Closed Bug 577416 Opened 15 years ago Closed 15 years ago

[HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Windows 2000
defect

Tracking

RESOLVED FIXED
mozilla2.0b4
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: longsonr, Assigned: hsivonen)

Details

(Keywords: crash, Whiteboard: [sg:critical?][critsmash:investigating])

Attachments

(2 files)

No description provided.
Signature nsHtml5TreeBuilder::endTag(nsHtml5ElementName*)
UUID 8fd74196-a67c-4a3c-8139-a7f9f2100707
Time 2010-07-07 23:45:24.641027
Uptime 27873
Last Crash 5346483 seconds (8.8 weeks) before submission
Install Age 35378 seconds (9.8 hours) since version was first installed.
Product Firefox
Version 4.0b1
Build ID 20100630131607
Branch 2.0
OS Mac OS X
OS Version 10.6.4 10F569
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 6
Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address 0x7f
User Comments Bug 577416
Processor Notes
EMCheckCompatibility False

Crashing Thread
Frame Module Signature Source
0 XUL nsHtml5TreeBuilder::endTag parser/html/nsHtml5TreeBuilder.cpp:2011
1 XUL nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:295
2 XUL nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:907
3 XUL nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:383
4 XUL nsHtml5StreamParser::ParseAvailableData parser/html/nsHtml5StreamParser.cpp:850
5 XUL nsHtml5StreamParser::DoDataAvailable parser/html/nsHtml5StreamParser.cpp:673
6 XUL nsHtml5DataAvailable::Run parser/html/nsHtml5StreamParser.cpp:705
7 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547
8 XUL NS_ProcessNextEvent_P nsThreadUtils.cpp:250
9 XUL nsThread::ThreadFunc xpcom/threads/nsThread.cpp:263
10 libnspr4.dylib _pt_root nsprpub/pr/src/pthreads/ptthread.c:228
11 libSystem.B.dylib _pthread_start
12 libSystem.B.dylib thread_start
Severity: normal → critical
Keywords: crash
Summary: [HTML5] foreignObject containing html tag crashes browser → [HTML5] foreignObject containing html tag crashes browser [@ nsHtml5TreeBuilder::endTag]
Blocks: 552908
This bug might be related to bug 574884.
Depends on: 579867
Priority: -- → P2
Not just Vista. Crashes also under Linux x64 (latest nightly). Might be related to bug #580383 too?
On Leopard, I'm getting a crash address of 0xffffffffaaaaaab6. (No clue why I'm getting a 64-bit address out of a 32-bit build.)
Group: core-security
blocking2.0: --- → ?
OS: Windows Vista → Windows 2000
Whiteboard: [sg:critical?]
Perhaps because the crash address is being assigned to a 64-bit signed value from a 32-bit signed value? We've had the same problem on Windows for a while...
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Henri, any thoughts on this critical security bug?
It depends on bug 579867; there is a patch attached on that bug that is waiting for review.
(In reply to comment #7)
> Henri, any thoughts on this critical security bug?
The crash goes away once the patch from bug 579867 is applied.
blocking2.0: ? → betaN+
Fixed by check in for bug 579867
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b4
Crash Signature: [@ nsHtml5TreeBuilder::endTag]
Group: core-security → core-security-release
Group: core-security-release