Bug 497013 - Crash [@ SinkContext::~SinkContext] with document.write in -moz-binding
Status: RESOLVED FIXED (Closed)
Opened 15 years ago, closed 15 years ago
Categories: Core :: DOM: HTML Parser, defect

Tracking | Status
---|---
status1.9.2 | beta1-fixed
blocking1.9.1 | .4+
status1.9.1 | .4-fixed
People: Reporter: martijn.martijn; Assigned: mrbkap
Details: 4 keywords; Whiteboard: [sg:critical?]

Attachments (2 files):
- Attachment #382212: 780 bytes, application/java-archive
- Attachment #390981: patch, 1.82 KB; sicking: review+, superreview+; dveditz: approval1.9.1.4+, approval1.9.0.15+
See the zipped-up testcase, which crashes Firefox 3 and the current trunk build: visit the file named 'testcase.htm', wait a little while and then press the back button.
Breakpad report for trunk:
http://crash-stats.mozilla.com/report/index/ded73808-0a0f-412e-ac81-deadc2090608
0 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4425
1 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4548
2 mozcrt19.dll free obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6387
3 xul.dll SinkContext::~SinkContext content/html/document/src/nsHTMLContentSink.cpp:649
4 xul.dll HTMLContentSink::~HTMLContentSink content/html/document/src/nsHTMLContentSink.cpp:1569
5 xul.dll HTMLContentSink::`scalar deleting destructor'
6 xul.dll HTMLContentSink::Release content/html/document/src/nsHTMLContentSink.cpp:1596
7 nspr4.dll nspr4.dll@0x858f
Breakpad report for Firefox3.0.x:
http://crash-stats.mozilla.com/report/index/946e6a17-c797-4ec9-953d-b95de2090608?p=1
0 xul.dll SinkContext::FlushTags mozilla/content/html/document/src/nsHTMLContentSink.cpp:1341
1 xul.dll HTMLContentSink::DidBuildModel mozilla/content/html/document/src/nsHTMLContentSink.cpp:1811
2 xul.dll CNavDTD::DidBuildModel mozilla/parser/htmlparser/src/CNavDTD.cpp:466
3 xul.dll nsParser::DidBuildModel mozilla/parser/htmlparser/src/nsParser.cpp:1006
Updated•15 years ago
Attachment #382212 - Attachment mime type: application/zip → application/java-archive
Comment 1•15 years ago
In a debug build mSink looks like a deleted or corrupt object.
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Whiteboard: [sg:critical?]
Comment 2•15 years ago
Who can own this?
status1.9.1: --- → wanted
Flags: wanted1.9.1.x+
Whiteboard: [sg:critical?] → [sg:critical?][needs owner]
Updated•15 years ago (Assignee)
Assignee: nobody → mrbkap
Comment 3•15 years ago (Assignee)
Attachment #390981 - Flags: superreview?(jonas)
Attachment #390981 - Flags: review?(jonas)
Comment 4•15 years ago (Assignee)
This fixes the bug because the call to mSink->OpenHead can flush tags, which runs XBL constructors. The XBL constructor in this case does a document.write, re-entering the parser. However, by that point, the parser thinks the head has already been pushed, so it tells the sink to close the head. But the sink hasn't yet opened the head anyway, so things get out of sync and badness ensues.
Attachment #390981 - Flags: superreview?(jonas) → superreview+
Attachment #390981 - Flags: review?(jonas) → review+
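To make the sequence described in comment 4 concrete, the following toy model is added here as an example; it is not Mozilla code, not the testcase, and not the patch in attachment 390981. A minimal "sink" keeps a stack of open elements, and opening the head can run script (standing in for an XBL constructor during a tag flush) that re-enters the parser with an end tag, the way document.write did in the report. BuggyParser records "head pushed" before the sink has opened it, so the re-entrant close hits an empty stack; GuardedParser queues tokens that arrive while a sink call is in progress and replays them afterwards. The class and field names (Sink, BuggyParser, GuardedParser, headPushed, onFlush) and the queue-until-idle mitigation are this example's own assumptions; the page does not say whether the real fix in CNavDTD.cpp works that way.

```javascript
'use strict';

// Added example: a toy model of the parser/sink desync described in comment 4.
// Not Mozilla code and not the real patch. A real content sink frees memory for
// elements it thinks it owns; here the stack is an array and a desync throws.
class Sink {
  constructor() {
    this.stack = [];     // currently open elements
    this.onFlush = null; // stand-in for script run while pending tags are flushed
  }
  openHead() {
    // Flushing pending tags can run an XBL constructor before 'head' is pushed.
    if (this.onFlush) {
      const cb = this.onFlush;
      this.onFlush = null;
      cb();                // may re-enter the parser (document.write)
    }
    this.stack.push('head');
  }
  closeHead() {
    if (this.stack[this.stack.length - 1] !== 'head') {
      throw new Error('sink desync: closeHead() but open stack is ' + JSON.stringify(this.stack));
    }
    this.stack.pop();
  }
}

// Buggy parser: marks the head as pushed before the sink has actually opened it,
// so a re-entrant '</head>' asks the sink to close something it never opened.
class BuggyParser {
  constructor(sink) { this.sink = sink; this.headPushed = false; }
  handle(token) {
    if (token === '<head>') {
      this.headPushed = true;  // state updated too early...
      this.sink.openHead();    // ...and this call can re-enter handle()
    } else if (token === '</head>') {
      if (this.headPushed) this.sink.closeHead();
      this.headPushed = false;
    }
  }
}

// Guarded parser (this model's mitigation, an assumption): tokens written while a
// sink call is in progress are queued and replayed once it returns, so parser state
// and sink state only change together.
class GuardedParser {
  constructor(sink) {
    this.sink = sink; this.headPushed = false; this.busy = false; this.pending = [];
  }
  handle(token) {
    if (this.busy) { this.pending.push(token); return; }
    this.busy = true;
    try {
      if (token === '<head>') {
        this.sink.openHead();
        this.headPushed = true;  // only after the sink really opened it
      } else if (token === '</head>') {
        if (this.headPushed) this.sink.closeHead();
        this.headPushed = false;
      }
    } finally {
      this.busy = false;
    }
    while (this.pending.length) this.handle(this.pending.shift());
  }
}

// Drive one parser class with a flush-time callback that writes '</head>'
// re-entrantly (constructed input, like document.write from an XBL constructor).
// Returns 'ok' when the sink stack ends balanced, otherwise the error text.
function run(ParserClass) {
  const sink = new Sink();
  const parser = new ParserClass(sink);
  sink.onFlush = () => parser.handle('</head>');
  try {
    parser.handle('<head>');
    parser.handle('</head>');
    return sink.stack.length === 0 ? 'ok' : 'leftover: ' + sink.stack.join(',');
  } catch (e) {
    return e.message;
  }
}

console.log('buggy  :', run(BuggyParser));
console.log('guarded:', run(GuardedParser));
```

In the buggy run the re-entrant '</head>' arrives while headPushed is already true but the sink stack is still empty, which is the "sink hasn't yet opened the head" condition from comment 4; in a native sink that mismatch is what turns into the bad free seen in the SinkContext::~SinkContext trace.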
Comment 5•15 years ago (Assignee)
Whiteboard: [sg:critical?][needs owner] → [sg:critical?]
Comment 6•15 years ago (Reporter)
(In reply to comment #5)
> http://hg.mozilla.org/mozilla-central/rev/aa0ee4e7b713
By that line, you mean this bug is fixed?
Comment 7•15 years ago (Assignee)
Oops, yes.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
blocking1.9.1: --- → .4+
Flags: blocking1.9.0.15?
Updated•15 years ago
Flags: blocking1.9.0.15? → blocking1.9.0.15+
Updated•15 years ago (Assignee)
Attachment #390981 - Flags: approval1.9.0.15?
Updated•15 years ago
status1.9.2: --- → beta1-fixed
Updated•15 years ago
Attachment #390981 - Flags: approval1.9.0.15? → approval1.9.0.15+
Comment 8•15 years ago
Comment on attachment 390981 (Fix)
Approved for 1.9.0.15, a=dveditz
Shouldn't this work for the 1.9.1 branch, too? If it does and you want to land it tonight then go ahead and do so. Add the approval request and I'll formally dot the i's after the fact tomorrow morning.
Updated•15 years ago (Assignee)
Attachment #390981 - Flags: approval1.9.1.4?
Comment 9•15 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cbe1f21a26c0
Checking in parser/htmlparser/src/CNavDTD.cpp;
/cvsroot/mozilla/parser/htmlparser/src/CNavDTD.cpp,v <-- CNavDTD.cpp
new revision: 3.508; previous revision: 3.507
done
Keywords: fixed1.9.0.15
Comment 10•15 years ago
Comment on attachment 390981 (Fix)
Approved for 1.9.1.4, a=dveditz
Attachment #390981 - Flags: approval1.9.1.4? → approval1.9.1.4+
Comment 11•15 years ago
Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.15pre) Gecko/2009092404 GranParadiso/3.0.15pre.
Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090924 Shiretoko/3.5.4pre.
Updated•15 years ago
Group: core-security
Updated•13 years ago
Crash Signature: [@ SinkContext::~SinkContext]