build on Windows but any branch on OS X and Linux crashes immediately when loading the testcase. Can we get in the crashtest too?

Johnny, can we request approvals on your patch for the remaining branches?
Comment 13 Johnny Stenback (:jst, 2009-10-06 09:55:20 PDT
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Sure. This is adding a null pointer check, perfectly safe. We should take this for older releases...
Comment 14 Henrik Skupin (:whimboo) 2009-10-06 14:26:07 PDT
As that in my comment above it still crashes on 1.9.2 and 1.9.1 too. This bug is not marked as blocking so we would also need flags for both branches too.
Comment 15 Samuel Sidler (old account; do not CC) 2009-10-07 10:28:10 PDT
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Not for Pushing out approval request.
Comment 16 Daniel Veditz [:dveditz] 2009-10-16 10:35:07 PDT
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Approved for and, a=dveditz for release-drivers
Comment 18 Samuel Sidler (old account; do not CC) 2009-11-16 09:09:03 PST
Johnny: Can we get this landed on 1.9.0 asap?
Comment 19 Johnny Stenback (:jst, 2009-11-16 18:56:03 PST
Fixed in CVS.
Comment 20 Henrik Skupin (:whimboo) 2009-11-17 01:19:55 PST
Verified fixed on 1.9.2 and 1.9.1 with builds on Linux and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre ID:20091114033807

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/20091108 Shiretoko/3.5.6pre ID:20091108030959
Comment 21 Al Billings [:abillings] 2009-11-23 12:22:08 PST
Verified for using Martijn's testcase with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Testcase crashes on load on the same system.

Note You need to log in before you can comment on or make changes to this bug.