Closed Bug 119044 Opened 23 years ago Closed 23 years ago

Mozilla crashes on XUL/DOM

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: arman, Assigned: bryner)

Details

(Keywords: crash)

Attachments

(3 files, 1 obsolete file)

XUL file which causes crash
660 bytes, application/vnd.mozilla.xul+xml
Details
Stacktrace Linux current CVS
13.62 KB, text/plain
Details
With the check moved earlier
765 bytes, patch
caillon
: review+
caillon
: superreview+
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7) Gecko/20011221 BuildID: 2001122106 Mozilla crashes after loading attatched file and clicking on the "HELLO" button. ------ <?xml version="1.0"?> <!-- -*- sgml -*- --> <?xml-stylesheet href="chrome://global/skin/" type="text/css"?> <window xmlns:html="http://www.w3.org/1999/xhtml" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <script> function bug(node) { res = document.createElement(node.nodeName); if (node.childNodes &amp;&amp; node.childNodes.length) { n = bug(node.childNodes[0]); res.appendChild( n ); } return res; } function go() { bug(document.getElementById("foo")); } </script> <vbox> <box id="foo"> <button label="Hello There"/> </box> <button onclick="go()" label="HELLO"/> </vbox> </window>
Keywords: crash
Adding stacktrace from todays CVS Linux. In this stacktrace, the line with "nsXULElement::SetDocument" keeps repeating. Attaching only the "bt 50" and "bt -50", the other 8596 lines are all the same (repeating "nsXULElement::SetDocument").
Confirming
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows NT → All
2002011604 Win95 TB1781821H using local file test.xul
this patch prevents the crash, such that the test case throws a script error when called. Reporter, in the test case, I think you meant to declare the variable 'res' with 'var' otherwise it will become a global and get overwritten when the function is called recursively. This causes appendChild to try to append itself.
=> bryner. The patch should follow prevailing style by including a space before the {. /be
Assignee: hyatt → bryner
jst, does this patch look ok to you?
Comment on attachment 92026 [details] [diff] [review] don't allow appendChild to insert itself or an ancestor The patch looks correct as per the DOM (3 Core WD). However from an implentation standpoint, this check should probably happen before we QI to nsIContent.
Do we have a similar check for non-XUL content? I don't see anything like this in nsGenericElement::AppendChild().
Comment on attachment 92026 [details] [diff] [review] don't allow appendChild to insert itself or an ancestor sr=jst
Attachment #92026 - Flags: superreview+
Oh, didn't see caillon's comment before I sr'ed, yes, this should happen ASAP in the the method, my sr still stands if this new code is moved...
Comment on attachment 92026 [details] [diff] [review] don't allow appendChild to insert itself or an ancestor r=bryner (i'd suggest a space between the closing ')' and the '{' though)
Attachment #92026 - Flags: review+
Comment on attachment 92026 [details] [diff] [review] don't allow appendChild to insert itself or an ancestor Please make sure that this patch is not checked in as-is. This check is happening too late. See my comment #9.
Comment on attachment 92026 [details] [diff] [review] don't allow appendChild to insert itself or an ancestor marking needs-work per caillon's comment.
Attachment #92026 - Flags: review+ → needs-work+
This has corrected spacing, moves the check earlier so we avoid cycles when this condition is met, and also adds a brief comment.
Attachment #92026 - Attachment is obsolete: true
Comment on attachment 95667 [details] [diff] [review] With the check moved earlier Going to check this in with forwarded sr=jst and r=caillon (I think bryner's r= still stands as well).
Attachment #95667 - Flags: superreview+
Attachment #95667 - Flags: review+
Landed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: