Bug 761507: Crash with adoptNode, requiredExtensions
Status: Closed (VERIFIED FIXED)
Opened 12 years ago, Closed 12 years ago
Categories: Core :: SVG, defect
Target Milestone: mozilla16
Release | Tracking | Status |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | + | fixed |
firefox16 | + | fixed |
firefox-esr10 | --- | unaffected |
People: Reporter: jruderman, Assigned: longsonr
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [advisory-tracking-]
Attachments (3 files):
- 403 bytes, image/svg+xml
- 11.11 KB, text/plain
- 4.56 KB, patch (dholbert: review+, akeybl: approval-mozilla-aurora+)
Might be related to bug 761499, whose testcase is a subset of this one.
Comment 1 • 12 years ago (Reporter)
Comment 2 • 12 years ago (Assignee)
Assignee: nobody → longsonr
Attachment #630218 - Flags: review?(dholbert)
Comment 3 • 12 years ago
Comment on attachment 630218 (patch)
Cool -- so this keeps these attributes' values (stored in the node's property-table) alive when we move their nodes between documents. Looks like none of these values have document pointers or node pointers or anything like that, so this looks fine. r=me.
Attachment #630218 - Flags: review?(dholbert) → review+
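
A simplified model of the lifetime issue described in comment 3, added here as an illustration; it is not Gecko code and not the patch from this bug. All type and function names are hypothetical, `std::weak_ptr` stands in for the raw pointer so the dangling case is detectable, and the pre-fix behaviour (property entries dropped when the node is adopted) is an assumption inferred from that comment.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Hypothetical stand-ins; none of these are Gecko types.
using StringList = std::vector<std::string>;
struct Node;
using Key = std::pair<const Node*, std::string>;
struct Document { std::map<Key, std::shared_ptr<StringList>> props; };  // owns values
struct Node {
  Document* owner;
  // Non-owning view of the value; a dangling read is reported, not undefined.
  std::weak_ptr<StringList> requiredExtensions;
};
void SetRequiredExtensions(Node& n, StringList v) {
  auto val = std::make_shared<StringList>(std::move(v));
  n.owner->props[Key(&n, "requiredExtensions")] = val;
  n.requiredExtensions = val;
}

// transferProps=false: assumed pre-fix behaviour, entries die with the move.
// transferProps=true: entries follow the node into the new document's table.
void AdoptNode(Node& n, Document& dst, bool transferProps) {
  if (n.owner == &dst) return;
  auto& src = n.owner->props;
  for (auto it = src.begin(); it != src.end();) {
    if (it->first.first != &n) { ++it; continue; }
    if (transferProps) dst.props[it->first] = std::move(it->second);
    it = src.erase(it);
  }
  n.owner = &dst;
}

// Models getAttribute(); false marks where real code would touch freed memory.
bool GetAttr(const Node& n, std::string& out) {
  auto v = n.requiredExtensions.lock();
  if (!v) return false;
  out.clear();
  for (const auto& s : *v) out += (out.empty() ? "" : " ") + s;
  return true;
}

bool Demo(bool transferProps, std::string& out) {
  Document a, b;
  Node n{&a, {}};
  SetRequiredExtensions(n, {"ext-a", "ext-b"});  // constructed sample values
  AdoptNode(n, b, transferProps);
  return GetAttr(n, out);
}
```
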
Comment 4 • 12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec7c7be7c70d
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla16
Updated • 12 years ago (Assignee)
status-firefox15: --- → affected
tracking-firefox15: --- → ?
Comment 5 • 12 years ago (Assignee)
Comment on attachment 630218 (patch)
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined:
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky):
String or UUID changes made by this patch:
Attachment #630218 - Flags: approval-mozilla-aurora?
Updated • 12 years ago (Assignee)
Blocks: 754592
Keywords: regression
Updated • 12 years ago (Assignee)
Attachment #630218 - Flags: approval-mozilla-aurora?
Comment 6 • 12 years ago (Assignee)
Comment on attachment 630218 (patch)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 754592
User impact if declined: crashes when using svg elements together with adoptNode
Testing completed (on m-c, etc.): landing with reftest
Risk to taking this patch (and alternatives if risky): low risk as the code paths are already exercised elsewhere. Could back out bug 754592 as an alternative.
String or UUID changes made by this patch: none
Attachment #630218 - Flags: approval-mozilla-aurora?
Comment 7 • 12 years ago
crash automation hit this testcase on Aurora, Nightly with
Operating system: Windows NT 6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU
Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd
Thread 0 (crashed)
0 xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 192 + 0x5]
    eip = 0x683aa89c esp = 0x0025b6b8 ebp = 0x0025b6bc ebx = 0x00000001
    esi = 0x00000000 edi = 0x03f300f8 eax = 0x05b148b8 ecx = 0xdddddddd
    edx = 0x00000001 efl = 0x00010202
nsTArray_base<nsTArrayDefaultAllocator>::Length() | mozilla::SVGStringList::GetValue(nsAString_internal&)
mozilla::SVGAttrValueWrapper::ToString(mozilla::SVGStringList const*, nsAString_internal&)
nsAttrValue::ToString(nsAString_internal&)
nsGenericElement::GetAttr(int, nsIAtom*, nsAString_internal&)
nsGenericElement::GetAttribute(nsAString_internal const&, nsAString_internal&)
A couple of the crashes showed
ABORT: Tear-off objects remain in hashtable at shutdown.: 'mTable.Count() == 0'
Group: core-security
Keywords: sec-critical
Comment 8 • 12 years ago
See also bug 760996, an ASAN bug that might be a dupe of this (or at least might be fixed by this).
Comment 9 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/ec7c7be7c70d
Comment 12 • 12 years ago
Verified with testcase. 6/6 Trunk build crashes and 6/7 nightly trunk does not.
Status: RESOLVED → VERIFIED
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
tracking-firefox16: --- → +
Updated • 12 years ago
Blocks: CVE-2012-3970
Comment 13 • 12 years ago
Comment on attachment 630218 (patch)
[Triage Comment]
Early enough in the cycle to take a forward regression fix here. Approved for Aurora 15.
Attachment #630218 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 14 • 12 years ago (Assignee)
Daniel, can you land this on Aurora for me please?
Comment 15 • 12 years ago
Sure.
Comment 16 • 12 years ago
Pushed to aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/3f11ba211a4b
Updated • 12 years ago
Whiteboard: [advisory-tracking-]
Updated • 12 years ago
Group: core-security