Closed
Bug 281336
Opened 20 years ago
Closed 20 years ago
Crash with <![CDATA[[
Categories
(Core :: XBL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: csthomas, Assigned: mrbkap)
References
()
Details
(Keywords: crash)
Attachments
(2 files)
9.87 KB,
text/plain
|
Details | |
1.26 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
URL is a diff that causes mozilla to crash with a failed _CrtIsValidHeapPointer assert. If you replace: + <![CDATA[[ with + <![CDATA[ it does not crash. I could not create a testcase that reproduced the crash.
Reporter | ||
Comment 1•20 years ago
|
||
Comment 2•20 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b) Gecko/20050206 I couldn´t crash using this Mozilla Suite or FirefoxTrunk Build ID 2005012912, but at first test seems I´ve been using the wrong testcase, from another tab, so I wrongly commented a Talkback belonging to this bug. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB3540437Q Seems Talkback above belongs to Bug 281333 Crash [@ nsFrameItems::AddChild ]
Assignee | ||
Comment 3•20 years ago
|
||
Taking and confirming. This is the opposite problem of what Boris fixed in bug 280089. We had successfully compiled the getter, but the setter's compilation failed, so when Destroy() was called with aIsCompiled == PR_FALSE, we tried using 'delete' on the JS object, which caused MSVC's delete to assert. This probably wouldn't actually crash on a non-debug build (depending on how delete works), which may be why Hermann could not reproduce this.
Assignee: hyatt → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•20 years ago
|
||
Ah, fun. So if the setter compilation fails we should probably delete the getter ourselves....
Comment 5•20 years ago
|
||
Except in this case we have no getter, do we? So what gives?
Assignee | ||
Comment 6•20 years ago
|
||
(In reply to comment 4) We could do that. Or, in Destroy(), we could inspect (mFlags & JSOP_GETTER) and (mFlags & JSOP_SETTER), since those appear to be set in the right places. I think I prefer that solution, but I think you technically own this code, so it's your call ;-). (In reply to comment 5) That threw me off too. However, note + <property name="draggable" onget="return this._draggable;"> from the patch, has the 'onget' property.
Assignee | ||
Comment 7•20 years ago
|
||
(In reply to comment #6) > We could do that. Or, in Destroy(), we could inspect (mFlags & JSOP_GETTER) and > (mFlags & JSOP_SETTER), since those appear to be set in the right places. I Of course, I mean JSPROP_GETTER and JSPROP_SETTER. (sorry for the spam)
Comment 8•20 years ago
|
||
Hmm... Yeah, checking the getter and setter flags seems reasonable.
Assignee | ||
Comment 9•20 years ago
|
||
Basically, we make sure to use two flags for two non-dependant properties instead of one.
Attachment #173654 -
Flags: review?(bzbarsky)
Comment 10•20 years ago
|
||
Comment on attachment 173654 [details] [diff] [review] patch v1 r+sr=bzbarsky
Attachment #173654 -
Flags: superreview+
Attachment #173654 -
Flags: review?(bzbarsky)
Attachment #173654 -
Flags: review+
Assignee | ||
Comment 11•20 years ago
|
||
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
|
Severity: normal → critical
You need to log in
before you can comment on or make changes to this bug.
Description
•