Closed Bug 326778 Opened 18 years ago Closed 18 years ago

[FIX]document.getBoxObjectFor({}) crashes

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bzbarsky)

Details

(4 keywords, Whiteboard: [rft-dl])

Attachments

(2 files)

testcase
46 bytes, text/html
Details
Fix
1.90 KB, patch
sicking
: review+
peterv
: superreview+
peterv
: approval-branch-1.8.1+
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review 
Calling document.getBoxObjectFor with a parameter of {} crashes.  Top of the stack in a debug build on Mac:

0   libgklayout.dylib        	0x0b564204 nsCOMPtr<nsINodeInfo>::operator->() const + 36 (nsCOMPtr.h:850)
1   libgklayout.dylib        	0x0b564e74 nsINode::GetOwnerDoc() const + 40 (nsINode.h:116)
2   libgklayout.dylib        	0x0b2645ac nsXBLService::ResolveTag(nsIContent*, int*, nsIAtom**) + 44 (nsXBLService.cpp:686)
3   libgklayout.dylib        	0x0b092aec nsDocument::GetBoxObjectFor(nsIDOMElement*, nsIBoxObject**) + 756 (nsDocument.cpp:3321)

See also bug 234331, "Mozilla crashes if document.getBoxObjectFor() is called with an undefined parameter" (fixed in 2004).
Attached file testcase 

    
  
Severity: normal → critical

    
    

    
  

      
      
      
      

        Attached patch
          
          
        FixSplinter Review
      

    


  

        Attachment #211623 -
        Flags: review?

    
  

        Attachment #211623 -
        Flags: superreview?(peterv)

        Attachment #211623 -
        Flags: review?(bugmail)

        Attachment #211623 -
        Flags: review?

        Attachment #211623 -
        Flags: approval-branch-1.8.1?(peterv)

    
    

    
  
Do we want this fixed on other branches too?
Assignee: general → bzbarsky
OS: MacOS X → All
Priority: -- → P2
Hardware: Macintosh → All
Summary: document.getBoxObjectFor({}) crashes → [FIX]document.getBoxObjectFor({}) crashes
Target Milestone: --- → mozilla1.9alpha

    
    

    
  
Comment on attachment 211623 [details] [diff] [review]
Fix

We might want to take this on the other branches too, the risk should be fairly low and it fixes a crash.

        Attachment #211623 -
        Flags: superreview?(peterv)

        Attachment #211623 -
        Flags: superreview+

        Attachment #211623 -
        Flags: approval-branch-1.8.1?(peterv)

        Attachment #211623 -
        Flags: approval-branch-1.8.1+

    
    

    
  
Fixed trunk and 1.8.1 branch.
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 211623 [details] [diff] [review]
Fix

Requesting 1.8.0.x branch approval.  Completely safe null-check crash fix.

        Attachment #211623 -
        Flags: approval1.8.0.2?
Flags: blocking1.8.0.2+

    
    

    
  
Comment on attachment 211623 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz

        Attachment #211623 -
        Flags: approval1.8.0.2? → approval1.8.0.2+

    
    

    
  
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2

    
  
Status: RESOLVED → VERIFIED
Whiteboard: [rft-dl]

    
    

    
  
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2, no crash with testcase.
Keywords: fixed1.8.0.2verified1.8.0.2

    
    

    
  
Crashtest checked in.
Flags: in-testsuite+
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.