Closed
Bug 322725
Opened 19 years ago
Closed 19 years ago
Restore from bfcache crashes with non-HTML <object> [@ PresShell::EnumeratePlugins] [@ StartPluginInstance]
Categories
(Core :: DOM: Navigation, defect)
Core
DOM: Navigation
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: Biesinger)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files)
(deleted),
application/xml
|
Details | |
(deleted),
application/xml
|
Details | |
(deleted),
patch
|
bryner
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060103 Firefox/1.6a1 Steps to reproduce: 1. Load a testcase. 2. Load another page in the same tab (e.g. your home page). 3. Press Back. Result: Crash. Stack from a nightly build: 0 PresShell::Freeze() + 420 1 PresShell::EnumeratePlugins(nsIDOMDocument*, nsString const&, void (*)(PresShell*, nsIContent*)) + 236 2 PresShell::Thaw() + 132 3 nsDocShell::RestoreFromHistory() + 2744 4 nsDocShell::CaptureState() + 668 5 PL_HandleEvent + 36 6 PL_ProcessPendingEvents + 128 Security-sensitive due to suspicious stack -- how does PresShell::Freeze end up on the top of the stack? PresShell::EnumeratePlugins only appears to call GetElementsByTagName and (through the callback) StartPluginInstance. In a debug build, there are two assertion failures, and the stack makes more sense: StartPluginInstance is at the top, and the rest is the same. ###!!! ASSERTION: Object nodes must implement nsIObjectLoadingContent: 'objlc', file /Users/admin/trunk/mozilla/layout/base/nsPresShell.cpp, line 6234 Break: at file /Users/admin/trunk/mozilla/layout/base/nsPresShell.cpp, line 6234 ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849 Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849 I think the problem is that EnumeratePlugins assumes that anything with the tagname "object" that QI's to nsIContent is safe to pass to its callback, but StartPluginInstance assumes that its argument can QI's to nsIObjectLoadingContent. Possible fixes: (A) Make EnumeratePlugins use GetElementsByTagNameNS, so it only sees <html:object>, not all <object> elements. (B) Make StartPluginInstance test for nsIObjectLoadingContent instead of asserting and then crashing.
Reporter | ||
Comment 1•19 years ago
|
||
Reporter | ||
Comment 2•19 years ago
|
||
Assignee | ||
Comment 3•19 years ago
|
||
>(A) Make EnumeratePlugins use GetElementsByTagNameNS, so it only sees
><html:object>, not all <object> elements.
That'll fail in HTML documents, where everything is in the null namespace.
Assignee | ||
Updated•19 years ago
|
OS: MacOS X → All
Hardware: Macintosh → All
Assignee | ||
Comment 4•19 years ago
|
||
I wish this code didn't use tag names at all and just called this for all content nodes that implement nsIObjectLoadingContent
Assignee: nobody → cbiesinger
Status: NEW → ASSIGNED
Attachment #207894 -
Flags: superreview?(bzbarsky)
Attachment #207894 -
Flags: review?
Assignee | ||
Updated•19 years ago
|
Attachment #207894 -
Flags: review? → review?(bryner)
Updated•19 years ago
|
Attachment #207894 -
Flags: review?(bryner) → review+
Comment 5•19 years ago
|
||
Comment on attachment 207894 [details] [diff] [review] patch sr=bzbarsky
Attachment #207894 -
Flags: superreview?(bzbarsky) → superreview+
Assignee | ||
Comment 6•19 years ago
|
||
fixed on trunk, not needed on branch. Checking in layout/base/nsPresShell.cpp; /cvsroot/mozilla/layout/base/nsPresShell.cpp,v <-- nsPresShell.cpp new revision: 3.890; previous revision: 3.889 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
Reporter | ||
Comment 7•19 years ago
|
||
> Security-sensitive due to suspicious stack -- how does PresShell::Freeze end up
> on the top of the stack? PresShell::EnumeratePlugins only appears to call
> GetElementsByTagName and (through the callback) StartPluginInstance.
I now think the Mac OS X crash reporter is on crack and this should be public.
Reporter | ||
Updated•19 years ago
|
Group: security
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Updated•13 years ago
|
Crash Signature: [@ PresShell::EnumeratePlugins]
[@ StartPluginInstance]
You need to log in
before you can comment on or make changes to this bug.
Description
•