Bug 488274 (Closed)
Opened 16 years ago
Closed 15 years ago
Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified and colorpicker
Categories: Core :: DOM: Core & HTML, defect
Status: VERIFIED FIXED
Target Milestone: mozilla1.9.3a1

Flag | Tracking | Status
---|---|---
status1.9.2 | --- | beta2-fixed
status1.9.1 | --- | .6-fixed
People: Reporter: martijn.martijn, Assigned: jst
Details: 5 keywords, Whiteboard: [sg:dos] null deref
Crash Data: [@ nsObjectLoadingContent::OnStartRequest]
Attachments (3 files):
- Attachment 1: 346 bytes, application/vnd.mozilla.xul+xml
- Attachment 2: 856 bytes, patch
- Attachment 3: 770 bytes, patch; flags: jst: review+, bzbarsky: superreview+, jst: approval1.9.2+, dveditz: approval1.9.1.6+, dveditz: approval1.9.0.16+
See testcase, which crashes current trunk build and Firefox3.0.7 on load.
http://crash-stats.mozilla.com/report/index/41738fe7-3cb8-4456-8911-5deee2090414?p=1
0 xul.dll nsObjectLoadingContent::OnStartRequest content/base/src/nsObjectLoadingContent.cpp:540
1 xul.dll nsBaseChannel::OnStartRequest netwerk/base/src/nsBaseChannel.cpp:665
2 xul.dll nsInputStreamPump::OnStateStart netwerk/base/src/nsInputStreamPump.cpp:439
3 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:395
4 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:190
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
6 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
7 xul.dll nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:192
8 nspr4.dll PR_GetEnv
9 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:107
10 firefox.exe firefox.exe@0x21a7
11 kernel32.dll BaseProcessStart
Comment 1 (Reporter) • 16 years ago
The testcase doesn't seem to crash online.
Updated (Reporter) • 15 years ago
Flags: wanted1.9.2?
Flags: wanted1.9.1?
Flags: blocking1.9.2?
Flags: blocking1.9.1?
Comment 2 • 15 years ago
jst/jonas: can we get a blocking decision here?
Updated • 15 years ago
Flags: wanted1.9.0.x?
Comment 3 • 15 years ago
#7 0x00002aaab0dfa75b in nsObjectLoadingContent::RemovedFromDocument (this=0xf4b920)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1375
#8 0x00002aaab0e92b74 in nsHTMLObjectElement::UnbindFromTree (this=0xf4b8d0, aDeep=27046, aNullParent=6)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/content/src/nsHTMLObjectElement.cpp:239
#9 0x00002aaab0de9ba1 in nsGenericElement::doRemoveChildAt (aIndex=1, aNotify=1, aKid=0xf4b8d0, aParent=0x17d51e0,
aDocument=<value optimized out>, aChildArray=@0x17d5218)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3398
#10 0x00002aaab0de9e58 in nsGenericElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3325
#11 0x00002aaab109ab84 in nsXULElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/content/src/nsXULElement.cpp:961
#12 0x00002aaab0de85cf in nsGenericElement::doRemoveChild (aOldChild=0xf4b9c8, aParent=<value optimized out>,
aDocument=<value optimized out>, aReturn=0x7fffc508bff0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4002
#13 0x00002aaab06a1ced in nsIDOMNode_RemoveChild (cx=<value optimized out>, argc=1, vp=0x1a9d678) at dom_quickstubs.cpp:2936
#14 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#15 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=1, vp=0x1a9d660, flags=0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#16 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, flags=0, argc=1, argv=0x1a9d658,
rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#17 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, argc=1, argv=0x1a9d658,
rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#18 0x00002aaab0f7fa57 in nsJSContext::CallEventHandler (this=0x1dc7150, aTarget=<value optimized out>,
aScope=<value optimized out>, aHandler=0xf0d400, aargv=0x17aa390, arv=0x7fffc508c7e0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:2026
#19 0x00002aaab0fc9b2b in nsJSEventListener::HandleEvent (this=0x11b08a0, aEvent=0x1ad2428)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/events/nsJSEventListener.cpp:247
