Closed Bug 737875 Opened 12 years ago Closed 12 years ago

OOM Crash [@ nsQueryInterfaceWithError::operator] trying to execute random memory

Categories

(Core :: DOM: HTML Parser, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla14
Tracking Status
firefox12 --- fixed
firefox13 --- fixed
firefox-esr10 12+ fixed

People

(Reporter: decoder, Assigned: khuey)

References

Details

(Keywords: crash, Whiteboard: [sg:high][qa-])

Crash Data

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #733047 +++

Tested on m-c revision 08809a43e082: During OOM testing for bug 737129 I got a crash shown in the attached log. The trace is very similar to that in bug 733047 but we're not trying to execute NULL here but random memory.

The log shows 6 failed allocations before the crash, and the crash location (address) varies (I had, "(bad)" and "Cannot access memory at", as well as random instructions).

Could it be that one of the failed allocations leaves a pointer uninitialized here?
Not sure this is different than bug 733047, maybe it's the same and we need to raise the severity over there.
Whiteboard: [sg:high]
Component: DOM → HTML: Parser
QA Contact: general → parser
Attached patch PatchSplinter Review
What happens here is that we fail to append the nsIContent* to the nsCOMArray that holds it alive, and we end up with a dead pointer floating around.  The solution is to use an infallible array for mOwnedElements.
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Attachment #608404 - Flags: review?(hsivonen)
And I'm pretty sure this and bug 733047 are the same.
Comment on attachment 608404 [details] [diff] [review]
Patch

Thanks for figuring this out!
Attachment #608404 - Flags: review?(hsivonen) → review+
http://hg.mozilla.org/mozilla-central/rev/8042c37b8100
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
Comment on attachment 608404 [details] [diff] [review]
Patch

fwiw, I think this would be next to impossible to exploit, but the fix is safe enough that we could take it anywhere.

[Approval Request Comment]
Regression caused by (bug #): the HTML5 parser landing presumably
User impact if declined: in certain OOM scenarios we will crash in an uncontrolled way instead of in a controlled way
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): the risk is about as low as it gets
String changes made by this patch: N/A
Attachment #608404 - Flags: approval-mozilla-esr10?
Attachment #608404 - Flags: approval-mozilla-beta?
Attachment #608404 - Flags: approval-mozilla-aurora?
Comment on attachment 608404 [details] [diff] [review]
Patch

[Triage Comment]
Approved for Aurora 13, Beta 12, and the ESR given the possible user impact and where we are in the schedule.
Attachment #608404 - Flags: approval-mozilla-esr10?
Attachment #608404 - Flags: approval-mozilla-esr10+
Attachment #608404 - Flags: approval-mozilla-beta?
Attachment #608404 - Flags: approval-mozilla-beta+
Attachment #608404 - Flags: approval-mozilla-aurora?
Attachment #608404 - Flags: approval-mozilla-aurora+
qa- until testcase-wanted has been satisfied.
Whiteboard: [sg:high] → [sg:high][qa-]
Are this and bug 733047 the same? This one is resolved fixed but bug 733047 is not even assigned and is still open.
Christian thinks this is probably the same issue.
Christian, is there any way to verify this fix or bug 737129, which is the same overall issue?
(In reply to Al Billings [:abillings] from comment #13)
> Christian, is there any way to verify this fix or bug 737129, which is the
> same overall issue?

Not really, bug if this is not fixed, then it will pop up again during OOM testing. I'm not doing that right now though since I'm too busy with other stuff :/
Group: core-security
You need to log in before you can comment on or make changes to this bug.