Closed Bug 497013 Opened 10 years ago Closed 10 years ago

Crash [@ SinkContext::~SinkContext] with document.write in -moz-binding

Categories: Core :: HTML: Parser
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Tracking Status:
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .4+
status1.9.1 --- .4-fixed

People

(Reporter: martijn.martijn, Assigned: mrbkap)

Details: 4 keywords, Whiteboard: [sg:critical?]

Attachments: 2 files

Attached file: zipped up testcase
See the zipped up testcase, which crashes Firefox 3 and the current trunk build: visit the file named 'testcase.htm', wait a little while and then press the back button.

Breakpad report for trunk:
http://crash-stats.mozilla.com/report/index/ded73808-0a0f-412e-ac81-deadc2090608
0	mozcrt19.dll	arena_dalloc_small	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4425
1	mozcrt19.dll	arena_dalloc	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4548
2	mozcrt19.dll	free	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6387
3	xul.dll	SinkContext::~SinkContext	content/html/document/src/nsHTMLContentSink.cpp:649
4	xul.dll	HTMLContentSink::~HTMLContentSink	content/html/document/src/nsHTMLContentSink.cpp:1569
5	xul.dll	HTMLContentSink::`scalar deleting destructor'
6	xul.dll	HTMLContentSink::Release	content/html/document/src/nsHTMLContentSink.cpp:1596
7	nspr4.dll	nspr4.dll@0x858f

Breakpad report for Firefox 3.0.x:
http://crash-stats.mozilla.com/report/index/946e6a17-c797-4ec9-953d-b95de2090608?p=1
0	xul.dll	SinkContext::FlushTags	mozilla/content/html/document/src/nsHTMLContentSink.cpp:1341
1	xul.dll	HTMLContentSink::DidBuildModel	mozilla/content/html/document/src/nsHTMLContentSink.cpp:1811
2	xul.dll	CNavDTD::DidBuildModel	mozilla/parser/htmlparser/src/CNavDTD.cpp:466
3	xul.dll	nsParser::DidBuildModel	mozilla/parser/htmlparser/src/nsParser.cpp:1006
Attachment #382212 - Attachment mime type: application/zip → application/java-archive
In a debug build mSink looks like a deleted or corrupt object.
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Whiteboard: [sg:critical?]
Who can own this?
Flags: wanted1.9.1.x+
Whiteboard: [sg:critical?] → [sg:critical?][needs owner]
Assignee: nobody → mrbkap
Attached patch: Fix (Splinter Review)
Attachment #390981 - Flags: superreview?(jonas)
Attachment #390981 - Flags: review?(jonas)
The reason this fixes this bug is that the call to mSink->OpenHead can flush tags, which runs XBL constructors. The XBL constructor in this case does a document.write, re-entering the parser. However, by that point, the parser thinks the head has already been pushed, so it tells the sink to close the head. But the sink hasn't yet opened the head anyway, so things get out of sync and badness ensues.
Attachment #390981 - Flags: superreview?(jonas)
Attachment #390981 - Flags: superreview+
Attachment #390981 - Flags: review?(jonas)
Attachment #390981 - Flags: review+
http://hg.mozilla.org/mozilla-central/rev/aa0ee4e7b713
Whiteboard: [sg:critical?][needs owner] → [sg:critical?]
(In reply to comment #5)
> http://hg.mozilla.org/mozilla-central/rev/aa0ee4e7b713

By that line, you mean this bug is fixed?
Oops, yes.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
blocking1.9.1: --- → .4+
Flags: blocking1.9.0.15?
Flags: blocking1.9.0.15? → blocking1.9.0.15+
Attachment #390981 - Flags: approval1.9.0.15?
Attachment #390981 - Flags: approval1.9.0.15? → approval1.9.0.15+
Comment on attachment 390981 [details] [diff] [review]
Fix

Approved for 1.9.0.15, a=dveditz

Shouldn't this work for the 1.9.1 branch, too? If it does and you want to land it tonight then go ahead and do so. Add the approval request and I'll formally dot the i's after the fact tomorrow morning.
Attachment #390981 - Flags: approval1.9.1.4?
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cbe1f21a26c0

Checking in parser/htmlparser/src/CNavDTD.cpp;
/cvsroot/mozilla/parser/htmlparser/src/CNavDTD.cpp,v  <--  CNavDTD.cpp
new revision: 3.508; previous revision: 3.507
done
Comment on attachment 390981 [details] [diff] [review]
Fix

Approved for 1.9.1.4, a=dveditz
Attachment #390981 - Flags: approval1.9.1.4? → approval1.9.1.4+
Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.15pre) Gecko/2009092404 GranParadiso/3.0.15pre.

Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090924 Shiretoko/3.5.4pre.
Group: core-security
Crash Signature: [@ SinkContext::~SinkContext]