Closed
Bug 151745
Opened 23 years ago
Closed 23 years ago
nsXMLElement::Init() called with unstable ref-count
Categories
(Core :: XML, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla1.1beta
People
(Reporter: alex, Assigned: hjtoi-bugzilla)
Details
Attachments
(1 file, 1 obsolete file)
|
1.53 KB,
patch
|
peterv
:
review+
hjtoi-bugzilla
:
superreview+
|
Details | Diff | Splinter Review |
In two instances in nsXMLElement.cpp we create a fresh nsXMLElement and call
its Init()-method with a ref-count of 0. This leads to a crash if we do any
QI'ing & and subsequent releasing in Init(), as we have to do in the SVG
implementation.
Solution: stabilize by AddRef'ing before calling Init().
Patch to follow.
|
Reporter | |
Comment 1•23 years ago
|
||
|
Assignee | |
Comment 2•23 years ago
|
||
Thanks, I added some null pointer checks to these methods as well.
Attachment #87649 -
Attachment is obsolete: true
|
||
Comment 3•23 years ago
|
||
Comment on attachment 87703 [details] [diff] [review]
Some additional fixes
>- return it->QueryInterface(NS_GET_IID(nsIDOMNode), (void**) aReturn);
>+ rv = it->QueryInterface(NS_GET_IID(nsIDOMNode), (void**) aReturn);
You could use CallQueryInterface here I think. r=peterv.
Attachment #87703 -
Flags: review+
|
|
Assignee | |
Comment 4•23 years ago
|
||
Comment on attachment 87703 [details] [diff] [review]
Some additional fixes
sr=heikki
Attachment #87703 -
Flags: superreview+
|
|
Assignee | |
Updated•23 years ago
|
Status: NEW → RESOLVED
Closed: 23 years ago
Priority: -- → P3
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.1beta
|
|
Assignee | |
Comment 5•23 years ago
|
||
Fixed.
It looks like this patch caused a massive increase in leaks on the brad-fast
tinderbox on MozillaTest. Others haven't cycled yet.
Comment on attachment 87703 [details] [diff] [review]
Some additional fixes
>Index: content/xml/content/src/nsXMLElement.cpp
>===================================================================
>RCS file: /cvsroot/mozilla/content/xml/content/src/nsXMLElement.cpp,v
>retrieving revision 1.82
>diff -u -r1.82 nsXMLElement.cpp
>--- content/xml/content/src/nsXMLElement.cpp 14 Jun 2002 18:52:16 -0000 1.82
>+++ content/xml/content/src/nsXMLElement.cpp 14 Jun 2002 18:57:51 -0000
>@@ -72,17 +72,20 @@
> nsresult
> NS_NewXMLElement(nsIContent** aInstancePtrResult, nsINodeInfo *aNodeInfo)
> {
>+ NS_ENSURE_ARG_POINTER(aInstancePtrResult);
Why bother with a null check? If anyone passes null for an out param they
deserve to crash.
>+ *aInstancePtrResult = nsnull;
>+
> nsXMLElement* it = new nsXMLElement();
>
> if (!it) {
> return NS_ERROR_OUT_OF_MEMORY;
> }
>
>+ NS_ADDREF(it);
I think you need to remove the NS_ADDREF below to balance this one.
> nsresult rv = it->Init(aNodeInfo);
>
> if (NS_FAILED(rv)) {
>- delete it;
>-
>+ NS_RELEASE(it);
> return rv;
> }
>
|
|
Assignee | |
Comment 8•23 years ago
|
||
Oops, checked in this now:
- NS_ADDREF(*aInstancePtrResult);
-
|
|
||
Updated•23 years ago
|
QA Contact: petersen → rakeshmishra
You need to log in
before you can comment on or make changes to this bug.
Description
•