Closed Bug 731087 Opened 11 years ago Closed 4 years ago

OOM Crash [@ nsScannerBufferList] due to fallible allocation in nsScannerBufferList

Categories

(Core :: DOM: HTML Parser, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash)

The following source part (m-c revision 66e4d53697c2) indirectly uses fallible allocation through the nsScannerBufferList class:

http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#240

The call to AllocBufferFromString here is fallible and will cause a crash on OOM:

nsScannerBufferList (buf=0x0, this=0x2aaabcb834d0) at ../../../dist/include/nsScannerString.h:162
162               PR_APPEND_LINK(buf, &mBuffers);
#0  nsScannerBufferList (buf=0x0, this=0x2aaabcb834d0) at ../../../dist/include/nsScannerString.h:162
#1  nsScannerSubstring::Rebind (this=0x2aaabcb83480, aString=<optimized out>) at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsScannerString.cpp:240
#2  0x00002aaaac5edc9f in CNewlineToken::AllocNewline () at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsHTMLTokens.cpp:1532
#3  0x00002aaaac5f43f1 in Initialize () at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsParserModule.cpp:115
#4  0x00002aaaad282391 in nsComponentManagerImpl::KnownModule::Load (this=0x2aaabc0fd5a0) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:732
#5  0x00002aaaad2827d0 in nsFactoryEntry::GetFactory (this=<optimized out>) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:1738
#6  0x00002aaaad282cd3 in CreateInstance (aResult=0x7fffffff7978, aIID=..., aDelegate=0x0, aClass=..., this=<optimized out>) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:974
#7  nsComponentManagerImpl::CreateInstance (this=<optimized out>, aClass=..., aDelegate=0x0, aIID=..., aResult=0x7fffffff7978) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:929
The crash itself is harmless but we should handle this situation anyway. I propose that we either convert all alloc methods of nsScannerBufferList to be infallible in general or, if that is not possible, add a second set of infallible methods (like moz_xmalloc).
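The pattern the report describes, as an added example that is not Mozilla's code: a fallible allocator whose null result reaches an unchecked list append (the PR_APPEND_LINK shape in the backtrace), beside the two remedies proposed above, an abort-on-OOM wrapper in the spirit of moz_xmalloc and a checked append that rejects a null buffer. Buffer, BufferList, AllocBufferFallible and the simulateOOM switch are hypothetical names constructed for this illustration.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>

// Hypothetical stand-in for one scanner buffer node (not Mozilla's code).
struct Buffer { Buffer* next = nullptr; char* data = nullptr; size_t len = 0; };

// Fallible allocator, like the AllocBufferFromString path in the report: it
// returns nullptr on OOM. 'simulateOOM' is a constructed switch for testing.
Buffer* AllocBufferFallible(const char* str, bool simulateOOM) {
    if (simulateOOM) return nullptr;
    Buffer* b = new (std::nothrow) Buffer;
    if (!b) return nullptr;
    b->len = std::strlen(str);
    b->data = static_cast<char*>(std::malloc(b->len + 1));
    if (!b->data) { delete b; return nullptr; }
    std::memcpy(b->data, str, b->len + 1);
    return b;
}

// Infallible variant in the spirit of moz_xmalloc: aborts on OOM, so callers
// never observe a null buffer (the first option proposed in the report).
Buffer* AllocBufferInfallible(const char* str, bool simulateOOM) {
    Buffer* b = AllocBufferFallible(str, simulateOOM);
    if (!b) std::abort();
    return b;
}

struct BufferList {
    Buffer* head = nullptr; size_t count = 0;
    // Unchecked append: writes through buf with no null check, the same shape
    // as PR_APPEND_LINK(buf, &mBuffers) in the backtrace; a null buf crashes.
    void AppendUnchecked(Buffer* buf) { buf->next = head; head = buf; ++count; }
    // Checked append: a null buffer is reported to the caller, not dereferenced.
    bool AppendChecked(Buffer* buf) { if (!buf) return false; AppendUnchecked(buf); return true; }
    ~BufferList() {
        while (head) { Buffer* n = head->next; std::free(head->data); delete head; head = n; }
    }
};

// One good rebind then one OOM rebind through the checked path; the count
// stays at 1 because the null result was rejected instead of linked in.
size_t CountAfterOneOOM() {
    BufferList list;
    list.AppendChecked(AllocBufferFallible("\n", false));
    list.AppendChecked(AllocBufferFallible("\n", true));
    return list.count;
}
```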
This is the old parser, right?  If so, I think this is RESOLVED DONTCAREITSGOINGAWAYANYWAYS ;-)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #1)
> This is the old parser, right?  If so, I think this is RESOLVED
> DONTCAREITSGOINGAWAYANYWAYS ;-)

Sadly, nsScanner is staying until I get around to rewriting our XML code path too. It's on my todo list after exorcising the old HTML parser.
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX