Bug 488274 - Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified and colorpicker
Whiteboard: [sg:dos] null deref
Keywords: crash, testcase, verified1.9.0.16, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla1.9.3a1
Assigned To: Johnny Stenback (:jst,
QA Contact: Andrew Overholt [:overholt]
Reported: 2009-04-14 06:44 PDT by Martijn Wargers [:mwargers]
Modified: 2011-06-13 10:01 PDT
jst: blocking1.9.2-
jst: wanted1.9.2+
jst: blocking1.9.1-
jst: wanted1.9.1+
samuel.sidler+old: wanted1.9.0.x+
hskupin: in-testsuite?

Attachments:
testcase (346 bytes, application/vnd.mozilla.xul+xml) - 2009-04-14 06:44 PDT, Martijn Wargers [:mwargers] - no flags
shows where the problem is (856 bytes, patch) - 2009-05-12 13:01 PDT, Olli Pettay [:smaug] (pto-ish for couple of days) - no flags
Smaugs fix, tweaked. (770 bytes, patch) - 2009-05-12 22:37 PDT, Johnny Stenback (:jst, - flags: jst: review+, bzbarsky: superreview+, jst: approval1.9.2+, dveditz: approval1.9.1.6+, dveditz: approval1.9.0.16+

Description Martijn Wargers [:mwargers] 2009-04-14 06:44:14 PDT
Created attachment 372606

See testcase, which crashes current trunk build and Firefox 3.0.7 on load.
0  	xul.dll  	nsObjectLoadingContent::OnStartRequest  	 content/base/src/nsObjectLoadingContent.cpp:540
1 	xul.dll 	nsBaseChannel::OnStartRequest 	netwerk/base/src/nsBaseChannel.cpp:665
2 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
3 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
4 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
5 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
6 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
7 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
8 	nspr4.dll 	PR_GetEnv 	
9 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
10 	firefox.exe 	firefox.exe@0x21a7 	
11 	kernel32.dll 	BaseProcessStart
Comment 1 Martijn Wargers [:mwargers] 2009-04-14 06:49:44 PDT
The testcase doesn't seem to crash online.
Comment 2 Mike Beltzner [:beltzner, not reading bugmail] 2009-05-12 11:49:16 PDT
jst/jonas: can we get a blocking decision here?
Comment 3 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-05-12 13:01:22 PDT
Created attachment 376985
shows where the problem is

#7  0x00002aaab0dfa75b in nsObjectLoadingContent::RemovedFromDocument (this=0xf4b920)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1375
#8  0x00002aaab0e92b74 in nsHTMLObjectElement::UnbindFromTree (this=0xf4b8d0, aDeep=27046, aNullParent=6)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/content/src/nsHTMLObjectElement.cpp:239
#9  0x00002aaab0de9ba1 in nsGenericElement::doRemoveChildAt (aIndex=1, aNotify=1, aKid=0xf4b8d0, aParent=0x17d51e0, 
    aDocument=<value optimized out>, aChildArray=@0x17d5218)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3398
#10 0x00002aaab0de9e58 in nsGenericElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3325
#11 0x00002aaab109ab84 in nsXULElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/content/src/nsXULElement.cpp:961
#12 0x00002aaab0de85cf in nsGenericElement::doRemoveChild (aOldChild=0xf4b9c8, aParent=<value optimized out>, 
    aDocument=<value optimized out>, aReturn=0x7fffc508bff0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4002
#13 0x00002aaab06a1ced in nsIDOMNode_RemoveChild (cx=<value optimized out>, argc=1, vp=0x1a9d678) at dom_quickstubs.cpp:2936
#14 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#15 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=1, vp=0x1a9d660, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#16 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, flags=0, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#17 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#18 0x00002aaab0f7fa57 in nsJSContext::CallEventHandler (this=0x1dc7150, aTarget=<value optimized out>, 
    aScope=<value optimized out>, aHandler=0xf0d400, aargv=0x17aa390, arv=0x7fffc508c7e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:2026
#19 0x00002aaab0fc9b2b in nsJSEventListener::HandleEvent (this=0x11b08a0, aEvent=0x1ad2428)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/events/nsJSEventListener.cpp:247
#20 0x00002aaab0e3745f in nsEventListenerManager::HandleEventSubType (this=0x1ae4b30, aListenerStruct=0x1ae4b78, 
    aListener=0x11b08a0, aDOMEvent=0x1ad2428, aCurrentTarget=0x17ab800, aPhaseFlags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1090
#21 0x00002aaab0e379e7 in nsEventListenerManager::HandleEvent (this=0x1ae4b30, aPresContext=0x0, aEvent=0x7fffc508ced0, 
    aDOMEvent=0x7fffc508cc00, aCurrentTarget=0x17ab800, aFlags=2, aEventStatus=0x7fffc508cc08)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1187
#22 0x00002aaab0e5b85d in nsEventTargetChainItem::HandleEvent (this=0x1acb118, aVisitor=@0x7fffc508cbf0, aFlags=2, 
    aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:227
#23 0x00002aaab0e5bacc in nsEventTargetChainItem::HandleEventTargetChain (this=0x1acb428, aVisitor=@0x7fffc508cbf0, 
    aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:315
#24 0x00002aaab0e5bfbe in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, 
    aEvent=0x7fffc508ced0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:508
#25 0x00002aaab0de7b9e in nsGenericElement::SetAttrAndNotify (this=0x205b180, aNamespaceID=0, aName=0xa21b88, 
    aPrefix=<value optimized out>, aOldValue=@0x7fffc508d030, aParsedValue=<value optimized out>, aModification=0, 
    aFireMutation=1, aNotify=1, aValueForAfterSetAttr=0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4406
#26 0x00002aaab0de8045 in nsGenericElement::SetAttr (this=0x205b180, aNamespaceID=0, aName=0xa21b88, aPrefix=0x0, 
    aValue=@0x7fffc508d190, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#27 0x00002aaab0de1ad9 in nsGenericElement::SetAttribute (this=0x205b180, aName=@0x7fffc508d1b0, aValue=@0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.h:386
#28 0x00002aaab06a4cb3 in nsIDOMElement_SetAttribute (cx=0x1bd0a80, argc=2, vp=0x1a9d620) at dom_quickstubs.cpp:2213
#29 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#30 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=0, vp=0x1a9d418, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#31 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, flags=0, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#32 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#33 0x00002aaab0f3eba9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x14a27d0, aBoundElement=0x177cc40)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332
#34 0x00002aaab0f4cb1d in nsBindingManager::ProcessAttachedQueue (this=0x1a97db0, aSkipSize=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015
#35 0x00002aaab0c06d1a in PresShell::FlushPendingNotifications (this=0x2092290, aType=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsPresShell.cpp:4765
#36 0x00002aaab0dc7a8d in nsDocument::FlushPendingNotifications (this=<value optimized out>, aType=Flush_Style)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:6273
#37 0x00002aaab0dfb040 in nsObjectLoadingContent::NotifyStateChanged (this=0xf4b920, 
    aOldType=nsObjectLoadingContent::eType_Loading, aOldState=2097152, aSync=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1528
#38 0x00002aaab0dfe6a8 in AutoNotifier::Notify (this=0x7fffc508da50)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:235
#39 0x00002aaab0dfc25e in nsObjectLoadingContent::OnStartRequest (this=0xf4b920, aRequest=0x1938df0, aContext=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:534
Comment 4 Johnny Stenback (:jst, 2009-05-12 21:12:18 PDT
This is not an exploitable crash, just a simple null dereference crash. Opening bug to the public.
Comment 5 Johnny Stenback (:jst, 2009-05-12 22:35:08 PDT
I don't think we should block on this, but I'd like to see a patch approved. I think what we want to do here is exactly what smaug's patch does, except w/o warning and throwing a better error. Updated patch coming up.
Comment 6 Johnny Stenback (:jst, 2009-05-12 22:37:06 PDT
Created attachment 377088
Smaugs fix, tweaked.
Comment 7 Martijn Wargers [:mwargers] 2009-05-26 03:21:07 PDT
Is the fix ready to be checked in?
Comment 8 Henrik Skupin (:whimboo) [away 02/18 - 02/27] 2009-05-26 03:25:48 PDT
It doesn't block 3.5 and also doesn't have approval1.9.1. So given by the tree rules it cannot be checked in right now.
Comment 9 Martijn Wargers [:mwargers] 2009-08-10 16:30:06 PDT
Is the fix now ready to be checked in?
Comment 10 Martijn Wargers [:mwargers] 2009-10-01 13:45:03 PDT
Can the fix be checked in?
Comment 11 Dão Gottwald [:dao] 2009-10-02 06:49:33 PDT
Comment 12 Henrik Skupin (:whimboo) [away 02/18 - 02/27] 2009-10-06 07:02:49 PDT
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091003 Minefield/3.7a1pre ID:20091003031247

I'm not able to crash any build on Windows but any branch on OS X and Linux crashes immediately when loading the testcase. Can we get in the crashtest too?

Johnny, can we request approvals on your patch for the remaining branches?
Comment 13 Johnny Stenback (:jst, 2009-10-06 09:55:20 PDT
Comment on attachment 377088
Smaugs fix, tweaked.

Sure. This is adding a null pointer check, perfectly safe. We should take this for older releases...
Comment 14 Henrik Skupin (:whimboo) [away 02/18 - 02/27] 2009-10-06 14:26:07 PDT
As stated in my comment above, it still crashes on 1.9.2 and 1.9.1 too. This bug is not marked as blocking, so we would also need flags for both branches too.
Comment 15 Samuel Sidler (old account; do not CC) 2009-10-07 10:28:10 PDT
Comment on attachment 377088
Smaugs fix, tweaked.

Not for Pushing out approval request.
Comment 16 Daniel Veditz [:dveditz] 2009-10-16 10:35:07 PDT
Comment on attachment 377088
Smaugs fix, tweaked.

Approved for and, a=dveditz for release-drivers
Comment 18 Samuel Sidler (old account; do not CC) 2009-11-16 09:09:03 PST
Johnny: Can we get this landed on 1.9.0 asap?
Comment 19 Johnny Stenback (:jst, 2009-11-16 18:56:03 PST
Fixed in CVS.
Comment 20 Henrik Skupin (:whimboo) [away 02/18 - 02/27] 2009-11-17 01:19:55 PST
Verified fixed on 1.9.2 and 1.9.1 with builds on Linux and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre ID:20091114033807

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/20091108 Shiretoko/3.5.6pre ID:20091108030959
Comment 21 Al Billings [:abillings] 2009-11-23 12:22:08 PST
Verified for using Martijn's testcase with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Testcase crashes on load on the same system.