Closed
Bug 577416
Opened 15 years ago
Closed 15 years ago
[HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]
Categories
(Core :: DOM: HTML Parser, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla2.0b4
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: longsonr, Assigned: hsivonen)
References
Details
(Keywords: crash, Whiteboard: [sg:critical?][critsmash:investigating])
Crash Data
Attachments
(2 files)
No description provided.
Signature nsHtml5TreeBuilder::endTag(nsHtml5ElementName*)
UUID 8fd74196-a67c-4a3c-8139-a7f9f2100707
Time 2010-07-07 23:45:24.641027
Uptime 27873
Last Crash 5346483 seconds (8.8 weeks) before submission
Install Age 35378 seconds (9.8 hours) since version was first installed.
Product Firefox
Version 4.0b1
Build ID 20100630131607
Branch 2.0
OS Mac OS X
OS Version 10.6.4 10F569
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 6
Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address 0x7f
User Comments Bug 577416
Processor Notes
EMCheckCompatibility False
Crashing Thread
Frame Module Signature [Expand] Source
0 XUL nsHtml5TreeBuilder::endTag parser/html/nsHtml5TreeBuilder.cpp:2011
1 XUL nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:295
2 XUL nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:907
3 XUL nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:383
4 XUL nsHtml5StreamParser::ParseAvailableData parser/html/nsHtml5StreamParser.cpp:850
5 XUL nsHtml5StreamParser::DoDataAvailable parser/html/nsHtml5StreamParser.cpp:673
6 XUL nsHtml5DataAvailable::Run parser/html/nsHtml5StreamParser.cpp:705
7 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547
8 XUL NS_ProcessNextEvent_P nsThreadUtils.cpp:250
9 XUL nsThread::ThreadFunc xpcom/threads/nsThread.cpp:263
10 libnspr4.dylib _pt_root nsprpub/pr/src/pthreads/ptthread.c:228
11 libSystem.B.dylib _pthread_start
12 libSystem.B.dylib thread_start
Severity: normal → critical
Keywords: crash
Summary: [HTML5] foreignObject containing html tag crashes browser → [HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]
Comment 2•15 years ago
|
||
This bug might be related to bug 574884.
Not just Vista.
Crashes also under Linux x64 (latest nightly).
Might be related to bug #580383 too?
Comment 4•15 years ago
|
||
On Leopard, I'm getting a crash address of 0xffffffffaaaaaab6. (No clue why I'm getting a 64-bit address out of a 32-bit build.)
Group: core-security
blocking2.0: --- → ?
OS: Windows Vista → Windows 2000
Whiteboard: [sg:critical?]
Comment 5•15 years ago
|
||
Perhaps because the crash address is being assigned to a 64-bit signed value from a 32-bit signed value? We've had the same problem on Windows for a while...
Assignee | ||
Updated•15 years ago
|
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Comment 7•15 years ago
|
||
Henri, any thoughts on this critical security bug?
Comment 8•15 years ago
|
||
It depends on bug 579867, there is a patch attached on that bug that is waiting for review.
Assignee | ||
Comment 9•15 years ago
|
||
(In reply to comment #7)
> Henri, any thoughts on this critical security bug?
The crash goes away once the patch from bug 579867 is applied.
Updated•15 years ago
|
blocking2.0: ? → betaN+
Reporter | ||
Comment 10•15 years ago
|
||
Fixed by check in for bug 579867
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b4
Updated•14 years ago
|
Crash Signature: [@ nsHtml5TreeBuilder::endTag]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•