Closed Bug 887499 Opened 11 years ago Closed 11 years ago

Crash after GC makes HTMLOptionsCollection outlive its HTMLSelectElement

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla26

People

(Reporter: jruderman, Assigned: Ms2ger)

Details

(Keywords: crash, testcase)

Attachments

(3 files, 3 obsolete files)

Attached file testcase
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi 2. Load the testcase Result: Crash #5 0x00000001026454f1 in mozilla::dom::HTMLOptionsCollection::Add 359 mSelect->Add(aElement, aBefore, aError); (gdb) p mSelect $1 = (Cannot access memory at address 0x0
Attached file stack
This isn't s-s, I think; the select nulls out the collection's pointer. We just need to make it a strong CC'd reference. I can do that later.
Group: core-security
Attached patch Patch v1 (obsolete) — Splinter Review
Assignee: nobody → Ms2ger
Status: NEW → ASSIGNED
Attachment #768832 - Flags: review?(bugs)
Comment on attachment 768832 [details] [diff] [review] Patch v1 Technically there should be a null check in HTMLOptionsCollection::Add, but in practice we should be safe even without it.
Attachment #768832 - Flags: review?(bugs) → review+
Attached patch Patch v2 (obsolete) — Splinter Review
Turns out that v1 crashed all over: https://tbpl.mozilla.org/?tree=Try&rev=4b94243819a7
Attachment #768832 - Attachment is obsolete: true
Attachment #769641 - Flags: review?(bugs)
Comment on attachment 769641 [details] [diff] [review] Patch v2 Sounds like we should null check mOptions somewhere, not leave it out from unlink.
Attachment #769641 - Flags: review?(bugs) → review-
Attached patch Patch v3 (obsolete) — Splinter Review
This looks better.
Attachment #769641 - Attachment is obsolete: true
Attachment #770120 - Flags: review?(bugs)
Comment on attachment 770120 [details] [diff] [review] Patch v3 mOptions handling is just assuming it is not null. So, I think we just need to add null checks to optionscollection. Sorry about not realizing that before.
Attachment #770120 - Flags: review?(bugs) → review-
Assignee: Ms2ger → nobody
Attached patch Patch v4Splinter Review
Assignee: nobody → Ms2ger
Attachment #770120 - Attachment is obsolete: true
Attachment #788642 - Flags: review?(bugs)
Attachment #788642 - Flags: review?(bugs) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: