Crash [@ nsXBLBinding::AllowScripts]

RESOLVED INCOMPLETE

Status

()

Core
XBL
--
critical
RESOLVED INCOMPLETE
12 years ago
8 years ago

People

(Reporter: Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com], Unassigned)

Tracking

Trunk
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

if (!mgr) {
      return PR_FALSE;
    }
  
--> nsIDocument* doc = mBoundElement->GetOwnerDoc();
    if (!doc) {
      return PR_FALSE;
    }

Debugger shows mBoundElement->nsISupports->__vfptr = 0xfdfdfdfd

I was messing around with the <toolbox> constructor - having it create some
<hbox>es and moving its children into these hboxes.  I worked around the crash
by moving the logic to a separate function and using setTimeout() to call it
with 0 delay.

nsXBLBinding::AllowScripts() line 1195 + 14 bytes
nsXBLBinding::ExecuteAttachedHandler() line 772 + 8 bytes
nsXBLBinding::ExecuteAttachedHandler() line 772
nsBindingManager::ProcessAttachedQueue(nsBindingManager * const 0x01bfcbb8) line 764
nsCSSFrameConstructor::ContentInserted(nsIContent * 0x00000000, nsIFrame *
0x00000000, nsIContent * 0x0278d080, int 0, nsILayoutHistoryState * 0x00000000,
int 0) line 9020
PresShell::InitialReflow(PresShell * const 0x01bf3da8, int 0, int 0) line 2828
nsXULDocument::StartLayout() line 2165
nsXULDocument::ResumeWalk() line 3187
nsXULDocument::EndLoad() line 744
XULContentSinkImpl::DidBuildModel(XULContentSinkImpl * const 0x02afa260) line 408
nsExpatDriver::DidBuildModel(nsExpatDriver * const 0x02af92d8, unsigned int 0,
int 1, nsIParser * 0x02afa2e8, nsIContentSink * 0x02afa260) line 1079 + 12 bytes
nsParser::DidBuildModel(unsigned int 0) line 1315 + 46 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 2037
nsParser::OnStopRequest(nsParser * const 0x02afa2ec, nsIRequest * 0x02af9738,
nsISupports * 0x00000000, unsigned int 0) line 2706 + 21 bytes
nsJARChannel::OnStopRequest(nsJARChannel * const 0x02af9740, nsIRequest *
0x02af9a58, nsISupports * 0x00000000, unsigned int 0) line 712
nsInputStreamPump::OnStateStop() line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x02af9a5c,
nsIAsyncInputStream * 0x02af9068) line 343 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x02af8ff4) line 120
PL_HandleEvent(PLEvent * 0x02af8ff4) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009f6598) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002103f6, unsigned int 49510, unsigned int 0,
long 10446232) line 1408 + 9 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x01b07368) line 135
nsAppStartup::Run(nsAppStartup * const 0x01b07108) line 208
main1(int 3, char * * 0x002a4358, nsISupports * 0x009f4010) line 1249 + 32 bytes
main(int 3, char * * 0x002a4358) line 1736 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
So you're saying the mBoundElement of the binding is dead?
(In reply to comment #1)
> So you're saying the mBoundElement of the binding is dead?

<word> hmmm... 0xfdfdfdfd is crt: no man's land (off the end)

If that fits the category of "dead", yes.  It would be 0xdddddddd if it were
actually deleted though, right?
Yeah.  So how did we end up with a bogus mContent, I wonder...

Is the binding itself destroyed by this time or something?

Updated

12 years ago
Severity: normal → critical
Summary: Crash @nsXBLBinding::AllowScripts() → Crash [@ nsXBLBinding::AllowScripts]
Fixed by bug 400735? WFM?
Assignee: xbl → nobody
QA Contact: ian → xbl
This never had a testcase, and the stack wasn't enough information.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.