Closed Bug 199851 Opened 22 years ago Closed 21 years ago

xbl method without body element causes crash

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: justin, Assigned: hyatt)

Details

Attachments

(1 file)

test case to cause moz to crash
674 bytes, application/x-tar
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4a) Gecko/20030201 If an xbl element has a method defined, but that method has no body element then mozilla will crash. Example: <method name="func"> </method> See attachment (coming soon) Reproducible: Always Steps to Reproduce: Expected Results: Mozilla should either spew a warning or not bind the xbl element.
This is a very simple test case to crash mozilla (cvs pull from 2003-03-22) Simply run it via: ./run-mozilla.sh ./mozilla -chrome file:///path/to/case.xul
For your viewing pleasure, the backtrace... #0 0x420ae561 in nanosleep () from /lib/i686/libc.so.6 #1 0x4012c83c in nanosleep () from /lib/i686/libpthread.so.0 #2 0x420ae439 in sleep () from /lib/i686/libc.so.6 #3 0x0807014e in ah_crap_handler(int) (signum=11) at nsSigHandlers.cpp:149 #4 0x41a4ecaa in nsMathMLmsqrtFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) (this=0xb, aPresContext=0x7, aDesiredSize=@0x0, aReflowState=@0x2b, aStatus=@0x2b) at nsMathMLmsqrtFrame.cpp:254 #5 0x4012e47e in __pthread_sighandler () from /lib/i686/libpthread.so.0 #6 <signal handler called> #7 0x41560338 in nsIsIndexFrame::CreateAnonymousContent(nsIPresContext*, nsISupportsArray&) (this=0x83100d0, aPresContext=0x8370538, aChildList=@0x830fe50) at nsIsIndexFrame.cpp:257 #8 0xbfffc1a0 in ?? () #9 0x4155ffe2 in nsIsIndexFrame::CreateAnonymousContent(nsIPresContext*, nsISupportsArray&) (this=0x83100d0, aPresContext=0x8370538, aChildList=@0x830fe50) at nsIsIndexFrame.cpp:234 #10 0x4156157f in nsIsIndexFrame::OnSubmit(nsIPresContext*) (this=0x830fe50, aPresContext=0x8360a30) at nsIsIndexFrame.cpp:481 #11 0x41560f51 in nsIsIndexFrame::OnSubmit(nsIPresContext*) (this=0x830fe50, aPresContext=0x8360a30) at nsIsIndexFrame.cpp:423 #12 0x41560e0a in nsIsIndexFrame::OnSubmit(nsIPresContext*) (this=0x830fe50, aPresContext=0x8360a30) at nsIsIndexFrame.cpp:409 #13 0x4155109e in nsImageControlFrame::GetAccessible(nsIAccessible**) ( this=0x8360a30, aAccessible=0x8361180) at nsImageControlFrame.cpp:228 #14 0x4154c086 in non-virtual thunk to nsTextControlFrame::SetSuggestedSize(int, int) () at nsTextControlFrame.cpp:3216 #15 0x41571e3c in nsCSSFrameConstructor::BuildScrollFrame(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, nsIFrame*, nsIFrame*, nsIFrame*&, nsStyleContext*&, nsIFrame*) (this=0x816f828, aPresShell=0x8361180, aPresContext=0x8362198, aState=@0x0, aContent=0xbfffc740, aContentStyle=0xbfffc738, aScrolledFrame=0xbfffc6a8, aParentFrame=0x411a08ef, aContentParentFrame=0x80a5b10, aNewFrame=@0x80a506c, aScrolledContentStyle=@0xbfffc6b8, aScrollPortFrame=0x808738e) at nsCSSFrameConstructor.cpp:6273 #16 0x411a09ca in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #17 0x411a086b in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #18 0x411a6a68 in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #19 0x41340c8c in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #20 0x411181e2 in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #21 0x415759d4 in nsCSSFrameConstructor::GetAbsoluteContainingBlock(nsIPresContext*, nsIFrame*) (this=0x81595f0, aPresContext=0x839b078, aFrame=0xbfffcd80) at nsCSSFrameConstructor.cpp:7741 #22 0x415708ad in nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int&) (this=0x839d338, aPresShell=0x83705e0, aPresContext=0xbfffd130, aState=@0xbfffd2d0, aContent=0x44c, aParentFrame=0x417d5238, aTag=0xbfffcef8, aNameSpaceID=1096808804, aStyleContext=0x8310040, aFrameItems=@0x1, aXBLBaseTag=1098335493, aHaltProcessing=@0x415ff86a) at nsCSSFrameConstructor.cpp:5683 #23 0x413794c3 in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #24 0x412b4d79 in gResLog () from /prj/moztrunk/mozilla/dist/bin/components/libgklayout.so #25 0x4153bac9 in nsGfxButtonControlFrame (this=0x839b078) at nsGfxButtonControlFrame.cpp:66 #26 0x4152dc39 in nsComboboxControlFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) (this=0x839b698, aPresContext=0x0, aDesiredSize=@0xbfffd458, aReflowState=@0x41f41a67, aStatus=@0x839d948) at nsComboboxControlFrame.cpp:1457 #27 0x41f220bd in CViewSourceHTML (this=0x839d948) at nsViewSourceHTML.cpp:332 #28 0x41f40785 in big2_getAtts (enc=0x839bef8, ptr=0x0, attsMax=-1073752932, atts=0x41f414e0) at xmltok_impl.c:1460 #29 0x41f4181a in doParseXmlDecl (encodingFinder=0x839bef8, isGeneralTextEntity=1, enc=0x1, ptr=0x1 <Address 0x1 out of bounds>, end=0x839d948 "
Fixed by patch in bug 210298
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: