Closed Bug 245572 Opened 20 years ago Closed 20 years ago

Crash displaying www.thewebtier.com/template.jsp?selected=4 [@ nsCSSValue::Reset ]

Categories

(Core :: DOM: CSS Object Model, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: rontilby, Assigned: dbaron)

Details

(Keywords: crash, verified1.7, Whiteboard: fixed-aviary1.0)

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040603
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040603

Linked to URL from google search results.
Page displayed, then Mozilla crashed.
Talkback IDs: TB74569Q, TB74559W using Mozilla nightly 2004060208
Talkback ID: TB74619Y using Mozilla nightly 2004060308

Reproducible: Always
Steps to Reproduce:
1. load http://www.thewebtier.com/template.jsp?selected=4
2. wait a few seconds
3. crash

Actual Results:  
crash

Expected Results:  
not crash
Confirming with build 2004-06-04-07, Windows XP.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Apologies for my broken Linux box (GDB returns some variable not being
available), hope this is useful anyway:

(gdb) frame 2
#2  0x4137a3bc in nsCSSDeclaration::RemoveProperty(nsCSSProperty)
(this=Variable "this" is not available.
)
    at nsCSSDeclaration.cpp:139
139	    data.ClearProperty(aProperty);
(gdb) p aProperty
$2 = eCSSProperty_UNKNOWN
Keywords: crash
OS: Windows 2000 → All
Summary: Crash displaying www.thewebtier.com/template.jsp?selected=4 → Crash displaying www.thewebtier.com/template.jsp?selected=4 [@ nsCSSValue::Reset ]
TB74783H
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040603

Error message from Opera's JavaScript console:

Event thread: onload
Error:
name: TypeError
message: Statement on line 180: Expression evaluated to null or undefined and is
not convertible to Object: iframeSourceDocument.body
Backtrace:
  Line 180 of linked script http://www.thewebtier.com/tooltip.js
    children = iframeSourceDocument.body.childNodes;
  Line 215 of linked script http://www.thewebtier.com/tooltip.js
    var numbertooltips = findNumberOfTooltips();
  In unknown script
    parent.addContent();
  At unknown location
 
I think I know what is going on here. In JavaScript the CSS property
CounterIncrement is set, which is defined as

CSS_PROP_NOTIMPLEMENTED(counter-increment, counter_increment, CounterIncrement)

Because Mozilla hasn't implemented this, this results in

nsresult nsCSSDeclaration::RemoveProperty(nsCSSProperty aProperty)

being called with aProperty == eCSSProperty_UNKNOWN which fails miserably. I've
added a check for this in nsCSSDeclaration::RemoveProperty and that seems to
work. Patch coming up.
OS: All → Windows 2000
Oops, changing back OS. And assigning to me.
Status: NEW → ASSIGNED
OS: Windows 2000 → All
Attached patch patch (obsolete) — Splinter Review
Attachment #150028 - Flags: review?(bzbarsky)
also crashes 1.7rc2: TB75056H
requesting blocking1.7 (bug has a patch)
Flags: blocking1.7?
Assignee: general → r.pronk
Status: ASSIGNED → NEW
Flags: blocking1.7? → blocking1.7+
Whiteboard: dbaron reviewing
I think a better solution would be to take a tiny piece of the patch in bug
243728 and just define CSS_PROP_NOTIMPLEMENTED differently.
Actually, never mind that, we should tolerate bad strings passed to setProperty
/ removeProperty, and bzbarsky can land that later.  However, I think the check
should be in the caller.
Attached patch patch — Splinter Review
I prefer checking in the caller.
Attachment #150028 - Attachment is obsolete: true
Attachment #150092 - Flags: superreview?(bzbarsky)
Attachment #150092 - Flags: review?(bzbarsky)
(The reason I prefer the check in the caller is that I think when we're passing
nsCSSProperty enums around, they should already be known to be good.  There's
only one that isn't, but that should just be like a special return value from
LookupProperty.)
Yeah, I was having doubts myself whether it should be in the caller or not, but
since I didn't know how many callers there are to the callee I thought I'd just
play it safe and put it in the callee and thereby protect all callers. To me it
doesn't really matter.
There's only one caller. :-)
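Added example (not part of the bug thread and not Mozilla's code): a simplified C++ model of the caller-side check discussed above, where the name lookup returns an "unknown" sentinel and the single script-facing caller rejects it before the callee indexes storage by property. All names here (`Prop`, `lookupProperty`, `Declaration`, `domRemoveProperty`) are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <string>

// Hypothetical model of a property enum with a sentinel for names that
// are not recognised (the role eCSSProperty_UNKNOWN plays in this bug).
enum Prop { kPropUnknown = -1, kPropColor = 0, kPropMargin = 1, kPropCount = 2 };

// Stand-in for the name lookup: anything not implemented, such as
// "counter-increment" in this model, maps to the sentinel.
Prop lookupProperty(const std::string& name) {
    if (name == "color")  return kPropColor;
    if (name == "margin") return kPropMargin;
    return kPropUnknown;
}

class Declaration {
public:
    Declaration() : present_() {}
    void set(Prop p, const std::string& v) { values_[p] = v; present_[p] = true; }
    bool has(Prop p) const { return present_[p]; }
    // Precondition: p is a real property (0 <= p < kPropCount). The callee
    // trusts the enum and uses it directly as an array index, so passing
    // kPropUnknown here would index out of bounds.
    void removeProperty(Prop p) { values_[p].clear(); present_[p] = false; }
private:
    std::string values_[kPropCount];
    bool present_[kPropCount];
};

// Stand-in for the one caller reachable from script. It validates the
// lookup result once, so a bad string is tolerated as a no-op and only
// known-good enum values are passed further down.
bool domRemoveProperty(Declaration& decl, const std::string& name) {
    Prop p = lookupProperty(name);
    if (p == kPropUnknown) {
        return false;  // unknown or unimplemented property: nothing to remove
    }
    decl.removeProperty(p);
    return true;
}
```
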
Confirming with build 
Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20040607
Attachment #150092 - Flags: superreview?(bzbarsky)
Attachment #150092 - Flags: superreview+
Attachment #150092 - Flags: review?(bzbarsky)
Attachment #150092 - Flags: review+
Taking bug (although thanks for your work in finding the problem).
Assignee: r.pronk → dbaron
Fix checked in to trunk, 2004-06-07 12:30 -0700.
Status: NEW → RESOLVED
Closed: 20 years ago
Component: Browser-General → DOM: CSSOM
QA Contact: general → ian
Resolution: --- → FIXED
Comment on attachment 150092
patch

a=chofmann for 1.7
Attachment #150092 - Flags: approval1.7? → approval1.7+
Fix checked in to MOZILLA_1_7_BRANCH, 2004-06-07 14:18 -0700.
Keywords: fixed1.7
Whiteboard: dbaron reviewing → needed-aviary1.0
*** Bug 245895 has been marked as a duplicate of this bug. ***
Whiteboard: needed-aviary1.0 → fixed-aviary1.0
Verified as fixed on latest 1.7 branch 06-24 build.
Changing keywords from fixed1.7 to verified1.7.
Leave this bug status "as is" until this bug is verified on trunk again...
Keywords: fixed1.7 → verified1.7
Crash Signature: [@ nsCSSValue::Reset ]