Created attachment 607962 [details] Log with failed allocations +++ This bug was initially created as a clone of Bug #733047 +++ Tested on m-c revision 08809a43e082: During OOM testing for bug 737129 I got a crash shown in the attached log. The trace is very similar to that in bug 733047 but we're not trying to execute NULL here but random memory. The log shows 6 failed allocations before the crash, and the crash location (address) varies (I had, "(bad)" and "Cannot access memory at", as well as random instructions). Could it be that one of the failed allocations leaves a pointer uninitialized here?
Not sure this is different than bug 733047, maybe it's the same and we need to raise the severity over there.
7 years ago
Component: DOM → HTML: Parser
QA Contact: general → parser
Created attachment 608404 [details] [diff] [review] Patch What happens here is that we fail to append the nsIContent* to the nsCOMArray that holds it alive, and we end up with a dead pointer floating around. The solution is to use an infallible array for mOwnedElements.
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Attachment #608404 - Flags: review?(hsivonen)
And I'm pretty sure this and bug 733047 are the same.
Comment on attachment 608404 [details] [diff] [review] Patch Thanks for figuring this out!
Attachment #608404 - Flags: review?(hsivonen) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
Comment on attachment 608404 [details] [diff] [review] Patch fwiw, I think this would be next to impossible to exploit, but the fix is safe enough that we could take it anywhere. [Approval Request Comment] Regression caused by (bug #): the HTML5 parser landing presumably User impact if declined: in certain OOM scenarios we will crash in an uncontrolled way instead of in a controlled way Testing completed (on m-c, etc.): landed on m-c Risk to taking this patch (and alternatives if risky): the risk is about as low as it gets String changes made by this patch: N/A
Comment on attachment 608404 [details] [diff] [review] Patch [Triage Comment] Approved for Aurora 13, Beta 12, and the ESR given the possible user impact and where we are in the schedule.
Attachment #608404 - Flags: approval-mozilla-esr10?
Attachment #608404 - Flags: approval-mozilla-esr10+
Attachment #608404 - Flags: approval-mozilla-beta?
Attachment #608404 - Flags: approval-mozilla-beta+
Attachment #608404 - Flags: approval-mozilla-aurora?
Attachment #608404 - Flags: approval-mozilla-aurora+
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
tracking-firefox-esr10: --- → 12+
http://hg.mozilla.org/releases/mozilla-aurora/rev/3074d3eb0f34 http://hg.mozilla.org/releases/mozilla-beta/rev/0b4ec3bcf064 http://hg.mozilla.org/releases/mozilla-esr10/rev/5dd4295eae1c
status-firefox-esr10: affected → fixed
status-firefox12: affected → fixed
status-firefox13: affected → fixed
qa- until testcase-wanted has been satisfied.
Whiteboard: [sg:high] → [sg:high][qa-]
Are this and bug 733047 the same? This one is resolved fixed but bug 733047 is not even assigned and is still open.
Christian thinks this is probably the same issue.
Christian, is there any way to verify this fix or bug 737129, which is the same overall issue?
(In reply to Al Billings [:abillings] from comment #13) > Christian, is there any way to verify this fix or bug 737129, which is the > same overall issue? Not really, bug if this is not fixed, then it will pop up again during OOM testing. I'm not doing that right now though since I'm too busy with other stuff :/
You need to log in before you can comment on or make changes to this bug.