Closed Bug 233955 Opened 21 years ago Closed 21 years ago

[FIXr]DOM L3 Core Crash in nsDocument::RenameNode

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.7beta

People

(Reporter: bc, Assigned: bzbarsky)

References

Details

(Keywords: crash)

Attachments

(2 files)

documentrenamenode27.zip
32.35 KB, application/zip
Details
Fix
944 bytes, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
Running the DOM 3 L3 Core TS crashes with the following stack nsDocument::RenameNode(nsDocument * const 0x03a110bc, nsIDOMNode * 0x00000000, const nsAString & {...}, const nsAString & {...}, nsIDOMNode * * 0x0012dbc0) line 3522 + 7 bytes XPTC_InvokeByIndex(nsISupports * 0x03a110bc, unsigned int 28, unsigned int 4, nsXPTCVariant * 0x0012db90) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2022 + 42 bytes XPC_WN_CallMethod(JSContext * 0x039c4e60, JSObject * 0x031a7ee8, unsigned int 3, long * 0x04129610, long * 0x0012de60) line 1272 + 14 bytes js_Invoke(JSContext * 0x039c4e60, unsigned int 3, unsigned int 0) line 941 + 23 bytes js_Interpret(JSContext * 0x039c4e60, long * 0x0012e84c) line 2962 + 15 bytes js_Execute(JSContext * 0x039c4e60, JSObject * 0x0218e530, JSScript * 0x03fbfbc8, JSStackFrame * 0x0012f110, unsigned int 32, long * 0x0012e84c) line 1155 + 13 bytes obj_eval(JSContext * 0x039c4e60, JSObject * 0x03939260, unsigned int 1, long * 0x04129538, long * 0x0012e84c) line 1068 + 27 bytes js_Invoke(JSContext * 0x039c4e60, unsigned int 1, unsigned int 0) line 941 + 23 bytes js_Interpret(JSContext * 0x039c4e60, long * 0x0012f180) line 2962 + 15 bytes js_Invoke(JSContext * 0x039c4e60, unsigned int 1, unsigned int 0) line 958 + 13 bytes js_Interpret(JSContext * 0x039c4e60, long * 0x0012fac8) line 2962 + 15 bytes js_Execute(JSContext * 0x039c4e60, JSObject * 0x03939260, JSScript * 0x0402e710, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fac8) line 1155 + 13 bytes JS_EvaluateUCScriptForPrincipals(JSContext * 0x039c4e60, JSObject * 0x03939260, JSPrincipals * 0x03a688b4, const unsigned short * 0x03a96ec0, unsigned int 26, const char * 0x04161608, unsigned int 158, long * 0x0012fac8) line 3543 + 25 bytes nsJSContext::EvaluateString(const nsAString & {...}, void * 0x03939260, nsIPrincipal * 0x03a688b0, const char * 0x04161608, unsigned int 158, const char * 0x00c84430, nsAString & {...}, int * 0x0012fbe0) line 880 + 85 bytes GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x04161590) line 5130 + 114 bytes GlobalWindowImpl::TimerCallback(nsITimer * 0x04161680, void * 0x04161590) line 5508 nsTimerImpl::Fire() line 382 + 17 bytes nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x01feeb48) line 616 nsAppShell::Run(nsAppShell * const 0x00a5c788) line 142 nsAppShellService::Run(nsAppShellService * const 0x00a5c4d8) line 484 main1(int 1, char * * 0x002e2638, nsISupports * 0x009af5d8) line 1291 + 32 bytes main(int 1, char * * 0x002e2638) line 1678 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e814c7()
I guess I own this.
Assignee: general → caillon
zip file with test case.
Attached patch FixSplinter Review
Comment on attachment 141208 [details] [diff] [review] Fix Gotta love that test suite passing null to renameNode.... ;)
Attachment #141208 - Flags: superreview?(jst)
Attachment #141208 - Flags: review?(jst)
Comment on attachment 141208 [details] [diff] [review] Fix r+sr=jst
Attachment #141208 - Flags: superreview?(jst)
Attachment #141208 - Flags: superreview+
Attachment #141208 - Flags: review?(jst)
Attachment #141208 - Flags: review+
Assignee: caillon → bzbarsky
Keywords: crash
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Summary: DOM L3 Core Crash in nsDocument::RenameNode → [FIXr]DOM L3 Core Crash in nsDocument::RenameNode
Target Milestone: --- → mozilla1.7beta
Comment on attachment 141208 [details] [diff] [review] Fix >Index: content/base/src/nsDocument.cpp >=================================================================== >RCS file: /cvsroot/mozilla/content/base/src/nsDocument.cpp,v >retrieving revision 3.481 >diff -u -p -d -u -8 -r3.481 nsDocument.cpp >--- content/base/src/nsDocument.cpp 11 Feb 2004 02:22:43 -0000 3.481 >+++ content/base/src/nsDocument.cpp 12 Feb 2004 02:40:21 -0000 >@@ -3513,16 +3513,18 @@ nsDocument::NormalizeDocument() > } > > NS_IMETHODIMP > nsDocument::RenameNode(nsIDOMNode *aNode, > const nsAString& namespaceURI, > const nsAString& qualifiedName, > nsIDOMNode **aReturn) > { >+ NS_ENSURE_ARG_POINTER(aNode); >+ I don't think we want to warn or throw here.
I can see not warning, but I think we absolutely want to throw. Worst-case, we should throw NOT_SUPPORTED_ERR, since the arg is not an element or attribute node.
OK, I can switch to that before landing.
Fix checked in for 1.7b
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
verified in my cvs debug build.
Status: RESOLVED → VERIFIED
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: