Crash with adoptNode, requiredExtensions

VERIFIED FIXED in Firefox 15

Status

Product: Core
Component: SVG
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: Jesse Ruderman, Assigned: Robert Longson)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla16
Keywords: crash, regression, sec-critical, testcase
Points: ---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox14 unaffected, firefox15+ fixed, firefox16+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [advisory-tracking-], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 630075 [details]
testcase (crashes Firefox when loaded)

Might be related to bug 761499, whose testcase is a subset of this one.
(Reporter)

Comment 1

5 years ago
Created attachment 630076 [details]
stack trace
(Assignee)

Comment 2

5 years ago
Created attachment 630218 [details] [diff] [review]
patch
Assignee: nobody → longsonr
Attachment #630218 - Flags: review?(dholbert)
(Assignee)

Updated

5 years ago
Blocks: 761499
Comment on attachment 630218 [details] [diff] [review]
patch

Cool -- so this keeps these attributes' values (stored in the node's property-table) alive when we move their nodes between documents.

Looks like none of these values have document pointers or node pointers or anything like that, so this looks fine.

r=me.
Attachment #630218 - Flags: review?(dholbert) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec7c7be7c70d
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla16
(Assignee)

Updated

5 years ago
status-firefox15: --- → affected
tracking-firefox15: --- → ?
(Assignee)

Comment 5

5 years ago
Comment on attachment 630218 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch:
Attachment #630218 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

5 years ago
Blocks: 754592
Keywords: regression
(Assignee)

Updated

5 years ago
Attachment #630218 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 6

5 years ago
Comment on attachment 630218 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #):754592 
User impact if declined: crashes when using svg elements together with adoptNode
Testing completed (on m-c, etc.): landing with reftest
Risk to taking this patch (and alternatives if risky): low risk as the code paths are already exercised elsewhere. Could back out bug 754592 as an alternative.
String or UUID changes made by this patch: none
Attachment #630218 - Flags: approval-mozilla-aurora?

Comment 7

5 years ago
crash automation hit this testcase on Aurora, Nightly with

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 192 + 0x5]
    eip = 0x683aa89c   esp = 0x0025b6b8   ebp = 0x0025b6bc   ebx = 0x00000001
    esi = 0x00000000   edi = 0x03f300f8   eax = 0x05b148b8   ecx = 0xdddddddd
    edx = 0x00000001   efl = 0x00010202

Crash signature:
  nsTArray_base<nsTArrayDefaultAllocator>::Length()
  mozilla::SVGStringList::GetValue(nsAString_internal&)
  mozilla::SVGAttrValueWrapper::ToString(mozilla::SVGStringList const*, nsAString_internal&)
  nsAttrValue::ToString(nsAString_internal&)
  nsGenericElement::GetAttr(int, nsIAtom*, nsAString_internal&)
  nsGenericElement::GetAttribute(nsAString_internal const&, nsAString_internal&)

A couple of the crashes showed ABORT: Tear-off objects remain in hashtable at shutdown.: 'mTable.Count() == 0'
Group: core-security
Keywords: sec-critical
See also bug 760996, an ASAN bug that might be a dupe of this (or at least might be fixed by this).
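The review in comment 3 and the crash in comment 7 describe the same defect from two sides: the parsed value of an attribute such as requiredExtensions lives out-of-line in the owning document's property table, the element's attribute slot only points at it, and adoptNode() moved the element without carrying the table entry along, so the later GetAttribute() read through a dangling pointer. The model below is an added illustration written for this page, not Gecko code and not the patch on this bug; the names Document, Element, AdoptNodeBuggy, AdoptNodeFixed and the sample extension URIs are hypothetical, and weak_ptr stands in for the raw pointer so the dangling case can be detected rather than dereferenced.

```cpp
// Added illustration, not Gecko code: a minimal model of why adoptNode() broke
// out-of-line SVG attribute values such as requiredExtensions.
// Hypothetical names throughout. Build: g++ -std=c++17 adopt_model.cpp
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Stand-in for mozilla::SVGStringList: the parsed list of URIs.
struct SVGStringList {
    std::vector<std::string> items;
    std::string GetValue() const {
        std::string out;
        for (size_t i = 0; i < items.size(); ++i) {
            if (i) out += ' ';
            out += items[i];
        }
        return out;
    }
};

struct Element;

// Per-document property table: the document, not the element, owns the value.
struct Document {
    std::map<std::pair<const Element*, std::string>,
             std::shared_ptr<SVGStringList>> propertyTable;
};

struct Element {
    Document* ownerDoc = nullptr;
    // The attribute slot only observes the table-owned value. In the real code
    // this is a raw pointer held by nsAttrValue; weak_ptr lets the model report
    // the dangling case instead of reading freed memory.
    std::map<std::string, std::weak_ptr<SVGStringList>> attrs;

    void SetStringListAttr(const std::string& name, std::vector<std::string> items) {
        auto value = std::make_shared<SVGStringList>(SVGStringList{std::move(items)});
        ownerDoc->propertyTable[{this, name}] = value;  // table holds the only strong reference
        attrs[name] = value;
    }

    // Mirrors the crashing path GetAttribute -> GetAttr -> nsAttrValue::ToString
    // -> SVGStringList::GetValue from comment 7.
    std::optional<std::string> GetAttr(const std::string& name) const {
        auto it = attrs.find(name);
        if (it == attrs.end()) return std::nullopt;
        std::shared_ptr<SVGStringList> live = it->second.lock();
        if (!live) return std::nullopt;  // the real code would read freed memory here
        return live->GetValue();
    }
};

// Buggy adopt: drop the element's entries from the old document, carry nothing over.
void AdoptNodeBuggy(Document& into, Element& el) {
    Document& from = *el.ownerDoc;
    for (auto it = from.propertyTable.begin(); it != from.propertyTable.end();) {
        if (it->first.first == &el) it = from.propertyTable.erase(it);
        else ++it;
    }
    el.ownerDoc = &into;
}

// Fixed adopt: move each entry into the adopting document's table so the value stays alive.
void AdoptNodeFixed(Document& into, Element& el) {
    Document& from = *el.ownerDoc;
    for (auto it = from.propertyTable.begin(); it != from.propertyTable.end();) {
        if (it->first.first == &el) {
            into.propertyTable[it->first] = std::move(it->second);
            it = from.propertyTable.erase(it);
        } else {
            ++it;
        }
    }
    el.ownerDoc = &into;
}

// Runs the same scenario through both paths; returns {buggy result, fixed result}.
std::pair<std::optional<std::string>, std::optional<std::string>> RunScenario() {
    // Constructed sample values, not from the bug's testcase.
    const std::vector<std::string> exts = {"http://example.org/ext-a", "http://example.org/ext-b"};

    Document a, b;
    Element e1; e1.ownerDoc = &a;
    e1.SetStringListAttr("requiredExtensions", exts);
    AdoptNodeBuggy(b, e1);
    auto buggy = e1.GetAttr("requiredExtensions");  // value freed with a's table entry

    Document c, d;
    Element e2; e2.ownerDoc = &c;
    e2.SetStringListAttr("requiredExtensions", exts);
    AdoptNodeFixed(d, e2);
    auto fixed = e2.GetAttr("requiredExtensions");  // entry now owned by d, still readable
    return {buggy, fixed};
}
```

The model only shows the ownership rule the review comment states: any value kept in a per-document side table must be transferred when its node changes documents, or every cached pointer to it dangles. The in-testsuite reftest landed with the patch exercises the same shape at the DOM level, which the title and the GetAttribute frame suggest is: set requiredExtensions on an SVG element, adoptNode() it into another document, then read the attribute back.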

Comment 9

5 years ago
https://hg.mozilla.org/mozilla-central/rev/ec7c7be7c70d
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Duplicate of this bug: 760996
Duplicate of this bug: 761499
Verified with testcase. 6/6 Trunk build crashes and 6/7 nightly trunk does not.
Status: RESOLVED → VERIFIED
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
tracking-firefox15: ? → +
tracking-firefox16: --- → +
Blocks: 760996
Comment on attachment 630218 [details] [diff] [review]
patch

[Triage Comment]
Early enough in the cycle to take a forward regression fix here. Approved for Aurora 15.
Attachment #630218 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 14

5 years ago
Daniel, can you land this on Aurora for me please?
Sure.
Pushed to aurora:
  https://hg.mozilla.org/releases/mozilla-aurora/rev/3f11ba211a4b
status-firefox15: affected → fixed
Whiteboard: [advisory-tracking-]
Group: core-security