737875 - OOM Crash [@ nsQueryInterfaceWithError::operator] trying to execute random memory

Status: RESOLVED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[Christian Holler (:decoder)]

Attachment: Log with failed allocations

+++ This bug was initially created as a clone of Bug #733047 +++

Tested on m-c revision 08809a43e082: During OOM testing for bug 737129 I got a crash shown in the attached log. The trace is very similar to that in bug 733047 but we're not trying to execute NULL here but random memory.

The log shows 6 failed allocations before the crash, and the crash location (address) varies (I had, "(bad)" and "Cannot access memory at", as well as random instructions).

Could it be that one of the failed allocations leaves a pointer uninitialized here?

Comment 1

[Daniel Veditz [:dveditz]]

Not sure this is different than bug 733047, maybe it's the same and we need to raise the severity over there.

Comment 2

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

Attachment: Patch

What happens here is that we fail to append the nsIContent* to the nsCOMArray that holds it alive, and we end up with a dead pointer floating around.  The solution is to use an infallible array for mOwnedElements.

Comment 3

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

And I'm pretty sure this and bug 733047 are the same.

Comment 4

[Henri Sivonen (:hsivonen)]

Comment on attachment 608404 [details] [diff] [review]
Patch

Thanks for figuring this out!

Comment 5

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

http://hg.mozilla.org/mozilla-central/rev/8042c37b8100

Comment 6

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

Comment on attachment 608404 [details] [diff] [review]
Patch

fwiw, I think this would be next to impossible to exploit, but the fix is safe enough that we could take it anywhere.

[Approval Request Comment]
Regression caused by (bug #): the HTML5 parser landing presumably
User impact if declined: in certain OOM scenarios we will crash in an uncontrolled way instead of in a controlled way
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): the risk is about as low as it gets
String changes made by this patch: N/A

Comment 7

[Alex Keybl [:akeybl]]

Comment on attachment 608404 [details] [diff] [review]
Patch

[Triage Comment]
Approved for Aurora 13, Beta 12, and the ESR given the possible user impact and where we are in the schedule.

Comment 8

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

http://hg.mozilla.org/releases/mozilla-aurora/rev/3074d3eb0f34
http://hg.mozilla.org/releases/mozilla-beta/rev/0b4ec3bcf064
http://hg.mozilla.org/releases/mozilla-esr10/rev/5dd4295eae1c

Comment 9

[u279076]

qa- until testcase-wanted has been satisfied.

Comment 10

[Al Billings [:abillings - ex-MoCo]]

Are this and bug 733047 the same? This one is resolved fixed but bug 733047 is not even assigned and is still open.

Comment 11

[Al Billings [:abillings - ex-MoCo]]

Christian thinks this is probably the same issue.

Comment 13

[Al Billings [:abillings - ex-MoCo]]

Christian, is there any way to verify this fix or bug 737129, which is the same overall issue?

Comment 14

[Christian Holler (:decoder)]

(In reply to Al Billings [:abillings] from comment #13)
> Christian, is there any way to verify this fix or bug 737129, which is the
> same overall issue?

Not really, bug if this is not fixed, then it will pop up again during OOM testing. I'm not doing that right now though since I'm too busy with other stuff :/