Ubuntu
firefox package

MASTER firefox crashed [@ nsAttrAndChildArray::Clear] [@ ~nsAttrAndChildArray]

Bug #72919 reported by coder2000
12
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Fix Released
Critical
firefox (Ubuntu)
Fix Released
High
Mozilla Bugs

Bug Description

DistroRelease: Ubuntu 6.10
Package: firefox 2.0+0dfsg-0ubuntu3

Good stacktrace

I have no idea if this is a similar bug to others or not but when I visit some sites firefox just quits. The current stacktrace indicates something with the javascript.

Extract from retraced stacktrace:
...
 #3 <signal handler called>
 #4 nsAttrAndChildArray::Clear (this=0xb60c79c)
 #5 ~nsAttrAndChildArray (this=0xb60c79c)
 #6 ~nsGenericElement (this=0xb60c788)
 #7 ~nsHTMLImageElement (this=0xb60c788)
 #8 nsGenericElement::Release (this=0xb35a998)
 #9 nsHTMLImageElement::Release (this=0xb60c788)
 #10 ReleaseObjects (aElement=0xb35a998) at nsCOMArray.cpp:152
 #11 nsVoidArray::EnumerateForwards (this=0xb6dee08,
 #12 nsCOMArray_base::Clear (this=0xb6dee08)
 #13 nsBaseContentList::Reset (this=0xb6dee00)
...

See original description
Revision history for this message
In , georgi (guninski) wrote :

Created attachment 217404
crash

Revision history for this message
In , georgi (guninski) wrote :

stack

#0 0x0000000000865fb8 in ?? ()
#1 0x00002aaab0e8e6ad in nsAttrAndChildArray::Clear (this=0x1330ad0)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsAttrAndChildArray.cpp:647
#2 0x00002aaab0e8e713 in ~nsAttrAndChildArray (this=0x1330ad0)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsAttrAndChildArray.cpp:133
#3 0x00002aaab0ef3ba0 in ~nsGenericElement (this=0x1330aa0)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsGenericElement.cpp:870
#4 0x00002aaab0f72827 in nsGenericHTMLElement::~nsGenericHTMLElement$base ()
    at ../../../../dist/include/dom/nsIDOMElement.h:24
#5 0x00002aaab0f81c10 in ~nsHTMLBodyElement (this=0x1330aa0)
    at /opt/joro/suite-cvs/mozilla/content/html/content/src/nsHTMLBodyElement.cpp:294
#6 0x00002aaab0eed76d in nsGenericElement::Release (this=0x1330aa0)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsGenericElement.cpp:3141
#7 0x00002aaab0f81c6f in nsHTMLBodyElement::Release (this=0x1330aa0)
    at /opt/joro/suite-cvs/mozilla/content/html/content/src/nsHTMLBodyElement.cpp:298
#8 0x00002aaab0e8e6c1 in nsAttrAndChildArray::Clear (this=0x1316f90)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsAttrAndChildArray.cpp:648
#9 0x00002aaab0e8e713 in ~nsAttrAndChildArray (this=0x1316f90)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsAttrAndChildArray.cpp:133
#10 0x00002aaab0ef3ba0 in ~nsGenericElement (this=0x1316f60)
    at /opt/joro/suite-cvs/mozilla/content/base/src/nsGenericElement.cpp:870

Revision history for this message
In , Jruderman (jruderman) wrote :

Crashes with a scary stack trace on Mac too. Top of the stack:

Thread 0 Crashed:
0 <<00000000>> 0xc0000000 0 + -1073741824
1 org.mozilla.firefox 0x005693a8 nsAttrAndChildArray::~nsAttrAndChildArray [unified]() + 36

Revision history for this message
In , georgi (guninski) wrote :

sure, the seamonkey stack is scary on linux

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

sicking, any idea what could be up here? We're running the JS from under BindToTree, sadly, but we should be handling this particular setup right, I'd think....

roc, we should try to figure out how to plug this case into your new setup. :(

Revision history for this message
In , L. David Baron (dbaron) wrote :

mrbkap has a patch

Revision history for this message
In , L. David Baron (dbaron) wrote :

The problem was an extra release in the content sink caused by SinkContext::OpenContainer incrementing mStackPos much later than where it stuck things on the stack -- the parent.document.write in the iframe appends to the parent between those two points (inside the AppendChildTo call), which messes up the sink context's stack.

