Closed Bug 335731 Opened 19 years ago Closed 19 years ago

Crash while calling HTMLElement.prototype.toString()

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: mrbkap, Assigned: mrbkap)

References

Details

(5 keywords)

Attachments

(2 files)

Fix
2.64 KB, patch
jst
: review+
jst
: superreview+
dveditz
: approval-branch-1.8.1+
dveditz
: approval1.8.0.4+
Details | Diff | Splinter Review
Testcase: simple call to HTMLElement.prototype.toString()
182 bytes, text/html
Details
I noticed that calling HTMLElement.prototype.toString() crashes the other day. This is fallout from bug 334104, where we added a call to XPCCallContext::SetName from XPC_WN_Shared_ToString. The problem is that SetName assumes that mWrapper is non-null, but HTMLElement.prototype is of class sDOMConstructorProtoClass, which is not a wrapped native. I'm not entirely sure of what the proper fix is, yet. This is a null pointer dereference, and therefore I'm not marking this security sensitive.
Since bug 334104 was checked into the branch, this should probably block 1.8.0.4.
Flags: blocking1.8.0.4?
Keywords: regression
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Attached patch FixSplinter Review
This adds null checks. We have to be able to handle the mWrapper == null case, since that happens whenever we're operating on a wrapped native prototype.
Assignee: dbradley → mrbkap
Status: NEW → ASSIGNED
Attachment #220071 - Flags: superreview?(jst)
Attachment #220071 - Flags: review?(jst)
Flags: blocking1.8.0.4? → blocking1.8.0.4+
Comment on attachment 220071 [details] [diff] [review] Fix > XPCCallContext::GetCallee(nsISupports * *aCallee) > { >- nsISupports* temp = mWrapper->GetIdentityObject(); >+ nsISupports* temp = mWrapper ? mWrapper->GetIdentityObject() : nsnull; > NS_IF_ADDREF(temp); > *aCallee = temp; > return NS_OK; Is it OK to return success if the callee is null? If it's anything like QI callers might expect a failure (though they're probably checking for null). Same in the getClassInfo below.
(In reply to comment #3) > Is it OK to return success if the callee is null? If it's anything like QI > callers might expect a failure (though they're probably checking for null). > Same in the getClassInfo below. It seems that all of the users of GetCallee in the tree either ignore the return value or check for null anyway. GetCalleeWrapper is expected to return non-null if it returns a success code, though. I guess I could make the functions throw if they're going to return null, though I'm not sure if that's really the correct behavior...
be good to get for 1.9a1 too.
Flags: blocking1.9a1+
Comment on attachment 220071 [details] [diff] [review] Fix r+sr=jst
Attachment #220071 - Flags: superreview?(jst)
Attachment #220071 - Flags: superreview+
Attachment #220071 - Flags: review?(jst)
Attachment #220071 - Flags: review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 220071 [details] [diff] [review] Fix This patch fixes a crash regression introduced by a bug that was already checked into the branches.
Attachment #220071 - Flags: approval1.8.0.4?
Attachment #220071 - Flags: approval-branch-1.8.1?(jst)
Comment on attachment 220071 [details] [diff] [review] Fix approved for 1.8.0 branch, a=dveditz for drivers
Attachment #220071 - Flags: approval1.8.0.4?
Attachment #220071 - Flags: approval1.8.0.4+
Attachment #220071 - Flags: approval-branch-1.8.1?(jst)
Attachment #220071 - Flags: approval-branch-1.8.1+
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.4, fixed1.8.1
Testcase passes (no crash), and verified by code inspection.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.4, fixed1.8.1testcase, verified1.8.0.4, verified1.8.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: