Closed
Bug 307562
Opened 18 years ago
Closed 14 years ago
Crash [@ nsXBLBinding::AllowScripts]
Categories
(Core :: XBL, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: csthomas, Unassigned)
References
()
Details
if (!mgr) { return PR_FALSE; } --> nsIDocument* doc = mBoundElement->GetOwnerDoc(); if (!doc) { return PR_FALSE; } Debugger shows mBoundElement->nsISupports->__vfptr = 0xfdfdfdfd I was messing around with the <toolbox> constructor - having it create some <hbox>es and moving its children into these hboxes. I worked around the crash by moving the logic to a separate function and using setTimeout() to call it with 0 delay. nsXBLBinding::AllowScripts() line 1195 + 14 bytes nsXBLBinding::ExecuteAttachedHandler() line 772 + 8 bytes nsXBLBinding::ExecuteAttachedHandler() line 772 nsBindingManager::ProcessAttachedQueue(nsBindingManager * const 0x01bfcbb8) line 764 nsCSSFrameConstructor::ContentInserted(nsIContent * 0x00000000, nsIFrame * 0x00000000, nsIContent * 0x0278d080, int 0, nsILayoutHistoryState * 0x00000000, int 0) line 9020 PresShell::InitialReflow(PresShell * const 0x01bf3da8, int 0, int 0) line 2828 nsXULDocument::StartLayout() line 2165 nsXULDocument::ResumeWalk() line 3187 nsXULDocument::EndLoad() line 744 XULContentSinkImpl::DidBuildModel(XULContentSinkImpl * const 0x02afa260) line 408 nsExpatDriver::DidBuildModel(nsExpatDriver * const 0x02af92d8, unsigned int 0, int 1, nsIParser * 0x02afa2e8, nsIContentSink * 0x02afa260) line 1079 + 12 bytes nsParser::DidBuildModel(unsigned int 0) line 1315 + 46 bytes nsParser::ResumeParse(int 1, int 1, int 1) line 2037 nsParser::OnStopRequest(nsParser * const 0x02afa2ec, nsIRequest * 0x02af9738, nsISupports * 0x00000000, unsigned int 0) line 2706 + 21 bytes nsJARChannel::OnStopRequest(nsJARChannel * const 0x02af9740, nsIRequest * 0x02af9a58, nsISupports * 0x00000000, unsigned int 0) line 712 nsInputStreamPump::OnStateStop() line 507 nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x02af9a5c, nsIAsyncInputStream * 0x02af9068) line 343 + 11 bytes nsInputStreamReadyEvent::EventHandler(PLEvent * 0x02af8ff4) line 120 PL_HandleEvent(PLEvent * 0x02af8ff4) line 688 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x009f6598) line 623 + 9 bytes _md_EventReceiverProc(HWND__ * 0x002103f6, unsigned int 49510, unsigned int 0, long 10446232) line 1408 + 9 bytes USER32! 77d48734() USER32! 77d48816() USER32! 77d489cd() USER32! 77d48a10() nsAppShell::Run(nsAppShell * const 0x01b07368) line 135 nsAppStartup::Run(nsAppStartup * const 0x01b07108) line 208 main1(int 3, char * * 0x002a4358, nsISupports * 0x009f4010) line 1249 + 32 bytes main(int 3, char * * 0x002a4358) line 1736 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 7c816d4f()
![]() |
||
Comment 1•18 years ago
|
||
So you're saying the mBoundElement of the binding is dead?
Reporter | ||
Comment 2•18 years ago
|
||
(In reply to comment #1) > So you're saying the mBoundElement of the binding is dead? <word> hmmm... 0xfdfdfdfd is crt: no man's land (off the end) If that fits the category of "dead", yes. It would be 0xdddddddd if it were actually deleted though, right?
![]() |
||
Comment 3•18 years ago
|
||
Yeah. So how did we end up with a bogus mContent, I wonder... Is the binding itself destroyed by this time or something?
Updated•18 years ago
|
Severity: normal → critical
Summary: Crash @nsXBLBinding::AllowScripts() → Crash [@ nsXBLBinding::AllowScripts]
Comment 4•16 years ago
|
||
Fixed by bug 400735? WFM?
Updated•14 years ago
|
Assignee: xbl → nobody
QA Contact: ian → xbl
Comment 5•14 years ago
|
||
This never had a testcase, and the stack wasn't enough information.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•