Closed Bug 731087 Opened 13 years ago Closed 6 years ago

OOM Crash [@ nsScannerBufferList] due to fallible allocation in nsScannerBufferList

Categories

(Core :: DOM: HTML Parser, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash)

The following source part (m-c revision 66e4d53697c2) indirectly uses fallible allocation through the nsScannerBufferList class:

http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#240

The call to AllocBufferFromString here is fallible and will cause a crash on OOM:

nsScannerBufferList (buf=0x0, this=0x2aaabcb834d0) at ../../../dist/include/nsScannerString.h:162
162       PR_APPEND_LINK(buf, &mBuffers);
#0  nsScannerBufferList (buf=0x0, this=0x2aaabcb834d0) at ../../../dist/include/nsScannerString.h:162
#1  nsScannerSubstring::Rebind (this=0x2aaabcb83480, aString=<optimized out>) at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsScannerString.cpp:240
#2  0x00002aaaac5edc9f in CNewlineToken::AllocNewline () at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsHTMLTokens.cpp:1532
#3  0x00002aaaac5f43f1 in Initialize () at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsParserModule.cpp:115
#4  0x00002aaaad282391 in nsComponentManagerImpl::KnownModule::Load (this=0x2aaabc0fd5a0) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:732
#5  0x00002aaaad2827d0 in nsFactoryEntry::GetFactory (this=<optimized out>) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:1738
#6  0x00002aaaad282cd3 in CreateInstance (aResult=0x7fffffff7978, aIID=..., aDelegate=0x0, aClass=..., this=<optimized out>) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:974
#7  nsComponentManagerImpl::CreateInstance (this=<optimized out>, aClass=..., aDelegate=0x0, aIID=..., aResult=0x7fffffff7978) at /srv/repos/browser/mozilla-central/xpcom/components/nsComponentManager.cpp:929

The crash itself is harmless but we should handle this situation anyway. I propose we should either convert all alloc methods of nsScannerBufferList to be infallible in general, or if that is not possible, add a second set of infallible methods (like moz_xmalloc).
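Added example, not Mozilla's code: a simplified stand-in for the AllocBufferFromString -> nsScannerBufferList -> PR_APPEND_LINK chain in the backtrace above. The names follow the report; the Link/Buffer layout, the OOM threshold and the bodies are constructed here to show why the fallible result must be rejected before it reaches the list append.

```cpp
// Added example, not Mozilla's code: a simplified stand-in for the
// AllocBufferFromString -> nsScannerBufferList -> PR_APPEND_LINK chain.
#include <cstdlib>
#include <cstring>
#include <string>
struct Link { Link* next; Link* prev; };             // stand-in for PRCList
struct Buffer {                                       // link header + payload
  Link link;
  char* data() { return reinterpret_cast<char*>(this + 1); }
};
static const size_t kOomThreshold = 1 << 20;          // constructed OOM limit

// Fallible, as the report describes: returns null instead of aborting.
Buffer* AllocBufferFromString(const std::string& s) {
  size_t total = sizeof(Buffer) + s.size() + 1;
  if (total > kOomThreshold) return nullptr;          // simulated OOM
  Buffer* b = static_cast<Buffer*>(std::malloc(total));
  if (!b) return nullptr;
  std::memcpy(b->data(), s.c_str(), s.size() + 1);
  return b;
}

// PR_APPEND_LINK equivalent: dereferences elem unconditionally, so a null
// buffer reaching here is the null dereference in the report's backtrace.
static void AppendLink(Link* elem, Link* list) {
  elem->next = list;        elem->prev = list->prev;
  list->prev->next = elem;  list->prev = elem;
}

struct BufferList {
  Link head;
  BufferList() { head.next = head.prev = &head; }
  ~BufferList() { while (head.next != &head) { Link* l = head.next; head.next = l->next; std::free(l); } }
  // Hardened: reject a null buffer before it reaches AppendLink.
  bool Append(Buffer* buf) {
    if (!buf) return false;
    AppendLink(&buf->link, &head);
    return true;
  }
  size_t Count() const { size_t n = 0; for (Link* l = head.next; l != &head; l = l->next) ++n; return n; }
};

// Hardened Rebind: an allocation failure propagates as a return value.
bool Rebind(BufferList& list, const std::string& s) { return list.Append(AllocBufferFromString(s)); }

// One normal rebind, then one that hits the simulated OOM: the second is
// rejected rather than crashing, so exactly one buffer ends up linked.
size_t DemoRebind() {
  BufferList l;
  bool ok1 = Rebind(l, "hello"), ok2 = Rebind(l, std::string(kOomThreshold, 'x'));
  return (ok1 && !ok2) ? l.Count() : 0;
}
```

The report's other option, an infallible set of alloc methods in the style of moz_xmalloc, would replace the `return false` path with an abort on null.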
This is the old parser, right? If so, I think this is RESOLVED DONTCAREITSGOINGAWAYANYWAYS ;-)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #1)
> This is the old parser, right? If so, I think this is RESOLVED
> DONTCAREITSGOINGAWAYANYWAYS ;-)

Sadly, nsScanner is staying until I get around to rewriting our XML code path too. It's on my todo list after exorcising the old HTML parser.
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX