Closed Bug 281336 Opened 20 years ago Closed 20 years ago

Crash with <![CDATA[[

Categories

(Core :: XBL, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: csthomas, Assigned: mrbkap)

Details

(Keywords: crash)

Attachments

(2 files)

URL is a diff that causes Mozilla to crash with a failed _CrtIsValidHeapPointer
assert.  If you replace:
+          <![CDATA[[
with
+          <![CDATA[
it does not crash.  I could not create a testcase that reproduced the crash.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b) Gecko/20050206

I couldn't crash using this Mozilla Suite or FirefoxTrunk Build ID 2005012912,
but at first test seems I've been using the wrong testcase, from another tab, so
I wrongly commented a Talkback belonging to this bug.
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB3540437Q
Seems Talkback above belongs to Bug 281333 Crash [@ nsFrameItems::AddChild ] 
Taking and confirming. This is the opposite problem of what Boris fixed in bug
280089. We had successfully compiled the getter, but the setter's compilation
failed, so when Destroy() was called with aIsCompiled == PR_FALSE, we tried
using 'delete' on the JS object, which caused MSVC's delete to assert. This
probably wouldn't actually crash on a non-debug build (depending on how delete
works), which may be why Hermann could not reproduce this.
Assignee: hyatt → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Ah, fun.  So if the setter compilation fails we should probably delete the
getter ourselves....
Except in this case we have no getter, do we?  So what gives?
(In reply to comment 4)
We could do that. Or, in Destroy(), we could inspect (mFlags & JSOP_GETTER) and
(mFlags & JSOP_SETTER), since those appear to be set in the right places. I
think I prefer that solution, but I think you technically own this code, so it's
your call ;-).

(In reply to comment 5)
That threw me off too. However, note
+      <property name="draggable" onget="return this._draggable;">
from the patch, has the 'onget' property.
(In reply to comment #6)
> We could do that. Or, in Destroy(), we could inspect (mFlags & JSOP_GETTER) and
> (mFlags & JSOP_SETTER), since those appear to be set in the right places. I

Of course, I mean JSPROP_GETTER and JSPROP_SETTER. (sorry for the spam)
Hmm... Yeah, checking the getter and setter flags seems reasonable.
Attached patch patch v1
Basically, we make sure to use two flags for two non-dependent properties
instead of one.
Attachment #173654 - Flags: review?(bzbarsky)
Comment on attachment 173654
patch v1

r+sr=bzbarsky
Attachment #173654 - Flags: superreview+
Attachment #173654 - Flags: review?(bzbarsky)
Attachment #173654 - Flags: review+
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Severity: normal → critical
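
The failure mode discussed in this thread, as an added example that is not part of the bug report or the Mozilla source: a simplified C++ model in which each accessor slot is a union of heap-allocated source text and an engine-owned compiled object, with one flag per slot deciding how it is released. All names (`PropertyModel`, `Slot`, `Compile`, `MismatchesWithSingleFlag`, the flag constants) are hypothetical, and the toy compiler's bracket check is an assumption standing in for a real script compile error.

```cpp
// Added example: simplified model, not Mozilla source. All names are hypothetical.
#include <string>

struct CompiledFn { int id; };     // stands in for an engine-owned JS function object
static CompiledFn gEngineFn;       // owned by the "engine"; must never reach delete
enum : unsigned { kGetterCompiled = 1u << 0, kSetterCompiled = 1u << 1 };

// Toy compiler: rejects unbalanced '[' / ']', the kind of error a stray '[' causes.
static CompiledFn* Compile(const std::string& src) {
  int depth = 0;
  for (char c : src) depth += (c == '[') - (c == ']');
  return depth == 0 ? &gEngineFn : nullptr;
}

struct Slot { union { std::string* text; CompiledFn* fn; }; };

struct PropertyModel {
  Slot getter, setter;
  unsigned flags = 0;
  int textFreed = 0, fnReleased = 0;
  PropertyModel(const char* g, const char* s) {
    getter.text = new std::string(g);
    setter.text = new std::string(s);
  }
  // On success the source text is freed and the slot switches to the compiled member.
  bool CompileSlot(Slot& slot, unsigned bit) {
    CompiledFn* fn = Compile(*slot.text);
    if (!fn) return false;           // slot still holds heap-allocated text
    delete slot.text;
    slot.fn = fn;
    flags |= bit;
    return true;
  }
  // Getter first, then setter; a setter failure leaves the getter already compiled.
  bool CompileAll() {
    return CompileSlot(getter, kGetterCompiled) && CompileSlot(setter, kSetterCompiled);
  }
  // Number of slots that one shared aIsCompiled flag would release the wrong way.
  int MismatchesWithSingleFlag(bool aIsCompiled) const {
    return (bool(flags & kGetterCompiled) != aIsCompiled) +
           (bool(flags & kSetterCompiled) != aIsCompiled);
  }
  // Each slot is released according to its own flag.
  void DestroySlot(Slot& slot, unsigned bit) {
    if (flags & bit) { slot.fn = nullptr; ++fnReleased; }  // engine reclaims it
    else { delete slot.text; slot.text = nullptr; ++textFreed; }
  }
  void Destroy() { DestroySlot(getter, kGetterCompiled); DestroySlot(setter, kSetterCompiled); }
};
```

With a getter that compiles and a setter that does not, `MismatchesWithSingleFlag` returns 1 for either value of the shared flag, which is why no single boolean can describe the mixed state.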