Closed Bug 763626 Opened 13 years ago Closed 13 years ago

Crash [@ nsDOMTokenList::ToString] with itemRef, GC

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla16
Tracking Status
firefox15 --- unaffected
firefox16 + fixed
firefox-esr10 --- unaffected

People

(Reporter: jruderman, Assigned: dzbarsky)

References

Details

(4 keywords, Whiteboard: [advisory-tracking-])

Attachments

(3 files, 1 obsolete file)

1. Set user_pref("dom.new_bindings", false);
2. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
3. Load the testcase.
Result: Crash [@ nsDOMTokenList::ToString]
Attached file stack trace
That's really odd. Why do the bindings matter? In any case, the key part is that the element went away and didn't null itself out on the domtokenlist. nsDOMSettableTokenListPropertyDestructor should null out the mElement on the list, I bet.
Ah, yeah, should DropReference().
I'll write a patch in a little bit.
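The failure mode the two comments above describe is a non-owning back pointer (mElement on the token list) that is left dangling when the owning element is destroyed while script still holds the list. The following is an added, simplified illustration of that ownership pattern and of the DropReference() fix; it is not the bug's actual patch or Gecko code, and the class names Element and TokenList, the HasElement() accessor and the two scenario functions are stand-ins chosen for this example.

```cpp
#include <memory>
#include <string>
#include <utility>

class Element;

// Stand-in for nsDOMSettableTokenList: it reflects an attribute of an element
// it does not own, so it holds only a raw back pointer.
class TokenList {
public:
  explicit TokenList(Element* aElement) : mElement(aElement) {}
  // Called by the owning element's destructor (the role of
  // nsDOMSettableTokenListPropertyDestructor in the bug) so that a list kept
  // alive by script never dereferences freed memory.
  void DropReference() { mElement = nullptr; }
  bool HasElement() const { return mElement != nullptr; }
  std::string ToString() const;
private:
  Element* mElement;  // non-owning; nulled by DropReference()
};

// Stand-in for the element: it owns the list as a property, but the list can
// outlive it because a script wrapper may hold another reference.
class Element {
public:
  explicit Element(std::string aClassAttr) : mClassAttr(std::move(aClassAttr)) {}
  std::shared_ptr<TokenList> GetTokenList() {
    if (!mList) {
      mList = std::make_shared<TokenList>(this);
    }
    return mList;
  }
  const std::string& ClassAttr() const { return mClassAttr; }
  ~Element() {
    // The fix: clear the back pointer before the element's memory goes away.
    // Without this line the list still points at the destroyed element and
    // ToString() would read freed memory, which is the crash in the report.
    if (mList) {
      mList->DropReference();
    }
  }
private:
  std::string mClassAttr;
  std::shared_ptr<TokenList> mList;
};

std::string TokenList::ToString() const {
  // A list whose element is gone serializes to the empty string instead of
  // touching the dead element.
  if (!mElement) {
    return std::string();
  }
  return mElement->ClassAttr();
}

// Normal case: the element is alive while the list is used.
std::string WhileElementAlive() {
  Element el("a b c");
  return el.GetTokenList()->ToString();
}

// Bug scenario: script-held list outlives its element (the GC in the title
// frees the element first). With DropReference() this is safe.
std::string AfterElementGone() {
  std::shared_ptr<TokenList> held;
  {
    auto el = std::make_unique<Element>("a b c");
    held = el->GetTokenList();
  }  // element destroyed here; its destructor nulls the list's back pointer
  return held->ToString();
}

bool ListStillHasElementAfterGone() {
  std::shared_ptr<TokenList> held;
  {
    Element el("x");
    held = el.GetTokenList();
  }
  return held->HasElement();
}
```

The second patch in this bug made the element keep the list alive as well, so in the final code the list cannot be null from the element's side; the example above only shows the half of the relationship that produced the crash, the list surviving its element.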
Attached patch Patch (obsolete) — Splinter Review
Is there a way to convert that testcase to a crashtest?
Assignee: nobody → dzbarsky
Status: NEW → ASSIGNED
Attachment #632026 - Flags: review?(bzbarsky)
Comment on attachment 632026 [details] [diff] [review] Patch r=me, though can list really be null here? As far as tests.. you should be able to make a mochitest out of it.
Attachment #632026 - Flags: review?(bzbarsky) → review+
Attached patch Patch with test - Splinter Review
You're right, the Element should keep the nsDOMSettableTokenList alive
Attachment #632026 - Attachment is obsolete: true
Attachment #632042 - Flags: review?(bzbarsky)
Comment on attachment 632042 [details] [diff] [review] Patch with test r=me
Attachment #632042 - Flags: review?(bzbarsky) → review+
Flags: in-testsuite+
Target Milestone: --- → mozilla16
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
From the blocking bug 591467 notation I'm assuming you mean this is a regression from that feature, and I've therefore marked previous releases as "unaffected". If this is incorrect and we need this security fix on those branches please update the status(es) to "affected".
Not tracking this for advisories since 15 and earlier are unaffected.
Whiteboard: [advisory-tracking-]
Group: core-security
Component: DOM → DOM: Core & HTML