Bug 326778 - [FIX]document.getBoxObjectFor({}) crashes
Keywords: crash, fixed1.8.1, testcase, verified1.8.0.2
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All All
Importance: P2 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
QA Contact: Hixie (not reading bugmail)
: Andrew Overholt [:overholt]
Depends on:
Blocks: 326633
Reported: 2006-02-10 22:32 PST by Jesse Ruderman
Modified: 2013-04-04 13:53 PDT
dveditz: blocking1.8.0.2+
jruderman: in‑testsuite+

testcase (46 bytes, text/html)
2006-02-10 22:33 PST, Jesse Ruderman
no flags
Fix (1.90 KB, patch)
2006-02-12 11:53 PST, Boris Zbarsky [:bz] (still a bit busy)
jonas: review+
peterv: superreview+
peterv: approval‑branch‑1.8.1+
dveditz: approval1.8.0.2+

Description Jesse Ruderman 2006-02-10 22:32:52 PST
Calling document.getBoxObjectFor with a parameter of {} crashes.  Top of the stack in a debug build on Mac:

0   libgklayout.dylib        	0x0b564204 nsCOMPtr<nsINodeInfo>::operator->() const + 36 (nsCOMPtr.h:850)
1   libgklayout.dylib        	0x0b564e74 nsINode::GetOwnerDoc() const + 40 (nsINode.h:116)
2   libgklayout.dylib        	0x0b2645ac nsXBLService::ResolveTag(nsIContent*, int*, nsIAtom**) + 44 (nsXBLService.cpp:686)
3   libgklayout.dylib        	0x0b092aec nsDocument::GetBoxObjectFor(nsIDOMElement*, nsIBoxObject**) + 756 (nsDocument.cpp:3321)

See also bug 234331, "Mozilla crashes if document.getBoxObjectFor() is called with an undefined parameter" (fixed in 2004).
Comment 1 Jesse Ruderman 2006-02-10 22:33:22 PST
Created attachment 211466
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2006-02-12 11:53:24 PST
Created attachment 211623
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2006-02-12 11:55:53 PST
Do we want this fixed on other branches too?
Comment 4 Peter Van der Beken [:peterv] 2006-02-14 06:18:02 PST
Comment on attachment 211623

We might want to take this on the other branches too, the risk should be fairly low and it fixes a crash.
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2006-02-14 08:26:36 PST
Fixed trunk and 1.8.1 branch.
Comment 6 Boris Zbarsky [:bz] (still a bit busy) 2006-02-14 08:26:45 PST
Comment on attachment 211623

Requesting 1.8.0.x branch approval.  Completely safe null-check crash fix.
Comment 7 Daniel Veditz [:dveditz] 2006-02-22 00:53:35 PST
Comment on attachment 211623

approved for 1.8.0 branch, a=dveditz
Comment 8 Boris Zbarsky [:bz] (still a bit busy) 2006-02-22 18:55:18 PST
Fixed for
Comment 9 Jay Patel [:jay] 2006-03-06 15:40:19 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060306 Firefox/, no crash with testcase.
Comment 10 Jesse Ruderman 2007-12-14 19:36:04 PST
Crashtest checked in.
