Closed Bug 1089049 Opened 5 years ago Closed 5 years ago

crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate

Categories

(Core :: DOM: Core & HTML, defect, critical)

36 Branch
x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla36
Tracking Status
firefox36 + fixed

People

(Reporter: alice0775, Assigned: peterv)

Details

(Keywords: crash, regression)

Attachments

(2 files, 1 obsolete file)

2.01 KB, application/x-xpinstall
v1, 5.85 KB, patch (bzbarsky: review+)
[Tracking Requested - why for this release]:

This bug was filed from the Socorro interface and is 
report bp-4c7e0812-cd77-4e62-8d30-c98132141025.
=============================================================

Steps To Reproduce:
1. Install certain add-ons
2. open about:addons


Regression window(m-i)
Good:
https://hg.mozilla.org/integration/mozilla-inbound/rev/90cd5968c9ce
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 ID:20141024030110
Bad:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c1ab3cd59563
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 ID:20141024032212
Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=90cd5968c9ce&tochange=c1ab3cd59563
Attached file xpi (obsolete)
Steps To Reproduce:
1. Install certain add-ons and restart
2. Click [OK][Next][Next][Next][Finish] if dialog pops up
3. Alt > Tools > Options
OS: Windows NT → Windows 7
Attached file reduced xpi
Steps To Reproduce:
1. Install the attached reduced xpi and restart
2. Open about:addons
Ah, just run the following code

//------------------
// Repro: the context node passed to document.evaluate is null
var node = null;
var xpathResult = document.evaluate(
  'ancestor-or-self::*[local-name()="textbox"]',
  node, // contextNode
  null,
  XPathResult.FIRST_ORDERED_NODE_TYPE,
  null
);
//------------------

After landing Bug 1018658: browser crashes
Before landing Bug 1018658: throws an error
Summary: crash in nsContentUtils::CanCallerAccess(nsINode*) → crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate
Attachment #8511466 - Attachment is obsolete: true
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attached patch v1
Bug 1018658 made us not call the XPCOM version of XPathEvaluator from the WebIDL one; instead we go through XPathExpression's evaluate. But the WebIDL for XPathExpression and XPathEvaluator differ in their evaluate: one takes a Node and the other a Node?. They should just consistently take a Node. The dereferencing of the context node should have tipped me off, but it didn't :-/.
Attachment #8511902 - Flags: review?(bzbarsky)
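
An added illustration of the mismatch described in the comment above, not code from this bug's patch or from Gecko: a small JavaScript model of WebIDL argument conversion, showing that a contextNode declared Node? lets null reach an implementation that assumes a node, while declaring it Node rejects null at the binding layer. ModelNode, convertNode, makeEvaluate and probeNullContext are hypothetical names.

```javascript
// Constructed model of WebIDL argument conversion; not Gecko code.
class ModelNode { constructor(name) { this.localName = name; } }

// WebIDL conversion of an interface-typed argument:
// `Node?` passes null/undefined through as null, `Node` throws a TypeError.
function convertNode(value, nullable) {
  if (value === null || value === undefined) {
    if (nullable) return null;
    throw new TypeError("Argument is not an object (binding layer)");
  }
  if (!(value instanceof ModelNode)) {
    throw new TypeError("Argument does not implement Node (binding layer)");
  }
  return value;
}

// Builds an evaluate() entry point whose contextNode is declared either
// `Node?` (nullable = true) or `Node` (nullable = false) and forwards to an
// implementation written on the assumption that it never sees null.
function makeEvaluate(nullable) {
  const trace = { implReached: false, implSawNull: false };
  function impl(contextNode) {
    trace.implReached = true;
    // The native implementation would dereference contextNode here;
    // the model records the null instead of faulting.
    if (contextNode === null) { trace.implSawNull = true; return null; }
    return contextNode.localName;
  }
  function evaluate(contextNode) {
    return impl(convertNode(contextNode, nullable));
  }
  return { evaluate, trace };
}

// Reports where a null context node is stopped for a given declaration.
function probeNullContext(nullable) {
  const { evaluate, trace } = makeEvaluate(nullable);
  let error = null;
  try { evaluate(null); } catch (e) { error = e; }
  return {
    rejectedByBinding: error instanceof TypeError && !trace.implReached,
    implSawNull: trace.implSawNull,
  };
}
```
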
Comment on attachment 8511902
v1

r=me
Attachment #8511902 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/f24cc6f4a15e
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
QA Whiteboard: [good first verify]
Component: DOM → DOM: Core & HTML