Bug 761507 - Crash with adoptNode, requiredExtensions
Status: VERIFIED FIXED
Whiteboard: [advisory-tracking-]
Keywords: crash, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: SVG
Version: Trunk
Platform: All / OS: All
Importance: -- critical
Target Milestone: mozilla16
Assigned To: Robert Longson
Duplicates: 761499
Blocks: 754592 CVE-2012-3970 761021 761499
Reported: 2012-06-04 22:39 PDT by Jesse Ruderman
Modified: 2012-09-23 15:48 PDT
Flags: longsonr: in-testsuite+
Attachments
testcase (crashes Firefox when loaded) (403 bytes, image/svg+xml) - 2012-06-04 22:39 PDT, Jesse Ruderman - no flags
stack trace (11.11 KB, text/plain) - 2012-06-04 22:39 PDT, Jesse Ruderman - no flags
patch (4.56 KB, patch) - 2012-06-05 10:24 PDT, Robert Longson - dholbert: review+, akeybl: approval-mozilla-aurora+

Description Jesse Ruderman 2012-06-04 22:39:04 PDT
Created attachment 630075
testcase (crashes Firefox when loaded)

Might be related to bug 761499, whose testcase is a subset of this one.
Comment 1 Jesse Ruderman 2012-06-04 22:39:40 PDT
Created attachment 630076
stack trace
Comment 2 Robert Longson 2012-06-05 10:24:10 PDT
Created attachment 630218
patch
Comment 3 Daniel Holbert [:dholbert] 2012-06-05 14:07:48 PDT
Comment on attachment 630218
patch

Cool -- so this keeps these attributes' values (stored in the node's property-table) alive when we move their nodes between documents.

Looks like none of these values have document pointers or node pointers or anything like that, so this looks fine.

r=me.
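A simplified C++ model of the ownership problem behind this fix, added here as an illustration; it is not Gecko's code or the patch itself, and all names in it are hypothetical. It shows why an attribute value kept in the owner document's property table is lost when adoptNode only re-parents the node, and how transferring the table entry with the node keeps it alive:

```cpp
// Simplified model added as an illustration; not Gecko's code, names are
// hypothetical. An SVG element keeps its parsed requiredExtensions value (an
// SVGStringList) in the owner document's property table. The stack in comment 7
// shows nsAttrValue::ToString reading a freed SVGStringList after adoptNode();
// the fix in comment 3 moves such table entries along with the node.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Node;
using StringList = std::vector<std::string>;
// Per-document property table: node -> owned attribute value.
struct Document { std::map<const Node*, std::unique_ptr<StringList>> props; };
struct Node {
    Document* owner = nullptr;
    void setRequiredExtensions(StringList v) {
        owner->props[this] = std::make_unique<StringList>(std::move(v));
    }
    // Returns nullptr when the owner's table has no entry. Gecko instead held
    // a raw pointer and dereferenced freed memory, hence the crash.
    const StringList* requiredExtensions() const {
        auto it = owner->props.find(this);
        return it == owner->props.end() ? nullptr : it->second.get();
    }
};
// Unfixed adoption: only re-parents the node; the value stays in the old table.
void adoptNodeUnfixed(Node& n, Document& to) { n.owner = &to; }

// Fixed adoption: transfer the node's entries so the new document owns them.
void adoptNodeFixed(Node& n, Document& to) {
    auto it = n.owner->props.find(&n);
    if (it != n.owner->props.end()) {
        to.props[&n] = std::move(it->second);
        n.owner->props.erase(it);
    }
    n.owner = &to;
}
// Create the element in document A, adopt it into B, then let A go away.
// Returns true if the attribute value is still readable afterwards.
bool valueSurvivesAdoption(bool useFix) {
    Document b; Node n;
    {
        Document a; n.owner = &a;
        n.setRequiredExtensions({"http://example.org/ext"});  // constructed value
        if (useFix) adoptNodeFixed(n, b); else adoptNodeUnfixed(n, b);
    }  // A is destroyed here; unfixed, it frees the value with it
    const StringList* v = n.requiredExtensions();
    return v && v->size() == 1;
}
```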
Comment 5 Robert Longson 2012-06-06 01:17:49 PDT
Comment on attachment 630218
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch:
Comment 6 Robert Longson 2012-06-06 01:22:38 PDT
Comment on attachment 630218
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 754592
User impact if declined: crashes when using svg elements together with adoptNode
Testing completed (on m-c, etc.): landing with reftest
Risk to taking this patch (and alternatives if risky): low risk as the code paths are already exercised elsewhere. Could back out bug 754592 as an alternative.
String or UUID changes made by this patch: none
Comment 7 Bob Clary [:bc:] 2012-06-06 12:11:13 PDT
Crash automation hit this testcase on Aurora, Nightly with:

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 192 + 0x5]
    eip = 0x683aa89c   esp = 0x0025b6b8   ebp = 0x0025b6bc   ebx = 0x00000001
    esi = 0x00000000   edi = 0x03f300f8   eax = 0x05b148b8   ecx = 0xdddddddd
    edx = 0x00000001   efl = 0x00010202

nsTArray_base<nsTArrayDefaultAllocator>::Length() | mozilla::SVGStringList::GetValue(nsAString_internal&) mozilla::SVGAttrValueWrapper::ToString(mozilla::SVGStringList const*, nsAString_internal&) nsAttrValue::ToString(nsAString_internal&) nsGenericElement::GetAttr(int, nsIAtom*, nsAString_internal&) nsGenericElement::GetAttribute(nsAString_internal const&, nsAString_internal&)

A couple of the crashes showed ABORT: Tear-off objects remain in hashtable at shutdown.: 'mTable.Count() == 0'
Comment 8 Daniel Holbert [:dholbert] 2012-06-06 12:28:10 PDT
See also bug 760996, an ASAN bug that might be a dupe of this (or at least might be fixed by this).
Comment 9 Ed Morley [:emorley] 2012-06-07 05:55:31 PDT
https://hg.mozilla.org/mozilla-central/rev/ec7c7be7c70d
Comment 10 Daniel Holbert [:dholbert] 2012-06-07 10:22:43 PDT
*** Bug 760996 has been marked as a duplicate of this bug. ***
Comment 11 Daniel Holbert [:dholbert] 2012-06-07 11:29:18 PDT
*** Bug 761499 has been marked as a duplicate of this bug. ***
Comment 12 Al Billings [:abillings] 2012-06-08 16:14:40 PDT
Verified with testcase. 6/6 Trunk build crashes and 6/7 nightly trunk does not.
Comment 13 Alex Keybl [:akeybl] 2012-06-11 12:50:21 PDT
Comment on attachment 630218
patch

[Triage Comment]
Early enough in the cycle to take a forward regression fix here. Approved for Aurora 15.
Comment 14 Robert Longson 2012-06-11 12:51:27 PDT
Daniel, can you land this on Aurora for me please?
Comment 15 Daniel Holbert [:dholbert] 2012-06-11 12:57:47 PDT
Sure.
Comment 16 Daniel Holbert [:dholbert] 2012-06-11 13:01:22 PDT
Pushed to aurora:
  https://hg.mozilla.org/releases/mozilla-aurora/rev/3f11ba211a4b