Bug 326998 - [FIX]Crash [@ nsBoxFrame::AttributeChanged] when changing ordinal value of a xul element in html
Keywords: crash, fixed1.8.1, testcase, verified1.8.0.2
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: All All
Importance: P3 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz]
Reported: 2006-02-13 05:04 PST by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
dveditz: blocking1.8.0.2+

testcase (crashes on load) (475 bytes, application/xhtml+xml)
2006-02-13 05:05 PST, Martijn Wargers [:mwargers] (not working for Mozilla)
Fix (1.28 KB, patch)
2006-02-16 22:00 PST, Boris Zbarsky [:bz]
roc: review+
roc: superreview+
roc: approval-branch-1.8.1+
dveditz: approval1.8.0.2+

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2006-02-13 05:04:32 PST
See upcoming testcase, which crashes current trunk Mozilla build. It also crashes Mozilla1.7.12.

Talkback ID: TB15086320X

nsBoxFrame::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1314]
nsCSSFrameConstructor::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10802]
PresShell::AttributeChanged  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5140]
nsGenericElement::SetAttrAndNotify  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3759]
nsGenericElement::SetAttr  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3676]
nsXULElement::SetOrdinal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2291]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_GetterSetter  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1468]
js_Invoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1243]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344]
js_InternalGetOrSet  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1403]
js_SetProperty  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3125]
js_Interpret  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3655]
js_Invoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1267]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1344]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4176]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1424]
nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6219]
nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6589]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x1eb69 (0x77e5eb69)
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-02-13 05:05:37 PST
Created attachment 211724
testcase (crashes on load)
Comment 2 Boris Zbarsky [:bz] 2006-02-16 22:00:30 PST
Created attachment 212192

Sometimes, a null-check really is the right thing!
Comment 3 Boris Zbarsky [:bz] 2006-02-16 22:04:24 PST
Not sure whether this is worth it for 1.8.0.x branch.  roc, thoughts?
Comment 4 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-02-20 16:37:48 PST
Comment on attachment 212192

I think we may as well take it for 1.8.0.x, the risk is as low as it gets.
Comment 5 Boris Zbarsky [:bz] 2006-02-20 16:40:02 PST
Comment on attachment 212192

Requesting 1.8.0.x approval.  This is a simple null-check crash fix; should be very safe.
Comment 6 Boris Zbarsky [:bz] 2006-02-20 16:41:50 PST
Fixed on trunk and 1.8.1
Comment 7 Stephen Donner [:stephend] 2006-02-21 15:09:15 PST
No crash loading/reloading testcase:

on Windows XP SeaMonkey trunk Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060221 SeaMonkey/1.5a
Comment 8 Daniel Veditz [:dveditz] 2006-02-22 01:00:04 PST
Comment on attachment 212192

approved for 1.8.0 branch, a=dveditz
Comment 9 Boris Zbarsky [:bz] 2006-02-22 19:00:49 PST
Fixed for
Comment 10 Dave Liebreich [:davel] 2006-03-01 16:27:35 PST
Marking [rft-dl] (ready for testing in Firefox release candidates)
Comment 11 Marcia Knous [:marcia - use ni] 2006-03-06 10:12:12 PST
verified on the branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv: Gecko/20060306 Firefox/ I get no crash repeatedly loading and reloading the testcase listed in the bug.
