Closed Bug 680687 Opened 9 years ago Closed 9 years ago

Crash [@ nsSVGSwitchElement::FindActiveChild] after GC

Categories

(Core :: SVG, defect, critical)

Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
Tracking Status
firefox7 - unaffected
firefox8 - unaffected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, verified-beta, Whiteboard: [sg:critical?][qa!] possible regression from 335998?)

Attachments

(3 files)

1. Install https://www.squarefree.com/extensions/domFuzzLite2.xpi
2. Load the testcase.

Result:
  Debug: Crash [@ nsSVGSwitchElement::FindActiveChild] calling 0x0 ?
  Opt:   Crash [@ nsNodeUtils::ContentRemoved]         calling bogus ?

The GC pattern makes me wonder if this is related to bug 335998 being fixed.
Um, nsSVGSwitchElement overrides InsertChildAt/RemoveChildAt
Assignee: nobody → Olli.Pettay
The changes shouldn't be in hot paths, and this is the right thing to do.
Yet, it is unfortunate to add new Addref/releases.
Attachment #554672 - Flags: review?(jst)
...so I patched all the cases I found where similar problem could occur,
not only nsGenericElement.
And note, in parser eTreeOpAppendChildrenToNewParent
it is really the node which needs to be strong.
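The ownership hazard discussed in the comments above (an override of InsertChildAt/RemoveChildAt that holds only a raw pointer to a child across the base-class call, while ContentRemoved notifications may run script and a GC can drop the last other reference), shown as a constructed C++ example. This is not Gecko code: `Node`, `StrongRef`, `Parent` and `WrapperCollected` are simplified stand-ins for refcounted content nodes, nsCOMPtr/RefPtr, nsGenericElement::RemoveChildAt and nsNodeUtils::ContentRemoved. `Release()` records destruction in a flag instead of deleting, so the dangling use can be observed without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of intrusive refcounting (assumption: not Gecko's nsISupports).
struct Node {
  int mRefCnt = 0;
  bool mDestroyed = false;  // set when the last reference goes away
  void AddRef() { ++mRefCnt; }
  void Release() {
    if (--mRefCnt == 0) {
      // Simulation: a real object would be deleted here; we only flag it so the
      // example can report that a later use would be a use-after-free.
      mDestroyed = true;
    }
  }
};

// Minimal strong-reference holder in the spirit of nsCOMPtr/RefPtr (hand-written here).
class StrongRef {
  Node* mPtr;
 public:
  explicit StrongRef(Node* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ~StrongRef() { if (mPtr) mPtr->Release(); }
  StrongRef(const StrongRef&) = delete;
  StrongRef& operator=(const StrongRef&) = delete;
  Node* get() const { return mPtr; }
};

// Parent whose child list owns one reference per child; stands in for nsGenericElement.
struct Parent {
  std::vector<Node*> mChildren;
  void (*mContentRemoved)(Node*) = nullptr;  // stands in for nsNodeUtils::ContentRemoved

  void AppendChild(Node* n) { n->AddRef(); mChildren.push_back(n); }

  // Base-class removal: notify observers (which may run script / trigger GC),
  // then drop the parent's own reference.
  void RemoveChildAt(size_t i) {
    Node* child = mChildren[i];
    mChildren.erase(mChildren.begin() + i);
    if (mContentRemoved) mContentRemoved(child);
    child->Release();
  }
};

// Constructed observer: during the notification, a garbage-collected wrapper
// releases the only other reference to the removed node.
static void WrapperCollected(Node* n) { n->Release(); }

// Override pattern that keeps only a raw pointer across the base call.
// Returns true when the node was destroyed underneath the raw pointer.
bool UnsafeScenario() {
  Node node; node.AddRef();              // reference held by the (constructed) wrapper
  Parent parent; parent.mContentRemoved = WrapperCollected;
  parent.AppendChild(&node);
  Node* child = parent.mChildren[0];     // raw pointer, no reference of our own
  parent.RemoveChildAt(0);               // last reference dropped in here
  return child->mDestroyed;              // any real use of `child` now is a UAF
}

// Hardened pattern: hold our own strong reference for the duration of the call.
// Returns true when the node is still alive after the base call.
bool SafeScenario() {
  Node node; node.AddRef();
  Parent parent; parent.mContentRemoved = WrapperCollected;
  parent.AppendChild(&node);
  bool alive;
  {
    StrongRef child(parent.mChildren[0]);  // the extra AddRef the comments mention
    parent.RemoveChildAt(0);
    alive = !child.get()->mDestroyed;      // our reference kept it alive
  }                                        // released here, after we are done with it
  return alive;
}

int main() {
  std::printf("raw pointer: node destroyed during removal = %s\n",
              UnsafeScenario() ? "yes" : "no");
  std::printf("strong ref:  node alive after removal      = %s\n",
              SafeScenario() ? "yes" : "no");
  return 0;
}
```

The cost the comments weigh (an extra AddRef/Release pair per call) is exactly the `StrongRef` in `SafeScenario`; the alternative is the raw-pointer path, whose outcome depends entirely on what observers and the GC do while the base call is in flight.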
Whiteboard: [sg:critical?] possible regression from 335998?
Attachment #554672 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/071d9c997f3d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Olli, this is something we could take in 8, right?
I could not reproduce the crash using the testcase on Firefox 8 (beta), is it possible this was introduced by something in Firefox 9 rather than bug 335998 as Jesse guessed? Didn't see any script errors running the testcase so I think I ran it correctly, but I'd be happier if Jesse concurred. It's also possible something else that landed on both Fx9 and 8 masked/fixed this, or something that landed earlier on Fx9 that un-masked the underlying problem.
The patch for bug 335998 is not in FF8.
I don't see any reason to take this to FF8.
Whiteboard: [sg:critical?] possible regression from 335998? → [sg:critical?][qa+] possible regression from 335998?
Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111122 Firefox/11.0a1. I verified by following the steps in Comment 0.
Status: RESOLVED → VERIFIED
(In reply to Marcia Knous [:marcia] from comment #12)
> Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1)
> Gecko/20111122 Firefox/11.0a1. I verified by following the steps in Comment
> 0.

Thanks Marcia. If you have time, could you please also verify on Firefox 9 and 10?
Verified fixed using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0. The extension is not compatible with Aurora, so I am not sure if forcing compat would be a fair test.
Keywords: verified-beta
Whiteboard: [sg:critical?][qa+] possible regression from 335998? → [sg:critical?][qa!] possible regression from 335998?
Group: core-security