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Created attachment 217628
Fix

This fixes the problem, as dbaron said.

Revision history for this message
In , Jst (jst) wrote :

Comment on attachment 217628
Fix

r=jst

Revision history for this message
In , L. David Baron (dbaron) wrote :

I have to say, it would be nice if...

  if (mStackPos <= 0) {
    NS_ERROR("container w/o parent");

    return NS_ERROR_FAILURE;
  }

... were at the beginning of the function, before we potentially create and leak a node.

It would also be nice if the ++mStackPos were really *right* next to the code where we fill in mStack[mStackPos]. (I don't care whether the latter moves up or the former moves down, but it might matter.)

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Created attachment 217630
With that change

I'm convinced.

Revision history for this message
In , Jst (jst) wrote :

Comment on attachment 217630
With that change

Yeah, looks better.

Revision history for this message
In , Jonas-sicking (jonas-sicking) wrote :

Comment on attachment 217630
With that change

> nsresult rv;
> if (mStackPos + 1 > mStackSize) {
> rv = GrowStack();
> if (NS_FAILED(rv)) {
> return rv;
> }
> }
>
>+ if (mStackPos <= 0) {
>+ NS_ERROR("container w/o parent");
>+
>+ return NS_ERROR_FAILURE;
>+ }

But switch these two checks around.

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Comment on attachment 217630
With that change

jst reviewed this.

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Fix checked into trunk.

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Comment on attachment 217630
With that change

This fixes a use of free'd memory.

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

Comment on attachment 217630
With that change

Taking some liberties here... ;)

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Fix checked into the 1.8 branch.

Revision history for this message
In , georgi (guninski) wrote :

seems fixed in today trunk.

but a very similar abuse from xbl:
Bug 332807
xul iframe doing parent.document.open() - open this
https://bugzilla.mozilla.org/attachment.cgi?id=217441

still works.

Revision history for this message
In , Mrbkap (mrbkap) wrote :

(In reply to comment #19)
> but a very similar abuse from xbl:

This was a bug in the HTML content sink code, and the fix was also in the HTML content sink code. Therefore, abuses from XBL would be unaffected by such a fix :-(.

Revision history for this message
In , Dveditz (dveditz) wrote :

Comment on attachment 217630
With that change

approved for 1.8.0 branch, a=dveditz for drivers

Revision history for this message
In , Mrbkap (mrbkap) wrote :

Checked into the 1.8.0 branch.

Revision history for this message
In , Twalker (twalker) wrote :

verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060504 Firefox/1.5.0.4

Revision history for this message
coder2000 (coder2000) wrote : Javascript crash

I have no idea if this is a similar bug to others or not but when I visit some sites firefox just quits. The current stacktrace indicates something with the javascript.

Revision history for this message
coder2000 (coder2000) wrote :
David Farning (dfarning)
description: updated
Changed in firefox:
status: Unconfirmed → Confirmed
David Farning (dfarning)
Changed in firefox:
assignee: nobody → mozillateam
importance: Undecided → Medium
David Farning (dfarning)
Changed in firefox:
assignee: mozillateam → mozilla-bugs
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Re: Crash nsAttrAndChildArray::Clear

Sorry for this late response.

Attaching symbolized stacktrace from original report. Changing Summary to MASTER

Changed in firefox:
importance: Medium → High
description: updated
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

Probably upstream's https://bugzilla.mozilla.org/show_bug.cgi?id=332971

Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Fix Released
Hilario J. Montoliu (hjmf) (hmontoliu)
Changed in firefox:
status: Confirmed → In Progress
Revision history for this message
Alexander Sack (asac) wrote :

fixed for a while in ffox 2 and ffox 3.

Changed in firefox:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
importance: Unknown → Critical
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.