Closed
Bug 265772
Opened 20 years ago
Closed 20 years ago
[FIXr]PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray
Categories
(Core :: XPCOM, defect, P1)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
mozilla1.8alpha5
People
(Reporter: dewildt, Assigned: bzbarsky)
References
Details
(Keywords: assertion)
Attachments
(1 file)
1.03 KB,
patch
|
darin.moz
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
In PresShell::PushCurrentEventInfo are event data stored in stacks. It is possible that a null pointer is stored in mCurrentEventContentStack (nsCOMArray<nsIContent>). PresShell::PopCurrentEventInfo will fail to remove the null pointer with RemoveObjectAt because the nsCOMMArray removes the content only removed if it is not null. (http://lxr.mozilla.org/seamonkey/source/xpcom/ds/nsCOMArray.cpp#136) This will result in an assertion when the presshell is detructed. This is reproducable by opening the source view of a page.
Yikes. nsCOMArray_base::RemoveObjectAt is broken, IMO.
Assignee | ||
Comment 2•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Attachment #163157 -
Flags: superreview?(dbaron)
Attachment #163157 -
Flags: review?(darin)
Attachment #163157 -
Flags: superreview?(dbaron) → superreview+
Updated•20 years ago
|
Assignee: nobody → bzbarsky
Component: Layout: Misc Code → XPCOM
Reporter | ||
Comment 3•20 years ago
|
||
Could "element" maybe be put to the inside of the "if" statement? (Or directly into "NS_IF_RELEASE" ?)
Reporter | ||
Comment 4•20 years ago
|
||
(In reply to comment #3) > Could "element" maybe be put to the inside of the "if" statement? Of course not. Getting the content of a removed array element is a bad idea. Sorry for the spam
Updated•20 years ago
|
Attachment #163157 -
Flags: review?(darin) → review+
Assignee | ||
Updated•20 years ago
|
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray → [FIXr]PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray
Target Milestone: --- → mozilla1.8alpha5
Assignee | ||
Comment 5•20 years ago
|
||
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 244666 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•