Closed Bug 677847 Opened 9 years ago Closed 9 years ago

Crash [@ nsContentUtils::IsEventAttributeName ] at address 0x55555555 with malloc scribble

Categories

(Core :: General, defect, blocker)

x86
All
defect
Not set
blocker

Tracking

()

VERIFIED FIXED
mozilla8
Tracking Status
firefox7 --- unaffected
firefox8 + fixed
firefox9 + fixed
status1.9.2 --- unaffected

People

(Reporter: bc, Assigned: smaug)

References

(Blocks 1 open bug, )

Details

(5 keywords, Whiteboard: [sg:critical?][qa!])

Crash Data

Attachments

(3 files)

Attached file stack
1. enable scribble on mac

2. http://vnexpress.net/RSS/GL/trang-chu.rss

   or

   http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/topsongs/limit=25/xml

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555555
0x054461ec in nsContentUtils::IsEventAttributeName (aName=0x25b84380, aType=1) at /work/mozilla/builds/nightly/mozilla/content/base/src/nsContentUtils.cpp:2919
2919	  if (name[0] != 'o' || name[1] != 'n')

0x55 is deleted memory in scribble

bug 675437 supposedly fixed the crash.

Windows crashes with address 0xffffffffdddddddd (also deleted memory). I don't see this on Linux.
sorry, my linux workers are backed up building atm and haven't gotten to trying to reproduce these urls. I'll check them in a moment.
Attached file linux valgrind log
==2569== Invalid read of size 4
==2569==    at 0x8E02B92: nsIAtom::GetUTF16String() (nsIAtom.h:53)

==2569== Invalid read of size 2
==2569==    at 0x91E6343: nsContentUtils::IsEventAttributeName(nsIAtom*, int) (nsContentUtils.cpp:2919)

==2569== Invalid read of size 4
==2569==    at 0xA6DD6A0: js::MarkRangeConservatively(JSTracer*, unsigned int const*, unsigned int const*) (jsgc.cpp:817)
I think I see what the problem is - haven't even tried to reproduce this yet though.
Attribute has been removed from mAttrsAndChildren, and then we call
AfterSetAttr. Nothing guarantees that nsIAtom is still alive.
The normal rules say that caller must keep the object alive,
so in this case nsTreeSanitizer, but perhaps in this case UnsetAttr
could do it. Investigating.
Assignee: nobody → Olli.Pettay
I'm going to fix this the usual way: caller needs to keep atom alive.
I checked other callers of UnsetAttr and they are safe.
http://mxr.mozilla.org/mozilla-central/source/content/xbl/src/nsXBLBinding.cpp#812
looks very much like this.
Attached patch patchSplinter Review
Bob, could you try this patch?
Attachment #552044 - Flags: review?(jst)
Attachment #552044 - Flags: feedback?(bclary)
Looks ok on mac with either of the urls.
Comment on attachment 552044 [details] [diff] [review]
patch

r=jst
Attachment #552044 - Flags: review?(jst) → review+
Attachment #552044 - Flags: feedback?(bclary)
http://hg.mozilla.org/mozilla-central/rev/52c4a8829da3
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Keywords: regression
Target Milestone: --- → mozilla8
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
given urls don't crash on 9, 10 or 11
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Group: core-security
Failed at mozilla: https://bds123.vn/cho-thue-phong-tro-nha-tro.html
How to fix the error.
You need to log in before you can comment on or make changes to this bug.