OOM Crash [@ nsQueryInterfaceWithError::operator] trying to execute random memory

RESOLVED FIXED in Firefox 12



7 years ago
3 years ago


(Reporter: decoder, Assigned: khuey)


(Blocks: 1 bug, {crash})

Dependency tree / graph

Firefox Tracking Flags

(firefox12 fixed, firefox13 fixed, firefox-esr1012+ fixed)


(Whiteboard: [sg:high][qa-], crash signature)


(2 attachments)



7 years ago
Created attachment 607962 [details]
Log with failed allocations

+++ This bug was initially created as a clone of Bug #733047 +++

Tested on m-c revision 08809a43e082: During OOM testing for bug 737129 I got a crash shown in the attached log. The trace is very similar to that in bug 733047 but we're not trying to execute NULL here but random memory.

The log shows 6 failed allocations before the crash, and the crash location (address) varies (I had, "(bad)" and "Cannot access memory at", as well as random instructions).

Could it be that one of the failed allocations leaves a pointer uninitialized here?
Not sure this is different than bug 733047, maybe it's the same and we need to raise the severity over there.
Whiteboard: [sg:high]
Component: DOM → HTML: Parser
QA Contact: general → parser
Created attachment 608404 [details] [diff] [review]

What happens here is that we fail to append the nsIContent* to the nsCOMArray that holds it alive, and we end up with a dead pointer floating around.  The solution is to use an infallible array for mOwnedElements.
Assignee: nobody → khuey
Attachment #608404 - Flags: review?(hsivonen)
And I'm pretty sure this and bug 733047 are the same.
Comment on attachment 608404 [details] [diff] [review]

Thanks for figuring this out!
Attachment #608404 - Flags: review?(hsivonen) → review+
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
Comment on attachment 608404 [details] [diff] [review]

fwiw, I think this would be next to impossible to exploit, but the fix is safe enough that we could take it anywhere.

[Approval Request Comment]
Regression caused by (bug #): the HTML5 parser landing presumably
User impact if declined: in certain OOM scenarios we will crash in an uncontrolled way instead of in a controlled way
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): the risk is about as low as it gets
String changes made by this patch: N/A
Attachment #608404 - Flags: approval-mozilla-esr10?
Attachment #608404 - Flags: approval-mozilla-beta?
Attachment #608404 - Flags: approval-mozilla-aurora?

Comment 7

7 years ago
Comment on attachment 608404 [details] [diff] [review]

[Triage Comment]
Approved for Aurora 13, Beta 12, and the ESR given the possible user impact and where we are in the schedule.
Attachment #608404 - Flags: approval-mozilla-esr10?
Attachment #608404 - Flags: approval-mozilla-esr10+
Attachment #608404 - Flags: approval-mozilla-beta?
Attachment #608404 - Flags: approval-mozilla-beta+
Attachment #608404 - Flags: approval-mozilla-aurora?
Attachment #608404 - Flags: approval-mozilla-aurora+


7 years ago
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
tracking-firefox-esr10: --- → 12+
qa- until testcase-wanted has been satisfied.
Whiteboard: [sg:high] → [sg:high][qa-]
Are this and bug 733047 the same? This one is resolved fixed but bug 733047 is not even assigned and is still open.
Christian thinks this is probably the same issue.
Duplicate of this bug: 733047
Christian, is there any way to verify this fix or bug 737129, which is the same overall issue?

Comment 14

7 years ago
(In reply to Al Billings [:abillings] from comment #13)
> Christian, is there any way to verify this fix or bug 737129, which is the
> same overall issue?

Not really, bug if this is not fixed, then it will pop up again during OOM testing. I'm not doing that right now though since I'm too busy with other stuff :/
Group: core-security
Keywords: testcase-wanted
You need to log in before you can comment on or make changes to this bug.