Bug 893537 - Crash when removing srcdoc attribute from iframe
Status: CLOSED, RESOLVED FIXED (opened 11 years ago, closed 11 years ago)
Categories: Core :: DOM: Core & HTML, defect
Target Milestone: mozilla25
People: Reporter: jkitch, Assigned: jkitch
Keywords: crash
Attachments (2 files, 1 obsolete file):
  - 269 bytes, text/html
  - 3.17 KB, patch; bzbarsky: review+
There appears to be a crash related to removing the srcdoc attribute from an iframe.
Steps to reproduce:
1. Compile/run a debug build of Nightly.
2. Load the attached testcase.
3. Reload the page.
Result:
Null-deref crash in content/base/src/nsContentUtils:6111
> if (aForceOwner) {
>   nsAutoCString uriStr;
>   aURI->GetSpec(uriStr);
>   if (!uriStr.EqualsLiteral("about:srcdoc")) {
>     nsCOMPtr<nsIURI> ownerURI;
>     nsresult rv = aLoadingPrincipal->GetURI(getter_AddRefs(ownerURI)); // offending line
>     MOZ_ASSERT(NS_SUCCEEDED(rv) && SchemeIs(ownerURI, NS_NULLPRINCIPAL_SCHEME));
>   }
> }
Updated (Assignee), 11 years ago:
Assignee: nobody → jkitch.bug

Comment 2 (Assignee), 11 years ago:
I've identified the cause. nsSHEntry instances are reused when the nsIWebNavigation::LOAD_FLAGS_REPLACE_HISTORY flag is set. Before this patch, mIsSrcdocEntry wasn't touched by the Create() function, so the previous srcdoc status is inherited by the new entry, causing it to be wrongly flagged as a srcdoc entry. Because the URI is correctly updated to the new URI, the exception to deal with srcdoc entries in nsContentUtils::SetUpChannelOwner() isn't triggered, resulting in the crash.

The attached patch resets mIsSrcdocEntry whenever the nsSHEntry instance is reused.

Regarding the original testcase: the testcase needs to be run from a local disk, as https/the mixed content blocker appears to be affecting the outcome. The browser must also be a debug build. (It may also need Windows; I haven't tried other platforms.)

Attachment #776312 - Flags: review?(bzbarsky)
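As an added illustration of the cause described in comment 2 (example code, not Gecko's or the attached patch): a minimal C++ model in which a session-history entry reused on reload keeps its stale mIsSrcdocEntry flag, placed beside the reset the patch introduces. SHEntry, ClassifyOwnerPath(), ReloadAfterSrcdocRemoval() and the example URL are stand-ins; only the flag and load-flag names come from the report.

```cpp
// Added example, not Gecko code: a simplified model of the stale mIsSrcdocEntry
// flag described in comment 2. SHEntry, ReloadAfterSrcdocRemoval() and the
// OwnerPath classification are stand-ins; only the flag names come from the report.
#include <iostream>
#include <string>

struct SHEntry {
    std::string mURI;
    bool mIsSrcdocEntry = false;
    // Pre-patch Create(): sets the URI but never touches mIsSrcdocEntry, so an
    // entry reused under LOAD_FLAGS_REPLACE_HISTORY keeps the old srcdoc status.
    void CreateBuggy(const std::string& uri) { mURI = uri; }
    // Patched Create(): the flag is reset every time the entry is (re)used.
    void CreateFixed(const std::string& uri) { mURI = uri; mIsSrcdocEntry = false; }
};

// The branch the SetUpChannelOwner() check would take for this entry.
enum class OwnerPath {
    Normal,           // not a srcdoc entry: forced-owner path not taken
    SrcdocExempt,     // srcdoc entry whose URI is about:srcdoc: check skipped
    ForcedOwnerDeref  // flagged srcdoc but a real URI: the report's crashing line
};

OwnerPath ClassifyOwnerPath(const SHEntry& e) {
    if (!e.mIsSrcdocEntry) return OwnerPath::Normal;
    if (e.mURI == "about:srcdoc") return OwnerPath::SrcdocExempt;
    return OwnerPath::ForcedOwnerDeref;
}

// Constructed scenario: a srcdoc iframe is loaded, the srcdoc attribute is
// removed, and the page is reloaded with LOAD_FLAGS_REPLACE_HISTORY, so the
// same SHEntry is reused for a regular (hypothetical) URL.
OwnerPath ReloadAfterSrcdocRemoval(bool patched) {
    SHEntry entry;
    const std::string kSrcdoc = "about:srcdoc";
    const std::string kReal = "http://example.test/frame.html";
    if (patched) entry.CreateFixed(kSrcdoc); else entry.CreateBuggy(kSrcdoc);
    entry.mIsSrcdocEntry = true;   // the first load really is a srcdoc load
    if (patched) entry.CreateFixed(kReal); else entry.CreateBuggy(kReal);
    return ClassifyOwnerPath(entry);   // patched: Normal; pre-patch: ForcedOwnerDeref
}

int main() {
    bool buggyCrashes = ReloadAfterSrcdocRemoval(false) == OwnerPath::ForcedOwnerDeref;
    bool fixedCrashes = ReloadAfterSrcdocRemoval(true) == OwnerPath::ForcedOwnerDeref;
    std::cout << "pre-patch: " << buggyCrashes << " patched: " << fixedCrashes << '\n';
}
```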
Comment 3 (Assignee), 11 years ago:
Removed some commented-out legacy test code.
Attachment #776312 - Attachment is obsolete: true
Attachment #776312 - Flags: review?(bzbarsky)
Attachment #776318 - Flags: review?(bzbarsky)
Comment 4, 11 years ago:
Comment on attachment 776318 [details] [diff] [review] (fix + test): r=me
Attachment #776318 - Flags: review?(bzbarsky) → review+
Updated, 11 years ago:
Keywords: checkin-needed
Comment 5, 11 years ago:
https://hg.mozilla.org/integration/mozilla-inbound/rev/964be82efbf3
Flags: in-testsuite+
Keywords: checkin-needed
Comment 6, 11 years ago:
https://hg.mozilla.org/mozilla-central/rev/964be82efbf3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated, 11 years ago:
tracking-firefox25: ? → ---