Closed Bug 394337 Opened 17 years ago Closed 17 years ago

Crash [@gklayout!nsBindingManager::GetNestedInsertionPoint]

Categories: Core :: XBL, defect
Version: 1.8 Branch
Platform: x86 Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED

People

(Reporter: pvnick, Unassigned)

References

Details

(Keywords: crash, regression, verified1.8.1.12, Whiteboard: [sg:dupe 396613] null-deref)

Crash Data

Attachments

(1 file)

Attached file testcase (deleted)
Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=0012c8b8 ebx=7ffd6000 ecx=00000000 edx=00000000 esi=00000000 edi=00011970
eip=01c8e535 esp=0012c85c ebp=0012c870 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
*** WARNING: Unable to verify checksum for C:\mozilla\mozilla\firefox-debug\dist\bin\components\gklayout.dll
gklayout!nsBindingManager::GetNestedInsertionPoint+0x15:
01c8e535 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????


Disassembly:
gklayout!nsBindingManager::GetNestedInsertionPoint+0x15:
01c8e535 8b11            mov     edx,dword ptr [ecx]
01c8e537 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
01c8e53a ff9298000000    call    dword ptr [edx+98h]
01c8e540 3b4508          cmp     eax,dword ptr [ebp+8]
01c8e543 7507            jne     gklayout!nsBindingManager::GetNestedInsertionPoint+0x2c (01c8e54c)
01c8e545 33c0            xor     eax,eax
01c8e547 e991000000      jmp     gklayout!nsBindingManager::GetNestedInsertionPoint+0xbd (01c8e5dd)
01c8e54c 8d45f8          lea     eax,[ebp-8]

Stack trace:
gklayout!nsBindingManager::GetNestedInsertionPoint(
                        class nsIContent * aParent = 0x024323c0, 
                        class nsIContent * aChild = 0x00000000, 
                        class nsIContent ** aResult = 0x0012c8b8)
gklayout!nsBindingManager::ContentAppended(
                        class nsIDocument * aDocument = 0x034e88e8, 
                        class nsIContent * aContainer = 0x024323c0, 
                        int aNewIndexInContainer = 8)
gklayout!nsDocument::ContentAppended(
                        class nsIContent * aContainer = 0x024323c0, 
                        int aNewIndexInContainer = 8)
gklayout!nsHTMLDocument::ContentAppended(
                        class nsIContent * aContainer = 0x024323c0, 
                        int aNewIndexInContainer = 8)
gklayout!doInsertChildAt(
                        class nsIContent * aKid = 0x039dacd0, 
                        unsigned int aIndex = 8, 
                        int aNotify = 1, 
                        class nsIContent * aParent = 0x024323c0, 
                        class nsIDocument * aDocument = 0x034e88e8, 
                        class nsAttrAndChildArray * aChildArray = 0x024323d8)
gklayout!nsGenericElement::InsertChildAt(
                        class nsIContent * aKid = 0x039dacd0, 
                        unsigned int aIndex = 8, 
                        int aNotify = 1)
gklayout!nsContentOrDocument::InsertChildAt(
                        class nsIContent * aKid = 0x039dacd0, 
                        unsigned int aIndex = 8, 
                        int aNotify = 1, 
                        class nsAttrAndChildArray * aChildArray = 0x024323d8)
gklayout!nsGenericElement::doReplaceOrInsertBefore(
                        int aReplace = 0, 
                        class nsIDOMNode * aNewChild = 0x039dacec, 
                        class nsIDOMNode * aRefChild = 0x00000000, 
                        class nsIContent * aParent = 0x024323c0, 
                        class nsIDocument * aDocument = 0x034e88e8, 
                        class nsAttrAndChildArray * aChildArray = 0x024323d8, 
                        class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsGenericElement::InsertBefore(
                        class nsIDOMNode * aNewChild = 0x039dacec, 
                        class nsIDOMNode * aRefChild = 0x00000000, 
                        class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsHTMLHeadElement::InsertBefore(
                        class nsIDOMNode * aNewChild = 0x039dacec, 
                        class nsIDOMNode * aRefChild = 0x00000000, 
                        class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsGenericElement::AppendChild(
                        class nsIDOMNode * aNewChild = 0x039dacec, 
                        class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsHTMLHeadElement::AppendChild(
                        class nsIDOMNode * aNewChild = 0x039dacec, 
                        class nsIDOMNode ** aReturn = 0x0012cd1c)
xpcom_core!XPTC_InvokeByIndex(
                        class nsISupports * that = 0x024323dc, 
                        unsigned int methodIndex = 0x12, 
                        unsigned int paramCount = 2, 
                        struct nsXPTCVariant * params = 0x0012cd0c)
xpc3250!XPCWrappedNative::CallMethod(
                        class XPCCallContext * ccx = 0x0012ce88, 
                        XPCWrappedNative::CallMode mode = CALL_METHOD (0))
xpc3250!XPC_WN_CallMethod(
                        struct JSContext * cx = 0x032e6ce8, 
                        struct JSObject * obj = 0x02b50de8, 
                        unsigned int argc = 1, 
                        long * argv = 0x039bee74, 
                        long * vp = 0x0012cfe8)
js3250!js_Invoke(
                        struct JSContext * cx = 0x032e6ce8, 
                        unsigned int argc = 1, 
                        unsigned int flags = 0)
js3250!js_Interpret(
                        struct JSContext * cx = 0x032e6ce8, 
                        unsigned char * pc = 0x03585887 ":", 
                        long * result = 0x0012db34)
js3250!js_Invoke(
                        struct JSContext * cx = 0x032e6ce8, 
                        unsigned int argc = 1, 
                        unsigned int flags = 2)
xpc3250!nsXPCWrappedJSClass::CallMethod(
                        class nsXPCWrappedJS * wrapper = 0x039e1598, 
                        unsigned short methodIndex = 3, 
                        class nsXPTMethodInfo * info = 0x02421268, 
                        struct nsXPTCMiniVariant * nativeParams = 0x0012ded4)
xpc3250!nsXPCWrappedJS::CallMethod(
                        unsigned short methodIndex = 3, 
                        class nsXPTMethodInfo * info = 0x02421268, 
                        struct nsXPTCMiniVariant * params = 0x0012ded4)
Component: General → XBL
QA Contact: general → xbl

I see a (short) mention of this crash in bug 343951.
Maybe bug 343730 also has something to do with this?
Keywords: regression

This is a consistent null-deref crash. We should be able to un-hide this one, right?
Keywords: crash
Whiteboard: [sg:nse] null-deref

I think I could probably make this crash in nastier ways... That said, the fix for bug 396613 might help here.
Depends on: 396613

I haven't analyzed this bug too much so I don't know if it's exploitable, but keep http://download.watchfire.com/whitepapers/Dangling-Pointer.pdf in mind

The patch in bug 396613 does fix this.

Fixed on branch by checkin for bug 396613.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Flags: in-testsuite?

Verified in branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. No crash with testcase, which crashes 2.0.0.11.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:nse] null-deref → [sg:dupe 396613] null-deref

Group: security
Crash Signature: [@gklayout!nsBindingManager::GetNestedInsertionPoint]