Bug 269881
Opened 20 years ago
Closed 20 years ago
Crash with malformed SVG if it has an onload
Categories: Core :: SVG, defect
Status: RESOLVED FIXED
People: Reporter: bzbarsky, Unassigned
Keywords: crash
Minimal testcase is in the URL field...
#0 0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const (
this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47
#1 0x4008bbac in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) (
this=0xbfffdd50, qi={mRawPtr = 0x87ced18}, iid=@0x40b298d4) at nsCOMPtr.cpp:96
#2 0x40b14909 in nsCOMPtr<nsISupports>::operator=(nsQueryInterface)
(this=0xbfffdd50,
rhs={mRawPtr = 0x87ced18}) at nsCOMPtr.h:880
#3 0x40b0cfba in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*,
XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) (ccx=@0xbfffde20,
Object=0x87ced18, Scope=0x86ce1e8, Interface=0x80e8c08,
resultWrapper=0xbfffddbc)
at
/home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:229
#4 0x40aed12a in XPCConvert::NativeInterface2JSObject(XPCCallContext&,
nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, unsigned*)
(ccx=@0xbfffde20,
dest=0xbfffe080, src=0x87ced18, iid=0x4188e8e8, scope=0x8687aa0,
pErr=0xbfffde1c)
at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1056
#5 0x40ad1e6f in nsXPConnect::WrapNative(JSContext*, JSObject*, nsISupports*,
nsID const&, nsIXPConnectJSObjectHolder**) (this=0x80e2d08,
aJSContext=0x86cdf20, aScope=0x8687aa0,
aCOMObj=0x87ced18, aIID=@0x4188e8e8, _retval=0xbfffe080)
at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:568
#6 0x41516f48 in
nsEventListenerManager::CompileEventHandlerInternal(nsIScriptContext*,
nsISupports*, nsIAtom*, nsListenerStruct*, nsIDOMEventTarget*, unsigned)
(this=0x87d1088,
aContext=0x86cd640, aObject=0x87ced18, aName=0x815d098,
aListenerStruct=0x87d10f0,
aCurrentTarget=0x86cd584, aSubType=1)
at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1379
#7 0x415176eb in nsEventListenerManager::HandleEventSubType(nsListenerStruct*,
nsIDOMEvent*, nsIDOMEventTarget*, unsigned, unsigned) (this=0x87d1088,
aListenerStruct=0x87d10f0,
aDOMEvent=0x87cede8, aCurrentTarget=0x86cd584, aSubType=1, aPhaseFlags=7)
at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1495
#8 0x41517b3e in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*,
nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x87d1088,
aPresContext=0x87c79a0, aEvent=0xbfffe460, aDOMEvent=0xbfffe3b4,
aCurrentTarget=0x86cd584, aFlags=7, aEventStatus=0xbfffe49c)
at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1602
#9 0x416f0ba4 in GlobalWindowImpl::HandleDOMEvent(nsPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x86cd558,
aPresContext=0x87c79a0, aEvent=0xbfffe460,
aDOMEvent=0xbfffe3b4, aFlags=7, aEventStatus=0xbfffe49c)
at /home/bzbarsky/mozilla/xlib/mozilla/dom/src/base/nsGlobalWindow.cpp:906
#10 0x4146afd4 in DocumentViewerImpl::LoadComplete(unsigned) (this=0x8602100,
aStatus=0)
at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsDocumentViewer.cpp:889
#11 0x41ecba45 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) (
this=0x86cd1f0, aProgress=0x86e1914, aChannel=0x8368e68, aStatus=0)
at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsDocShell.cpp:4310
#12 0x41ef266d in nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) (
this=0x86cd1f0, aProgress=0x86e1914, channel=0x8368e68, aStatus=0)
at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsWebShell.cpp:747
(gdb) frame 0
#0 0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const (
this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47
47 status = mRawPtr->QueryInterface(aIID,
answer);
(gdb) whats mRawPtr
0x6e006c: Cannot access memory at address 0x6e006c
(gdb) p *mRawPtr
$4 = {_vptr.nsISupports = 0x6e006c}
It looks like in nsEventListenerManager::HandleEventSubType the |jslistener|'s
mTarget is a dead object...
I couldn't reproduce this with HTML, but could this be a bug in the XML sink's
actions on error? Or is this definitely an svg thing?
Comment 1 • 20 years ago (Reporter)
*** Bug 272025 has been marked as a duplicate of this bug. ***
Comment 2 • 20 years ago
Boris,
I don't understand how 272025 is a dupe of this bug; that bug relates to not
closing an element <switch>....<switch>, i.e. a typo.
It's not clear to me what 269881 relates to, the onload value possibly?
Comment 3 • 20 years ago (Reporter)
Jonathan, this bug is about a crash when there is an onload on an <svg> and the
XML is malformed (e.g. tags are not closed). That's exactly the situation in bug
269881, and that bug crashes at the same exact place as this one.
The patch on bug 252631 prevents the crash.
Comment 5 • 20 years ago
Boris,
thanks for the update ~:"
Comment 6 • 20 years ago (Reporter)
Looks like this was fixed by the checkin for bug 252631
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED