Closed Bug 326998 Opened 19 years ago Closed 19 years ago

[FIX]Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html

Categories

(Core :: Layout, defect, P3)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Details

(4 keywords, Whiteboard: [rft-dl])

Crash Data

Attachments

(2 files)

See upcoming testcase, which crashes current trunk Mozilla build. It also crashes Mozilla1.7.12. Talkback ID: TB15086320X nsBoxFrame::AttributeChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1314] nsCSSFrameConstructor::AttributeChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10802] PresShell::AttributeChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5140] nsGenericElement::SetAttrAndNotify [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3759] nsGenericElement::SetAttr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3676] nsXULElement::SetOrdinal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2291] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152] XPC_WN_GetterSetter [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1468] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1243] js_InternalInvoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344] js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1403] js_SetProperty [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3125] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3655] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1267] js_InternalInvoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344] JS_CallFunctionValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4176] nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1424] nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6219] nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6589] nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162] main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x1eb69 (0x77e5eb69)
Attached patch FixSplinter Review
Sometimes, a null-check really is the right thing!
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #212192 - Flags: superreview?(roc)
Attachment #212192 - Flags: review?(roc)
OS: Windows XP → All
Priority: -- → P3
Hardware: PC → All
Summary: Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html → [FIX]Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html
Target Milestone: --- → mozilla1.9alpha
Attachment #212192 - Flags: approval-branch-1.8.1?(roc)
Not sure whether this is worth it for 1.8.0.x branch. roc, thoughts?
Comment on attachment 212192 [details] [diff] [review] Fix I think we may as well take it for 1.8.0.x, the risk is as low as it gets.
Attachment #212192 - Flags: superreview?(roc)
Attachment #212192 - Flags: superreview+
Attachment #212192 - Flags: review?(roc)
Attachment #212192 - Flags: review+
Attachment #212192 - Flags: approval-branch-1.8.1?(roc)
Attachment #212192 - Flags: approval-branch-1.8.1+
Comment on attachment 212192 [details] [diff] [review] Fix Requesting 1.8.0.x approval. This is a simple null-check crash fix; should be very safe.
Attachment #212192 - Flags: approval1.8.0.2?
Fixed on trunk and 1.8.1
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
No crash loading/reloading testcase: https://bugzilla.mozilla.org/attachment.cgi?id=211724&action=view on Windows XP SeaMonkey trunk Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060221 SeaMonkey/1.5a
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.2+
Comment on attachment 212192 [details] [diff] [review] Fix approved for 1.8.0 branch, a=dveditz
Attachment #212192 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [rft-dl]
verified on the 1.8.0.2 branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. I get no crash repeatedly loading and reloading the testcase listed in the bug.
Crash Signature: [@ nsBoxFrame::AttributeChanged]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: