Closed Bug 497013 Opened 12 years ago Closed 12 years ago

Crash [@ SinkContext::~SinkContext] with document.write in -moz-binding


(Core :: DOM: HTML Parser, defect)

Windows XP
Not set



Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .4+
status1.9.1 --- .4-fixed


(Reporter: martijn.martijn, Assigned: mrbkap)


(4 keywords, Whiteboard: [sg:critical?])

Crash Data


(2 files)

Attached file zipped up testcase
See the zipped up testcase, which crashes Firefox 3 and the current trunk build when visiting the file named 'testcase.htm', waiting a little while and then pressing the back button.

Breakpad report for trunk:
0  	mozcrt19.dll  	arena_dalloc_small  	 obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4425
1 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4548
2 	mozcrt19.dll 	free 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6387
3 	xul.dll 	SinkContext::~SinkContext 	content/html/document/src/nsHTMLContentSink.cpp:649
4 	xul.dll 	HTMLContentSink::~HTMLContentSink 	content/html/document/src/nsHTMLContentSink.cpp:1569
5 	xul.dll 	HTMLContentSink::`scalar deleting destructor' 	
6 	xul.dll 	HTMLContentSink::Release 	content/html/document/src/nsHTMLContentSink.cpp:1596
7 	nspr4.dll 	nspr4.dll@0x858f 

Breakpad report for Firefox3.0.x:
0  	xul.dll  	SinkContext::FlushTags  	 mozilla/content/html/document/src/nsHTMLContentSink.cpp:1341
1 	xul.dll 	HTMLContentSink::DidBuildModel 	mozilla/content/html/document/src/nsHTMLContentSink.cpp:1811
2 	xul.dll 	CNavDTD::DidBuildModel 	mozilla/parser/htmlparser/src/CNavDTD.cpp:466
3 	xul.dll 	nsParser::DidBuildModel 	mozilla/parser/htmlparser/src/nsParser.cpp:1006
Attachment #382212 - Attachment mime type: application/zip → application/java-archive
In a debug build mSink looks like a deleted or corrupt object.
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Whiteboard: [sg:critical?]
Who can own this?
Flags: wanted1.9.1.x+
Whiteboard: [sg:critical?] → [sg:critical?][needs owner]
Assignee: nobody → mrbkap
Attached patch Fix
Attachment #390981 - Flags: superreview?(jonas)
Attachment #390981 - Flags: review?(jonas)
The reason this fixes this bug is because the call to mSink->OpenHead can flush tags, which runs XBL constructors. The XBL constructor in this case does a document.write, re-entering the parser. However, by that point, the parser thinks the head has already been pushed, so it tells the sink to close the head. But the sink hasn't yet opened the head anyway, so things get out of sync and badness ensues.
Attachment #390981 - Flags: superreview?(jonas)
Attachment #390981 - Flags: superreview+
Attachment #390981 - Flags: review?(jonas)
Attachment #390981 - Flags: review+
Whiteboard: [sg:critical?][needs owner] → [sg:critical?]
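The sequence in the comment above, as an added model written for this page (it is not Gecko code and not the patch in attachment 390981): a toy parser and content sink in JavaScript in which the sink's openHead flushes pending tags, a bound element's constructor re-enters the parser with a write of body content, and the parser has already recorded the head as open. All names here (Sink, Parser, simulate, setFlagBeforeSink, the `<bound>` token) are invented for the model. Running with setFlagBeforeSink=false is one ordering that keeps both sides consistent in this model; it is an assumption about the shape of a fix, not a description of what the real change in CNavDTD.cpp does.

```javascript
// Added illustration, not code from the bug or from Gecko. Every name is
// invented for this model; the real logic is in CNavDTD.cpp and
// nsHTMLContentSink.cpp.

class Sink {
  constructor(bindingConstructors) {
    this.headOpen = false;
    this.pending = [];                              // tags not yet flushed to the DOM
    this.bindingConstructors = bindingConstructors; // tag -> callback, stands in for an XBL constructor
    this.log = [];
  }
  pushTag(tag) { this.pending.push(tag); }
  // Flushing notifies the DOM; a freshly bound element runs its constructor
  // here, and that constructor may re-enter the parser (the document.write).
  flushTags() {
    while (this.pending.length) {
      const tag = this.pending.shift();
      this.log.push("flush " + tag);
      const ctor = this.bindingConstructors[tag];
      if (ctor) ctor();
    }
  }
  openHead() {
    this.flushTags();          // the flush inside OpenHead that runs constructors
    this.headOpen = true;
    this.log.push("openHead");
  }
  closeHead() {
    if (!this.headOpen) {
      this.log.push("closeHead without openHead");
      // The model refuses here; in the bug the two sides simply go out of
      // sync and the crash follows later in ~SinkContext.
      throw new Error("sink and parser out of sync: close of a head that was never opened");
    }
    this.headOpen = false;
    this.log.push("closeHead");
  }
}

class Parser {
  // setFlagBeforeSink = true reproduces the ordering the comment describes:
  // the parser records "head is open" before the sink has actually opened it.
  // false is one ordering that keeps both sides consistent in this model
  // (an assumption for illustration, not the actual patch).
  constructor(sink, { setFlagBeforeSink }) {
    this.sink = sink;
    this.setFlagBeforeSink = setFlagBeforeSink;
    this.hasOpenHead = false;
  }
  write(tokens) { for (const t of tokens) this.handle(t); }
  handle(t) {
    if (t === "<head>") {
      if (this.hasOpenHead) return;               // ignore a second <head>
      if (this.setFlagBeforeSink) {
        this.hasOpenHead = true;
        this.sink.openHead();                     // may re-enter write() via a constructor
      } else {
        this.sink.openHead();
        this.hasOpenHead = true;                  // only once the sink really opened it
      }
    } else if (t === "</head>" || t === "<body>") {
      if (this.hasOpenHead) {                     // parser believes the head is open: close it
        this.hasOpenHead = false;
        this.sink.closeHead();
      }
      if (t === "<body>") this.sink.pushTag(t);
    } else {
      this.sink.pushTag(t);
    }
  }
}

// Drive one constructed document through the model. `<bound>` stands for the
// element carrying the -moz-binding; its constructor does the document.write.
function simulate(setFlagBeforeSink, tokens = ["<bound>", "<head>", "</head>"]) {
  let parser;
  const sink = new Sink({ "<bound>": () => parser.write(["<body>"]) });
  parser = new Parser(sink, { setFlagBeforeSink });
  try {
    parser.write(tokens);
    return { ok: true, log: sink.log };
  } catch (e) {
    return { ok: false, error: e.message, log: sink.log };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulate(true));   // flag first: the reentrant write closes an unopened head
  console.log(simulate(false));  // sink first: the reentrant write sees no open head
}
```

Run it with node. The first call returns ok: false, with the sink logging a close for a head it never opened, which is the desync the comment describes; the second returns ok: true, with the reentrant body tag simply queued behind the flush and emitted before the head is marked open.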
(In reply to comment #5)

By that line, you mean this bug is fixed?
Oops, yes.
Closed: 12 years ago
Resolution: --- → FIXED
blocking1.9.1: --- → .4+
Flags: blocking1.9.0.15?
Flags: blocking1.9.0.15? → blocking1.9.0.15+
Attachment #390981 - Flags: approval1.9.0.15?
Attachment #390981 - Flags: approval1.9.0.15? → approval1.9.0.15+
Comment on attachment 390981

Approved for, a=dveditz

Shouldn't this work for the 1.9.1 branch, too? If it does and you want to land it tonight then go ahead and do so. Add the approval request and I'll formally dot the i's after the fact tomorrow morning.
Attachment #390981 - Flags: approval1.9.1.4?

Checking in parser/htmlparser/src/CNavDTD.cpp;
/cvsroot/mozilla/parser/htmlparser/src/CNavDTD.cpp,v  <--  CNavDTD.cpp
new revision: 3.508; previous revision: 3.507
Comment on attachment 390981

Approved for, a=dveditz
Attachment #390981 - Flags: approval1.9.1.4? → approval1.9.1.4+
Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/2009092404 GranParadiso/3.0.15pre.

Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20090924 Shiretoko/3.5.4pre.
Group: core-security
Crash Signature: [@ SinkContext::~SinkContext]