[FIX]Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
Layout
P3
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: bz)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [rft-dl], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
See upcoming testcase, which crashes current trunk Mozilla build. It also crashes Mozilla1.7.12.


Talkback ID: TB15086320X

nsBoxFrame::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1314]
nsCSSFrameConstructor::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10802]
PresShell::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5140]
nsGenericElement::SetAttrAndNotify  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3759]
nsGenericElement::SetAttr  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3676]
nsXULElement::SetOrdinal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2291]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_GetterSetter  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1468]
js_Invoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1243]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344]
js_InternalGetOrSet  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1403]
js_SetProperty  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3125]
js_Interpret  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3655]
js_Invoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1267]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4176]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1424]
nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6219]
nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6589]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x1eb69 (0x77e5eb69)
(Reporter)

Comment 1

11 years ago
Created attachment 211724 [details]
testcase (crashes on load)
Created attachment 212192 [details] [diff] [review]
Fix

Sometimes, a null-check really is the right thing!
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #212192 - Flags: superreview?(roc)
Attachment #212192 - Flags: review?(roc)
OS: Windows XP → All
Priority: -- → P3
Hardware: PC → All
Summary: Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html → [FIX]Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html
Target Milestone: --- → mozilla1.9alpha
Attachment #212192 - Flags: approval-branch-1.8.1?(roc)
Not sure whether this is worth it for 1.8.0.x branch.  roc, thoughts?
Comment on attachment 212192 [details] [diff] [review]
Fix

I think we may as well take it for 1.8.0.x, the risk is as low as it gets.
Attachment #212192 - Flags: superreview?(roc)
Attachment #212192 - Flags: superreview+
Attachment #212192 - Flags: review?(roc)
Attachment #212192 - Flags: review+
Attachment #212192 - Flags: approval-branch-1.8.1?(roc)
Attachment #212192 - Flags: approval-branch-1.8.1+
Comment on attachment 212192 [details] [diff] [review]
Fix

Requesting 1.8.0.x approval.  This is a simple null-check crash fix; should be very safe.
Attachment #212192 - Flags: approval1.8.0.2?
Fixed on trunk and 1.8.1
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
No crash loading/reloading testcase: https://bugzilla.mozilla.org/attachment.cgi?id=211724&action=view

on Windows XP SeaMonkey trunk Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060221 SeaMonkey/1.5a
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.2+
Comment on attachment 212192 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Attachment #212192 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [rft-dl]
verified on the 1.8.0.2 branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. I get no crash repeatedly loading and reloading the testcase listed in the bug.
Keywords: fixed1.8.0.2 → verified1.8.0.2
Crash Signature: [@ nsBoxFrame::AttributeChanged]
You need to log in before you can comment on or make changes to this bug.