Closed Bug 577416 Opened 12 years ago Closed 11 years ago

[HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Windows 2000
defect

Tracking

RESOLVED FIXED
mozilla2.0b4
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: longsonr, Assigned: hsivonen)

Details

(Keywords: crash, Whiteboard: [sg:critical?][critsmash:investigating])

Attachments

(2 files)

No description provided.
Signature	nsHtml5TreeBuilder::endTag(nsHtml5ElementName*)
UUID	8fd74196-a67c-4a3c-8139-a7f9f2100707
Time 	2010-07-07 23:45:24.641027
Uptime	27873
Last Crash	5346483 seconds (8.8 weeks) before submission
Install Age	35378 seconds (9.8 hours) since version was first installed.
Product	Firefox
Version	4.0b1
Build ID	20100630131607
Branch	2.0
OS	Mac OS X
OS Version	10.6.4 10F569
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x7f
User Comments	Bug 577416
Processor Notes 	
EMCheckCompatibility	False
Crashing Thread
Frame 	Module 	Signature 	Source
0 	XUL 	nsHtml5TreeBuilder::endTag 	parser/html/nsHtml5TreeBuilder.cpp:2011
1 	XUL 	nsHtml5Tokenizer::emitCurrentTagToken 	parser/html/nsHtml5Tokenizer.cpp:295
2 	XUL 	nsHtml5Tokenizer::stateLoop 	parser/html/nsHtml5Tokenizer.cpp:907
3 	XUL 	nsHtml5Tokenizer::tokenizeBuffer 	parser/html/nsHtml5Tokenizer.cpp:383
4 	XUL 	nsHtml5StreamParser::ParseAvailableData 	parser/html/nsHtml5StreamParser.cpp:850
5 	XUL 	nsHtml5StreamParser::DoDataAvailable 	parser/html/nsHtml5StreamParser.cpp:673
6 	XUL 	nsHtml5DataAvailable::Run 	parser/html/nsHtml5StreamParser.cpp:705
7 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
8 	XUL 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
9 	XUL 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:263
10 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:228
11 	libSystem.B.dylib 	_pthread_start 	
12 	libSystem.B.dylib 	thread_start
Severity: normal → critical
Keywords: crash
Summary: [HTML5] foreignObject containing html tag crashes browser → [HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]
Blocks: 552908
This bug might be related to bug 574884.
Depends on: 579867
Priority: -- → P2
Not just Vista.
Crashes also under Linux x64 (latest nightly).

Might be related to bug #580383 too?
On Leopard, I'm getting a crash address of 0xffffffffaaaaaab6.  (No clue why I'm getting a 64-bit address out of a 32-bit build.)
Group: core-security
blocking2.0: --- → ?
OS: Windows Vista → Windows 2000
Whiteboard: [sg:critical?]
Perhaps because the crash address is being assigned to a 64-bit signed value from a 32-bit signed value?  We've had the same problem on Windows for a while...
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Henri, any thoughts on this critical security bug?
It depends on bug 579867, there is a patch attached on that bug that is waiting for review.
(In reply to comment #7)
> Henri, any thoughts on this critical security bug?

The crash goes away once the patch from bug 579867 is applied.
blocking2.0: ? → betaN+
Fixed by check in for bug 579867
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b4
Crash Signature: [@ nsHtml5TreeBuilder::endTag]
Group: core-security → core-security-release
Group: core-security-release