Closed
Bug 636107
Opened 14 years ago
Closed 14 years ago
Crash [@ nsEditor::CreateTxnForDeleteText ]
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
RESOLVED
DUPLICATE
of bug 636074
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: scoobidiver, Assigned: khuey)
References
Details
(Keywords: crash, regression, Whiteboard: [sg:critical?][hardblocker][has patch])
Crash Data
Attachments
(1 obsolete file)
It is a new crash signature that first appeared in 4.0b12pre/20110220.
It is #69 top crasher in 4.0b12pre over the last 3 days.
Signature nsEditor::CreateTxnForDeleteText
UUID ffa9cc43-ad4f-40b0-a467-418f32110222
Time 2011-02-22 17:18:14.41817
Uptime 7451
Last Crash 137771 seconds (1.6 days) before submission
Install Age 7451 seconds (2.1 hours) since version was first installed.
Product Firefox
Version 4.0b12pre
Build ID 20110222030357
Branch 2.0
OS Mac OS X
OS Version 10.6.6 10J567
CPU x86
CPU Info family 6 model 23 stepping 6
Crash Reason EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address 0x68ffff00
App Notes Renderers: 0x21a00,0x20400
Frame Module Signature [Expand] Source
0 @0x68ffff00
1 XUL nsEditor::CreateTxnForDeleteText nsAutoPtr.h:969
2 XUL nsEditor::CreateTxnForDeleteCharacter editor/libeditor/base/nsEditor.cpp:4764
3 XUL nsEditor::CreateTxnForDeleteInsertionPoint editor/libeditor/base/nsEditor.cpp:4827
4 XUL nsEditor::CreateTxnForDeleteSelection editor/libeditor/base/nsEditor.cpp:4719
5 XUL nsEditor::DeleteSelectionImpl editor/libeditor/base/nsEditor.cpp:4280
6 XUL nsPlaintextEditor::DeleteSelection editor/libeditor/text/nsPlaintextEditor.cpp:788
7 XUL nsEditor::HandleKeyPressEvent editor/libeditor/base/nsEditor.cpp:5104
8 XUL nsHTMLEditor::HandleKeyPressEvent editor/libeditor/html/nsHTMLEditor.cpp:691
9 XUL nsEditorEventListener::KeyPress editor/libeditor/base/nsEditorEventListener.cpp:362
10 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:175
11 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146
12 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:395
13 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628
14 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:7066
15 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6813
16 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6492
17 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1105
18 XUL HandleEvent view/src/nsView.cpp:161
19 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1807
20 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1817
21 XUL -[ChildView processKeyDownEvent:] widget/src/cocoa/nsChildView.mm:5436
22 XUL -[ChildView keyDown:] widget/src/cocoa/nsChildView.mm:5666
23 AppKit -[NSWindow sendEvent:]
24 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2356
25 AppKit -[NSApplication sendEvent:]
26 AppKit -[NSApplication run]
27 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:746
28 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:220
29 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3766
30 firefox-bin main browser/app/nsBrowserApp.cpp:158
31 firefox-bin firefox-bin@0xa05
32 @0x0
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=657c2a92ee2b&tochange=e77f4eda0bad
The likely culprit is bug 633709.
More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=nsEditor%3A%3ACreateTxnForDeleteText
Comment 1•14 years ago
|
||
khuey is worried that this is exploitable, so marking s-g.
Group: core-security
Assignee | ||
Comment 2•14 years ago
|
||
This is bad. The problem here is that the local variable at http://hg.mozilla.org/mozilla-central/annotate/1da3405c74fd/editor/libeditor/base/nsEditor.cpp#l4825 is not initialized. We pick up some random value from the stack and then pass it down a couple functions where it finally gets swapped into the RefPtr at http://hg.mozilla.org/mozilla-central/annotate/1da3405c74fd/editor/libeditor/base/nsEditor.cpp#l2708. If it happens to non-null we end up calling Release on it when the RefPtr goes out of scope.
Calling virtual methods on a garbage ptr we got from the stack is not good.
Assignee: nobody → khuey
blocking2.0: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
Assignee | ||
Comment 3•14 years ago
|
||
Assignee | ||
Comment 4•14 years ago
|
||
Comment on attachment 514458 [details] [diff] [review]
Patch.
Remove some more raw ptr usage by editor to make this safe.
Attachment #514458 -
Flags: review?(ehsan)
Comment 5•14 years ago
|
||
(In reply to comment #2)
> We pick up some random value from the stack and then pass
> it down a couple functions where it finally gets swapped into the RefPtr
Might have been beter to use .forget(...) instead of .swap(...).
Assignee | ||
Comment 6•14 years ago
|
||
Yeah, we should do that too.
Comment 7•14 years ago
|
||
Please renominate if it turns out to not be sg:crit, but based on the previous bugs like this, we're assuming it is.
blocking2.0: ? → final+
Whiteboard: [sg:critical?][hardblocker]
Updated•14 years ago
|
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][has patch]
Assignee | ||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Updated•14 years ago
|
Attachment #514458 -
Attachment is obsolete: true
Attachment #514458 -
Flags: review?(ehsan)
Comment 10•14 years ago
|
||
Kyle moved his patch over to bug 636074, and we'll take his patch there, FWIW.
Updated•14 years ago
|
Crash Signature: [@ nsEditor::CreateTxnForDeleteText ]
Assignee | ||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•