Closed
Bug 887499
Opened 11 years ago
Closed 11 years ago
Crash after GC makes HTMLOptionsCollection outlive its HTMLSelectElement
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: jruderman, Assigned: Ms2ger)
Details
(Keywords: crash, testcase)
Attachments
(3 files, 3 obsolete files)
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase
Result: Crash
#5 0x00000001026454f1 in mozilla::dom::HTMLOptionsCollection::Add
359 mSelect->Add(aElement, aBefore, aError);
(gdb) p mSelect
$1 = (Cannot access memory at address 0x0
Reporter | ||
Comment 1•11 years ago
|
||
Assignee | ||
Comment 2•11 years ago
|
||
This isn't s-s, I think; the select nulls out the collection's pointer. We just need to make it a strong CC'd reference. I can do that later.
Reporter | ||
Updated•11 years ago
|
Group: core-security
Assignee | ||
Comment 3•11 years ago
|
||
Comment 4•11 years ago
|
||
Comment on attachment 768832 [details] [diff] [review]
Patch v1
Technically there should be a null check in HTMLOptionsCollection::Add, but in practice we should be safe even without it.
Attachment #768832 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 5•11 years ago
|
||
Turns out that v1 crashed all over:
https://tbpl.mozilla.org/?tree=Try&rev=4b94243819a7
Attachment #768832 -
Attachment is obsolete: true
Attachment #769641 -
Flags: review?(bugs)
Comment 6•11 years ago
|
||
Comment on attachment 769641 [details] [diff] [review]
Patch v2
Sounds like we should null check mOptions somewhere, not leave it out from unlink.
Attachment #769641 -
Flags: review?(bugs) → review-
Assignee | ||
Comment 7•11 years ago
|
||
This looks better.
Attachment #769641 -
Attachment is obsolete: true
Attachment #770120 -
Flags: review?(bugs)
Comment 8•11 years ago
|
||
Comment on attachment 770120 [details] [diff] [review]
Patch v3
mOptions handling is just assuming it is not null. So, I think we just need to add null checks to optionscollection. Sorry about not realizing that before.
Attachment #770120 -
Flags: review?(bugs) → review-
Assignee | ||
Updated•11 years ago
|
Assignee: Ms2ger → nobody
Assignee | ||
Comment 9•11 years ago
|
||
Assignee: nobody → Ms2ger
Attachment #770120 -
Attachment is obsolete: true
Attachment #788642 -
Flags: review?(bugs)
Updated•11 years ago
|
Attachment #788642 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 10•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•