[FIX]document.getBoxObjectFor({}) crashes

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
DOM
P2
critical
VERIFIED FIXED
12 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: bz)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [rft-dl])

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
Calling document.getBoxObjectFor with a parameter of {} crashes.  Top of the stack in a debug build on Mac:

0   libgklayout.dylib        	0x0b564204 nsCOMPtr<nsINodeInfo>::operator->() const + 36 (nsCOMPtr.h:850)
1   libgklayout.dylib        	0x0b564e74 nsINode::GetOwnerDoc() const + 40 (nsINode.h:116)
2   libgklayout.dylib        	0x0b2645ac nsXBLService::ResolveTag(nsIContent*, int*, nsIAtom**) + 44 (nsXBLService.cpp:686)
3   libgklayout.dylib        	0x0b092aec nsDocument::GetBoxObjectFor(nsIDOMElement*, nsIBoxObject**) + 756 (nsDocument.cpp:3321)

See also bug 234331, "Mozilla crashes if document.getBoxObjectFor() is called with an undefined parameter" (fixed in 2004).
(Reporter)

Comment 1

12 years ago
Created attachment 211466 [details]
testcase
(Reporter)

Updated

12 years ago
Severity: normal → critical
Created attachment 211623 [details] [diff] [review]
Fix
Attachment #211623 - Flags: review?
(Assignee)

Updated

12 years ago
Attachment #211623 - Flags: superreview?(peterv)
Attachment #211623 - Flags: review?(bugmail)
Attachment #211623 - Flags: review?
Attachment #211623 - Flags: approval-branch-1.8.1?(peterv)
Do we want this fixed on other branches too?
Assignee: general → bzbarsky
OS: MacOS X → All
Priority: -- → P2
Hardware: Macintosh → All
Summary: document.getBoxObjectFor({}) crashes → [FIX]document.getBoxObjectFor({}) crashes
Target Milestone: --- → mozilla1.9alpha
Attachment #211623 - Flags: review?(bugmail) → review+
Comment on attachment 211623 [details] [diff] [review]
Fix

We might want to take this on the other branches too, the risk should be fairly low and it fixes a crash.
Attachment #211623 - Flags: superreview?(peterv)
Attachment #211623 - Flags: superreview+
Attachment #211623 - Flags: approval-branch-1.8.1?(peterv)
Attachment #211623 - Flags: approval-branch-1.8.1+
Fixed trunk and 1.8.1 branch.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 211623 [details] [diff] [review]
Fix

Requesting 1.8.0.x branch approval.  Completely safe null-check crash fix.
Attachment #211623 - Flags: approval1.8.0.2?
Flags: blocking1.8.0.2+
Comment on attachment 211623 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Attachment #211623 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
(Reporter)

Updated

12 years ago
Status: RESOLVED → VERIFIED

Updated

12 years ago
Whiteboard: [rft-dl]

Comment 9

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2, no crash with testcase.
Keywords: fixed1.8.0.2 → verified1.8.0.2
(Reporter)

Comment 10

10 years ago
Crashtest checked in.
Flags: in-testsuite+
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.