#20 0x00002aaab0e3745f in nsEventListenerManager::HandleEventSubType (this=0x1ae4b30, aListenerStruct=0x1ae4b78,
aListener=0x11b08a0, aDOMEvent=0x1ad2428, aCurrentTarget=0x17ab800, aPhaseFlags=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1090
#21 0x00002aaab0e379e7 in nsEventListenerManager::HandleEvent (this=0x1ae4b30, aPresContext=0x0, aEvent=0x7fffc508ced0,
aDOMEvent=0x7fffc508cc00, aCurrentTarget=0x17ab800, aFlags=2, aEventStatus=0x7fffc508cc08)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1187
#22 0x00002aaab0e5b85d in nsEventTargetChainItem::HandleEvent (this=0x1acb118, aVisitor=@0x7fffc508cbf0, aFlags=2,
aMayHaveNewListenerManagers=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:227
#23 0x00002aaab0e5bacc in nsEventTargetChainItem::HandleEventTargetChain (this=0x1acb428, aVisitor=@0x7fffc508cbf0,
aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:315
#24 0x00002aaab0e5bfbe in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>,
aEvent=0x7fffc508ced0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:508
#25 0x00002aaab0de7b9e in nsGenericElement::SetAttrAndNotify (this=0x205b180, aNamespaceID=0, aName=0xa21b88,
aPrefix=<value optimized out>, aOldValue=@0x7fffc508d030, aParsedValue=<value optimized out>, aModification=0,
aFireMutation=1, aNotify=1, aValueForAfterSetAttr=0x7fffc508d190)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4406
#26 0x00002aaab0de8045 in nsGenericElement::SetAttr (this=0x205b180, aNamespaceID=0, aName=0xa21b88, aPrefix=0x0,
aValue=@0x7fffc508d190, aNotify=1)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#27 0x00002aaab0de1ad9 in nsGenericElement::SetAttribute (this=0x205b180, aName=@0x7fffc508d1b0, aValue=@0x7fffc508d190)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.h:386
#28 0x00002aaab06a4cb3 in nsIDOMElement_SetAttribute (cx=0x1bd0a80, argc=2, vp=0x1a9d620) at dom_quickstubs.cpp:2213
#29 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#30 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=0, vp=0x1a9d418, flags=0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#31 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, flags=0, argc=0, argv=0x0,
rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#32 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, argc=0, argv=0x0,
rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#33 0x00002aaab0f3eba9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x14a27d0, aBoundElement=0x177cc40)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332
#34 0x00002aaab0f4cb1d in nsBindingManager::ProcessAttachedQueue (this=0x1a97db0, aSkipSize=0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015
#35 0x00002aaab0c06d1a in PresShell::FlushPendingNotifications (this=0x2092290, aType=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsPresShell.cpp:4765
#36 0x00002aaab0dc7a8d in nsDocument::FlushPendingNotifications (this=<value optimized out>, aType=Flush_Style)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:6273
#37 0x00002aaab0dfb040 in nsObjectLoadingContent::NotifyStateChanged (this=0xf4b920,
aOldType=nsObjectLoadingContent::eType_Loading, aOldState=2097152, aSync=1)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1528
#38 0x00002aaab0dfe6a8 in AutoNotifier::Notify (this=0x7fffc508da50)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:235
#39 0x00002aaab0dfc25e in nsObjectLoadingContent::OnStartRequest (this=0xf4b920, aRequest=0x1938df0, aContext=0x0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:534
Comment 4 (Assignee) • 15 years ago
This is not an exploitable crash, just a simple null dereference crash. Opening bug to the public.
Group: core-security
Comment 5 (Assignee) • 15 years ago
I don't think we should block on this, but I'd like to see a patch approved. I think what we want to do here is exactly what smaug's patch does, except w/o warning and throwing a better error. Updated patch coming up.
