Closed Bug 265772 Opened 20 years ago Closed 20 years ago

[FIXr]PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray

Categories

(Core :: XPCOM, defect, P1)


RESOLVED FIXED
mozilla1.8alpha5

People

(Reporter: dewildt, Assigned: bzbarsky)

Details

(Keywords: assertion)

Attachments

(1 file)

In PresShell::PushCurrentEventInfo, event data is stored in stacks. It is
possible that a null pointer is stored in mCurrentEventContentStack
(nsCOMArray<nsIContent>).
PresShell::PopCurrentEventInfo will fail to remove the null pointer with
RemoveObjectAt because the nsCOMArray removes the content only if it is
not null. (http://lxr.mozilla.org/seamonkey/source/xpcom/ds/nsCOMArray.cpp#136)

This will result in an assertion when the presshell is destructed.

This is reproducible by opening the source view of a page.
Yikes.  nsCOMArray_base::RemoveObjectAt is broken, IMO.
Attached patch: Agreed
Attachment #163157 - Flags: superreview?(dbaron)
Attachment #163157 - Flags: review?(darin)
Attachment #163157 - Flags: superreview?(dbaron) → superreview+
Assignee: nobody → bzbarsky
Component: Layout: Misc Code → XPCOM
Could "element" maybe be put to the inside of the "if" statement?
(Or directly into "NS_IF_RELEASE" ?)
(In reply to comment #3)
> Could "element" maybe be put to the inside of the "if" statement?

Of course not.
Getting the content of a removed array element is a bad idea.

Sorry for the spam

Attachment #163157 - Flags: review?(darin) → review+
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray → [FIXr]PresShell::PopCurrentEventInfo fails if a null pointer is stored/pushed to nsCOMArray
Target Milestone: --- → mozilla1.8alpha5
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 244666 has been marked as a duplicate of this bug. ***
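
The failure mode discussed in this bug, as an added example that is not Mozilla's code and not the attached patch (which is not shown on this page). `Obj`, `PtrArray`, `RemoveObjectAtBuggy`, `RemoveObjectAtFixed` and `LeftoverAfterPops` are hypothetical names in a simplified model; the fixed variant is an assumption inferred from the comments about `element` and `NS_IF_RELEASE`.

```cpp
#include <cstddef>
#include <vector>

// Simplified stand-in for a reference-counted object (hypothetical, not nsIContent).
struct Obj { int refs = 0; };

// Hypothetical model of an owning pointer array whose entries may be null.
class PtrArray {
    std::vector<Obj*> mSlots;
public:
    void Append(Obj* o) { if (o) ++o->refs; mSlots.push_back(o); }
    std::size_t Count() const { return mSlots.size(); }

    // Behaviour described in the report: the slot is removed only when the
    // stored pointer is non-null, so a null entry stays in the array.
    bool RemoveObjectAtBuggy(std::size_t i) {
        if (i >= mSlots.size()) return false;
        Obj* element = mSlots[i];
        if (!element) return false;          // null entry is left in place
        mSlots.erase(mSlots.begin() + i);
        --element->refs;
        return true;
    }

    // Slot removal depends only on the index; only the release is null-checked.
    // The element is read before the slot is erased, never after.
    bool RemoveObjectAtFixed(std::size_t i) {
        if (i >= mSlots.size()) return false;
        Obj* element = mSlots[i];
        mSlots.erase(mSlots.begin() + i);
        if (element) --element->refs;
        return true;
    }
};

// Push a null entry and a real one, pop twice, return how many entries remain.
std::size_t LeftoverAfterPops(bool fixed) {
    Obj content;                             // constructed sample object
    PtrArray stack;
    stack.Append(nullptr);
    stack.Append(&content);
    for (int n = 0; n < 2; ++n) {
        std::size_t last = stack.Count() - 1;
        fixed ? stack.RemoveObjectAtFixed(last) : stack.RemoveObjectAtBuggy(last);
    }
    return stack.Count();
}

int main() { return (LeftoverAfterPops(true) == 0 && LeftoverAfterPops(false) == 1) ? 0 : 1; }
```

With the buggy variant the push/pop pairs no longer balance: one null entry remains after two pops, which is the kind of leftover state the report says trips an assertion when the presshell is destroyed.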