Closed
Bug 677847
Opened 13 years ago
Closed 13 years ago
Crash [@ nsContentUtils::IsEventAttributeName ] at address 0x55555555 with malloc scribble
Categories
(Core :: General, defect)
Tracking
VERIFIED
FIXED
mozilla8
 | Tracking | Status
---|---|---
firefox7 | --- | unaffected
firefox8 | + | fixed
firefox9 | + | fixed
status1.9.2 | --- | unaffected
People
(Reporter: bc, Assigned: smaug)
References
Details
(5 keywords, Whiteboard: [sg:critical?][qa!])
Crash Data
Attachments
(3 files)
1. enable scribble on mac
2. http://vnexpress.net/RSS/GL/trang-chu.rss or http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/topsongs/limit=25/xml

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555555
0x054461ec in nsContentUtils::IsEventAttributeName (aName=0x25b84380, aType=1) at /work/mozilla/builds/nightly/mozilla/content/base/src/nsContentUtils.cpp:2919
2919 if (name[0] != 'o' || name[1] != 'n')

0x55 is deleted memory in scribble.

Bug 675437 supposedly fixed the crash.

Windows crashes with address 0xffffffffdddddddd (also deleted memory). I don't see this on Linux.
Reporter, Comment 1 • 13 years ago
sorry, my linux workers are backed up building atm and haven't gotten to trying to reproduce these urls. I'll check them in a moment.
Reporter, Comment 2 • 13 years ago
==2569== Invalid read of size 4
==2569==    at 0x8E02B92: nsIAtom::GetUTF16String() (nsIAtom.h:53)
==2569== Invalid read of size 2
==2569==    at 0x91E6343: nsContentUtils::IsEventAttributeName(nsIAtom*, int) (nsContentUtils.cpp:2919)
==2569== Invalid read of size 4
==2569==    at 0xA6DD6A0: js::MarkRangeConservatively(JSTracer*, unsigned int const*, unsigned int const*) (jsgc.cpp:817)
Assignee, Comment 3 • 13 years ago
I think I see what the problem is - haven't even tried to reproduce this yet though. Attribute has been removed from mAttrsAndChildren, and then we call AfterSetAttr. Nothing guarantees that nsIAtom is still alive. The normal rules say that caller must keep the object alive, so in this case nsTreeSanitizer, but perhaps in this case UnsetAttr could do it. Investigating.
Assignee: nobody → Olli.Pettay
Assignee, Comment 4 • 13 years ago
I'm going to fix this the usual way: caller needs to keep atom alive. I checked other callers of UnsetAttr and they are safe. http://mxr.mozilla.org/mozilla-central/source/content/xbl/src/nsXBLBinding.cpp#812 looks very much like this.
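As an added illustration (not the patch and not Mozilla code; all names are hypothetical stand-ins), a small model of the lifetime bug described in comments 3 and 4: an atom whose only strong reference lives in the attribute array is freed when the attribute is removed, and the raw pointer is then handed to the post-removal hook. The fix is the one comment 4 names, a caller-side strong reference held across the call. Instead of dereferencing the freed atom, the hook here consults a liveness registry, so the bug shows up as a `false` result rather than a crash.

```cpp
// Model of bug 677847 (hypothetical names, not Mozilla code): an atom owned only
// by the attribute array is freed on removal, yet its raw pointer is used after.
#include <set>
#include <string>
#include <utility>
#include <vector>
struct Atom {                       // stands in for nsIAtom
    std::string name;
    int refcnt = 0;
    static std::set<const Atom*>& live() { static std::set<const Atom*> s; return s; }
    explicit Atom(std::string n) : name(std::move(n)) { live().insert(this); }
    ~Atom() { live().erase(this); }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};
struct AtomRef {                    // minimal owning pointer, like nsCOMPtr<nsIAtom>
    Atom* p = nullptr;
    AtomRef(Atom* a = nullptr) : p(a) { if (p) p->AddRef(); }
    AtomRef(const AtomRef& o) : AtomRef(o.p) {}
    AtomRef& operator=(const AtomRef& o) { AtomRef t(o); std::swap(p, t.p); return *this; }
    ~AtomRef() { if (p) p->Release(); }
    Atom* get() const { return p; }
};
struct Element {
    std::vector<AtomRef> attrs;     // stands in for mAttrsAndChildren
    // The real hook read name[0], name[1] from the atom; this one reports
    // whether the atom is still alive, so the bug shows up as false.
    static bool AfterSetAttr(const Atom* name) { return Atom::live().count(name) != 0; }
    void RemoveAttr(const Atom* name) {
        for (auto it = attrs.begin(); it != attrs.end(); ++it)
            if (it->get() == name) { attrs.erase(it); return; }
    }
    // Buggy: the array held the last reference, so name dangles after removal.
    bool UnsetAttrBuggy(Atom* name) { RemoveAttr(name); return AfterSetAttr(name); }
    // Fixed as comment 4 describes: a caller-side strong reference keeps the
    // atom alive across the hook.
    bool UnsetAttrFixed(Atom* name) {
        AtomRef hold(name);
        RemoveAttr(name);
        return AfterSetAttr(name);
    }
};
// Unsets one attribute through a raw pointer taken from the attribute list
// itself (as the sanitizer did); returns what the hook observed.
bool RunScenario(bool fixed) {
    Element el;
    el.attrs.emplace_back(new Atom("onclick"));
    Atom* raw = el.attrs[0].get();
    return fixed ? el.UnsetAttrFixed(raw) : el.UnsetAttrBuggy(raw);
}
```

Under a scribbling or poisoning allocator the buggy path is exactly where the 0x55555555 / 0xdddddddd reads in the report come from; the registry check only makes the ordering visible without undefined behaviour.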
Assignee, Comment 5 • 13 years ago
Bob, could you try this patch?
Attachment #552044 - Flags: review?(jst)
Attachment #552044 - Flags: feedback?(bclary)
Reporter, Comment 6 • 13 years ago
Looks ok on mac with either of the urls.
Comment 7 • 13 years ago
Comment on attachment 552044 [details] [diff] [review]: patch
r=jst
Attachment #552044 - Flags: review?(jst) → review+
Assignee, Updated • 13 years ago
Attachment #552044 - Flags: feedback?(bclary)
Assignee, Comment 8 • 13 years ago
http://hg.mozilla.org/mozilla-central/rev/52c4a8829da3
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Whiteboard: [sg:critical?]
Updated • 13 years ago
status-firefox9: --- → fixed
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Keywords: regression
Target Milestone: --- → mozilla8
Updated • 13 years ago
status1.9.2: --- → unaffected
Comment 9 • 13 years ago
given urls don't crash on 9, 10 or 11
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Updated • 13 years ago
Group: core-security