Closed Bug 1089049 Opened 11 years ago Closed 11 years ago

crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
36 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla36
Tracking Flags:
Tracking Status
firefox36 + fixed

People

(Reporter: alice0775, Assigned: peterv)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files, 1 obsolete file)

reduced xpi
2.01 KB, application/x-xpinstall
Details
v1
5.85 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
[Tracking Requested - why for this release]: This bug was filed from the Socorro interface and is report bp-4c7e0812-cd77-4e62-8d30-c98132141025. ============================================================= Steps To Reproduce: 1. Install certain add-ons 2. open about:addons Regression window(m-i) Good: https://hg.mozilla.org/integration/mozilla-inbound/rev/90cd5968c9ce Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 ID:20141024030110 Bad: https://hg.mozilla.org/integration/mozilla-inbound/rev/c1ab3cd59563 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 ID:20141024032212 Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=90cd5968c9ce&tochange=c1ab3cd59563
Attached file xpi (obsolete) —
Steps To Reproduce: 1. Install certain add-ons and restart 2. Click [OK][Next][Next][Next][Finish] if dialog pops up 2. Alt > Tools > Options
OS: Windows NT → Windows 7
Attached file reduced xpi
Steps To Reproduce: 1. Install the attached reduced xpi and restart 2. Open about:addons
Ah, just run the following code //------------------ var node =null; var xpathResult = document.evaluate( 'ancestor-or-self::*[local-name()="textbox"]', node, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null ); //------------------ After landing Bug 1018658 : browser crashes Before landing Bug 1018658 : throw an error
Summary: crash in nsContentUtils::CanCallerAccess(nsINode*) → crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate
Attachment #8511466 - Attachment is obsolete: true
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attached patch v1Splinter Review
Bug 1018658 made us not call the XPCOM version of XPathEvaluator from the WebIDL one, instead we go through XPathExpression's evaluate. But the WebIDL for XPathExpression and XPathEvaluator differ in their evaluate, one takes a Node and the other a Node?. They should just consistently take a Node. The dereferencing of the context node should have tipped me off, but it didn't :-/.
Attachment #8511902 - Flags: review?(bzbarsky)
Comment on attachment 8511902 [details] [diff] [review] v1 r=me
Attachment #8511902 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/f24cc6f4a15e
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
QA Whiteboard: [good first verify]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: