Closed Bug 677847 Opened 13 years ago Closed 13 years ago

Crash [@ nsContentUtils::IsEventAttributeName ] at address 0x55555555 with malloc scribble

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla8
Tracking Flags:
Tracking Status
firefox7 --- unaffected
firefox8 + fixed
firefox9 + fixed
status1.9.2 --- unaffected

People

(Reporter: bc, Assigned: smaug)

References

(
URL
)

Details

(5 keywords, Whiteboard: [sg:critical?][qa!])

Crash Data

Attachments

(3 files)

stack
17.40 KB, text/plain
Details
linux valgrind log
27.34 KB, text/plain
Details
patch
978 bytes, patch
jst
: review+
Details | Diff | Splinter Review
Attached file stack 
1. enable scribble on mac

2. http://vnexpress.net/RSS/GL/trang-chu.rss

   or

   http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/topsongs/limit=25/xml

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555555
0x054461ec in nsContentUtils::IsEventAttributeName (aName=0x25b84380, aType=1) at /work/mozilla/builds/nightly/mozilla/content/base/src/nsContentUtils.cpp:2919
2919	  if (name[0] != 'o' || name[1] != 'n')

0x55 is deleted memory in scribble

bug 675437 supposedly fixed the crash.

Windows crashes with address 0xffffffffdddddddd (also deleted memory). I don't see this on Linux.
sorry, my linux workers are backed up building atm and haven't gotten to trying to reproduce these urls. I'll check them in a moment.
Attached file linux valgrind log 
==2569== Invalid read of size 4
==2569==    at 0x8E02B92: nsIAtom::GetUTF16String() (nsIAtom.h:53)

==2569== Invalid read of size 2
==2569==    at 0x91E6343: nsContentUtils::IsEventAttributeName(nsIAtom*, int) (nsContentUtils.cpp:2919)

==2569== Invalid read of size 4
==2569==    at 0xA6DD6A0: js::MarkRangeConservatively(JSTracer*, unsigned int const*, unsigned int const*) (jsgc.cpp:817)
I think I see what the problem is - haven't even tried to reproduce this yet though.
Attribute has been removed from mAttrsAndChildren, and then we call
AfterSetAttr. Nothing guarantees that nsIAtom is still alive.
The normal rules say that caller must keep the object alive,
so in this case nsTreeSanitizer, but perhaps in this case UnsetAttr
could do it. Investigating.
Assignee: nobody → Olli.Pettay
I'm going to fix this the usual way: caller needs to keep atom alive.
I checked other callers of UnsetAttr and they are safe.
http://mxr.mozilla.org/mozilla-central/source/content/xbl/src/nsXBLBinding.cpp#812
looks very much like this.
Attached patch patchSplinter Review 
Bob, could you try this patch?
Attachment #552044 - Flags: review?(jst)
Attachment #552044 - Flags: feedback?(bclary)
Looks ok on mac with either of the urls.
Comment on attachment 552044 [details] [diff] [review]
patch

r=jst
Attachment #552044 - Flags: review?(jst) → review+
Attachment #552044 - Flags: feedback?(bclary)
http://hg.mozilla.org/mozilla-central/rev/52c4a8829da3
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Blocks: 482909
Whiteboard: [sg:critical?]
status-firefox8: affectedfixed
status-firefox9: --- → fixed
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Keywords: regression
Target Milestone: --- → mozilla8
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
given urls don't crash on 9, 10 or 11
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: