Closed Bug 307839 Opened 19 years ago Closed 19 years ago

MathML/DOM crash [@ nsMathMLContainerFrame::GetType]

Categories

(Core :: MathML, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: rbs)

References

Details

(Keywords: crash, testcase, verified1.8)

Crash Data

Attachments

(3 files)

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908
Firefox/1.6a1

TB9203727M
Attached file reduced testcase (deleted) —
Assuming this crash is due to calling GetType on a deleted frame, bz thinks this
isn't an exploitable crash in opt builds, because frames are arena-allocated and
the arena isn't recycled until the page goes away.
Attached patch fix (deleted) — Splinter Review
Move the null checks inside functions. This way we can take away the early
returns in the other codes and give them a chance to continue updating the
remaining states of the frames, even when the underlying markup is invalid.
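An added illustration of the refactoring this comment describes, not code from the bug or from Gecko: per-frame helpers absorb a null frame themselves, so the caller no longer needs an early return and keeps updating the remaining frames when markup is malformed. All names here (Frame, Container, MarkEmbellished, SetScriptLevel, UpdatedWith) are hypothetical.

```cpp
#include <vector>

// Hypothetical, simplified stand-in for a MathML child frame.
struct Frame {
  bool embellished = false;
  int scriptLevel = 0;
};

// Helpers that tolerate a null frame ("null checks inside functions").
// Invalid markup can leave a child slot empty; the helper just no-ops.
static void MarkEmbellished(Frame* f) {
  if (!f) return;
  f->embellished = true;
}
static void SetScriptLevel(Frame* f, int level) {
  if (!f) return;
  f->scriptLevel = level;
}

struct Container {
  std::vector<Frame*> children;  // may hold nullptr for malformed markup

  // "Before": early return at the first missing child leaves every later
  // child with stale state. Returns how many real frames were updated.
  int UpdateEarlyReturn() {
    int updated = 0;
    for (Frame* f : children) {
      if (!f) return updated;  // stops updating the remaining frames
      MarkEmbellished(f);
      SetScriptLevel(f, 1);
      ++updated;
    }
    return updated;
  }

  // "After": the helpers absorb the null, so every remaining frame is visited.
  int UpdateContinue() {
    int updated = 0;
    for (Frame* f : children) {
      MarkEmbellished(f);
      SetScriptLevel(f, 1);
      if (f) ++updated;
    }
    return updated;
  }
};

// Constructed sample: a container whose middle child is missing.
static int UpdatedWith(bool continueOnNull) {
  Frame a, c;
  Container box;
  box.children = {&a, nullptr, &c};
  return continueOnNull ? box.UpdateContinue() : box.UpdateEarlyReturn();
}
```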
Attachment #195691 - Flags: superreview?(bzbarsky)
Attachment #195691 - Flags: review?(bzbarsky)
Attachment #195691 - Flags: superreview?(bzbarsky)
Attachment #195691 - Flags: superreview+
Attachment #195691 - Flags: review?(bzbarsky)
Attachment #195691 - Flags: review+
Attachment #195691 - Flags: approval1.8b5?
Attached file Testcase2 (deleted) —
With this testcase, I get approximately crashes with the same stacktrace:
TB9278959K TB9278831M
So this is probably also fixed with the patch.
Checked in the trunk yesterday. So today's builds now have the fix.
Status: NEW → RESOLVED
Closed: 19 years ago
OS: MacOS X → All
Hardware: Macintosh → All
Resolution: --- → FIXED
Yup, verified with 2005-09-12 build.
Status: RESOLVED → VERIFIED
Attachment #195691 - Flags: approval1.8b5? → approval1.8b5+
Checked in the 1.8 branch.
Keywords: fixed1.8
v.fixed on branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5)
Gecko/20050928 Firefox/1.4, testcases don't crash and no crashes since 9/12 in
Talkback data.
Keywords: fixed1.8 → verified1.8
Crashtests checked in.
Flags: in-testsuite+
Crash Signature: [@ nsMathMLContainerFrame::GetType]