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: wanted1.9.1?
Flags: wanted1.9.1+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Updated (Assignee) • 15 years ago
Assignee: nobody → jst
Status: NEW → ASSIGNED
Comment 6 (Assignee) • 15 years ago
Attachment #377088 - Flags: superreview?(bzbarsky)
Attachment #377088 - Flags: review+
Updated (Assignee) • 15 years ago
Attachment #377088 - Attachment is patch: true
Attachment #377088 - Attachment mime type: application/octet-stream → text/plain
Updated • 15 years ago
Whiteboard: [sg:dos] null deref
Updated • 15 years ago
Attachment #377088 - Flags: superreview?(bzbarsky) → superreview+
Comment 7 (Reporter) • 15 years ago
Is the fix ready to be checked in?
Comment 8 • 15 years ago
It doesn't block 3.5 and also doesn't have approval1.9.1. So, given the tree rules, it cannot be checked in right now.
Comment 9 (Reporter) • 15 years ago
Is the fix now ready to be checked in?
Comment 10 (Reporter) • 15 years ago
Can the fix be checked in?
Updated • 15 years ago
Keywords: checkin-needed
Comment 11 • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Comment 12 • 15 years ago
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091003 Minefield/3.7a1pre ID:20091003031247
I'm not able to crash any build on Windows but any branch on OS X and Linux crashes immediately when loading the testcase. Can we get in the crashtest too?
Johnny, can we request approvals on your patch for the remaining branches?
Status: RESOLVED → VERIFIED
status1.9.1: --- → ?
Flags: in-testsuite?
OS: Windows XP → All
Hardware: x86 → All
Comment 13 (Assignee) • 15 years ago
Comment on attachment 377088 [details] [diff] [review]
Smaug's fix, tweaked.
Sure. This is adding a null pointer check, perfectly safe. We should take this for older releases...
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.15?
Comment 14 • 15 years ago
As said in my comment above, it still crashes on 1.9.2 and 1.9.1 too. This bug is not marked as blocking, so we would also need flags for both branches too.
Updated (Assignee) • 15 years ago
Attachment #377088 - Flags: approval1.9.2+
Attachment #377088 - Flags: approval1.9.1.4?
Comment 15 • 15 years ago
Comment on attachment 377088 [details] [diff] [review]
Smaug's fix, tweaked.
Not for 1.9.1.4. Pushing out approval request.
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.4?
Attachment #377088 - Flags: approval1.9.0.15?
Updated • 15 years ago
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.5+
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.16+
Comment 16 • 15 years ago
Comment on attachment 377088 [details] [diff] [review]
Smaug's fix, tweaked.
Approved for 1.9.1.5 and 1.9.0.16, a=dveditz for release-drivers
Updated • 15 years ago
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Keywords: checkin-needed
Comment 17 • 15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/623cf3215288
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a269181aa86a
status1.9.2: --- → final-fixed
Whiteboard: [sg:dos] null deref → [sg:dos] null deref [needs 1.9.0 landing]
Comment 18 • 15 years ago
Johnny: Can we get this landed on 1.9.0 asap?
Updated • 15 years ago
Keywords: checkin-needed
Whiteboard: [sg:dos] null deref [needs 1.9.0 landing] → [sg:dos] null deref
Comment 20 • 15 years ago
Verified fixed on 1.9.2 and 1.9.1 with builds on Linux and OS X:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre ID:20091114033807
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.6pre) Gecko/20091108 Shiretoko/3.5.6pre ID:20091108030959
Keywords: verified1.9.1, verified1.9.2
Comment 21 • 15 years ago
Verified for 1.9.0.16 using Martijn's testcase with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Testcase crashes 1.9.0.15 on load on the same system.
Keywords: fixed1.9.0.16 → verified1.9.0.16
Updated • 13 years ago
Crash Signature: [@ nsObjectLoadingContent::OnStartRequest]
Updated • 6 years ago
Component: DOM → DOM: Core & HTML