Closed Bug 680687 Opened 13 years ago Closed 13 years ago

Crash [@ nsSVGSwitchElement::FindActiveChild] after GC

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox7 - unaffected
firefox8 - unaffected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: crash, testcase, verified-beta, Whiteboard: [sg:critical?][qa!] possible regression from 335998?)

Crash Data

Attachments

(3 files)

testcase (requires extension for GC) (crashes when loaded)
453 bytes, image/svg+xml
Details
stack trace (mac, debug, gdb)
10.37 KB, text/plain
Details
Follow the COM rules
6.63 KB, patch
jst
: review+
Details | Diff | Splinter Review
1. Install https://www.squarefree.com/extensions/domFuzzLite2.xpi 2. Load the testcase. Result: Debug: Crash [@ nsSVGSwitchElement::FindActiveChild] calling 0x0 ? Opt: Crash [@ nsNodeUtils::ContentRemoved] calling bogus ? The GC pattern makes me wonder if this is related to bug 335998 being fixed.
Um, nsSVGSwitchElement overrides InsertChildAt/RemoveChildAt
Assignee: nobody → Olli.Pettay
The changes shouldn't be in hot paths, and this is the right thing to do. Yet, it is unfortunate to add new Addref/releases.
Attachment #554672 - Flags: review?(jst)
...so I patched all the cases I found where similar problem could occur, not only nsGenericElement.
And note, in parser eTreeOpAppendChildrenToNewParent it is really the node which needs to be strong.
Whiteboard: [sg:critical?] possible regression from 335998?
Attachment #554672 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/071d9c997f3d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Olli, this is something we could take in 8, right?
status-firefox10: --- → fixed
status-firefox7: --- → wontfix
status-firefox8: --- → affected
status-firefox9: --- → fixed
tracking-firefox10: --- → +
tracking-firefox7: --- → +
tracking-firefox8: --- → +
tracking-firefox9: --- → +
I could not reproduce the crash using the testcase on Firefox 8 (beta), is it possible this was introduced by something in Firefox 9 rather than bug 335998 as Jesse guessed? Didn't see any script errors running the testcase so I think I ran it correctly, but I'd be happier if Jesse concurred. It's also possible something else that landed on both Fx9 and 8 masked/fixed this, or something that landed earlier on Fx9 that un-masked the underlying problem.
The patch for bug 335998 is not in FF8.
I don't see any reason to take this to FF8.
Whiteboard: [sg:critical?] possible regression from 335998? → [sg:critical?][qa+] possible regression from 335998?
Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111122 Firefox/11.0a1. I verified by following the steps in Comment 0.
Status: RESOLVED → VERIFIED
(In reply to Marcia Knous [:marcia] from comment #12) > Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) > Gecko/20111122 Firefox/11.0a1. I verified by following the steps in Comment > 0. Thanks Marcia. If you have time, could you please also verify on Firefox 9 and 10?
Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0. The extension is not compatible with Aurora, so I am not sure if forcing compat would be a fair test.
Keywords: verified-beta
Whiteboard: [sg:critical?][qa+] possible regression from 335998? → [sg:critical?][qa!] possible regression from 335998?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: