Closed Bug 326778 Opened 17 years ago Closed 17 years ago

[FIX]document.getBoxObjectFor({}) crashes

Categories

(Core :: DOM: Core & HTML, defect, P2)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bzbarsky)

Details

(4 keywords, Whiteboard: [rft-dl])

Attachments

(2 files)

Calling document.getBoxObjectFor with a parameter of {} crashes.  Top of the stack in a debug build on Mac:

0   libgklayout.dylib        	0x0b564204 nsCOMPtr<nsINodeInfo>::operator->() const + 36 (nsCOMPtr.h:850)
1   libgklayout.dylib        	0x0b564e74 nsINode::GetOwnerDoc() const + 40 (nsINode.h:116)
2   libgklayout.dylib        	0x0b2645ac nsXBLService::ResolveTag(nsIContent*, int*, nsIAtom**) + 44 (nsXBLService.cpp:686)
3   libgklayout.dylib        	0x0b092aec nsDocument::GetBoxObjectFor(nsIDOMElement*, nsIBoxObject**) + 756 (nsDocument.cpp:3321)

See also bug 234331, "Mozilla crashes if document.getBoxObjectFor() is called with an undefined parameter" (fixed in 2004).
Attached file testcase
Severity: normal → critical
Attached patch FixSplinter Review
Attachment #211623 - Flags: review?
Attachment #211623 - Flags: superreview?(peterv)
Attachment #211623 - Flags: review?(bugmail)
Attachment #211623 - Flags: review?
Attachment #211623 - Flags: approval-branch-1.8.1?(peterv)
Do we want this fixed on other branches too?
Assignee: general → bzbarsky
OS: MacOS X → All
Priority: -- → P2
Hardware: Macintosh → All
Summary: document.getBoxObjectFor({}) crashes → [FIX]document.getBoxObjectFor({}) crashes
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 211623 [details] [diff] [review]
Fix

We might want to take this on the other branches too, the risk should be fairly low and it fixes a crash.
Attachment #211623 - Flags: superreview?(peterv)
Attachment #211623 - Flags: superreview+
Attachment #211623 - Flags: approval-branch-1.8.1?(peterv)
Attachment #211623 - Flags: approval-branch-1.8.1+
Fixed trunk and 1.8.1 branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 211623 [details] [diff] [review]
Fix

Requesting 1.8.0.x branch approval.  Completely safe null-check crash fix.
Attachment #211623 - Flags: approval1.8.0.2?
Flags: blocking1.8.0.2+
Comment on attachment 211623 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Attachment #211623 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
Status: RESOLVED → VERIFIED
Whiteboard: [rft-dl]
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2, no crash with testcase.
Crashtest checked in.
Flags: in-testsuite+
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.