Bug 677847: Crash [@ nsContentUtils::IsEventAttributeName ] at address 0x55555555 with malloc scribble
Status: Closed (opened 14 years ago, closed 14 years ago)
Categories: Core :: General, defect
Resolution: VERIFIED FIXED, target milestone mozilla8
Tracking:
| Branch | Tracking | Status |
|---|---|---|
| firefox7 | --- | unaffected |
| firefox8 | + | fixed |
| firefox9 | + | fixed |
| status1.9.2 | --- | unaffected |
People: Reporter bc, Assigned smaug
Details: 5 keywords; Whiteboard: [sg:critical?][qa!]
Attachments: 3 files
Description
1. Enable scribble on Mac.
2. Load either of these URLs:
http://vnexpress.net/RSS/GL/trang-chu.rss
or
http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/topsongs/limit=25/xml
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555555
0x054461ec in nsContentUtils::IsEventAttributeName (aName=0x25b84380, aType=1) at /work/mozilla/builds/nightly/mozilla/content/base/src/nsContentUtils.cpp:2919
2919 if (name[0] != 'o' || name[1] != 'n')
0x55 is deleted memory in scribble
bug 675437 supposedly fixed the crash.
Windows crashes with address 0xffffffffdddddddd (also deleted memory). I don't see this on Linux.
Comment 1 • 14 years ago (Reporter)
Sorry, my Linux workers are backed up building at the moment and I haven't gotten to trying to reproduce these URLs. I'll check them in a moment.
Comment 2 • 14 years ago (Reporter)
==2569== Invalid read of size 4
==2569== at 0x8E02B92: nsIAtom::GetUTF16String() (nsIAtom.h:53)
==2569== Invalid read of size 2
==2569== at 0x91E6343: nsContentUtils::IsEventAttributeName(nsIAtom*, int) (nsContentUtils.cpp:2919)
==2569== Invalid read of size 4
==2569== at 0xA6DD6A0: js::MarkRangeConservatively(JSTracer*, unsigned int const*, unsigned int const*) (jsgc.cpp:817)
Comment 3 • 14 years ago (Assignee)
I think I see what the problem is - haven't even tried to reproduce this yet though.
Attribute has been removed from mAttrsAndChildren, and then we call
AfterSetAttr. Nothing guarantees that nsIAtom is still alive.
The normal rules say that caller must keep the object alive,
so in this case nsTreeSanitizer, but perhaps in this case UnsetAttr
could do it. Investigating.
Assignee: nobody → Olli.Pettay
Comment 4 • 14 years ago (Assignee)
I'm going to fix this the usual way: caller needs to keep atom alive.
I checked other callers of UnsetAttr and they are safe.
http://mxr.mozilla.org/mozilla-central/source/content/xbl/src/nsXBLBinding.cpp#812
looks very much like this.
Comment 5 • 14 years ago (Assignee)
Bob, could you try this patch?
Attachment #552044 - Flags: review?(jst)
Attachment #552044 - Flags: feedback?(bclary)
Comment 6 • 14 years ago (Reporter)
Looks OK on Mac with either of the URLs.
Comment 7 • 14 years ago
Comment on attachment 552044 [details] [diff] [review] (patch): r=jst
Attachment #552044 - Flags: review?(jst) → review+
Updated • 14 years ago (Assignee)
Attachment #552044 - Flags: feedback?(bclary)
Comment 8 • 14 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Whiteboard: [sg:critical?]
Updated • 14 years ago
status-firefox9: --- → fixed
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Keywords: regression
Target Milestone: --- → mozilla8
Updated • 13 years ago
status1.9.2: --- → unaffected
Comment 9 • 13 years ago
The given URLs don't crash on 9, 10 or 11.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Updated • 13 years ago
Group: core-security