crash [@ nsDOMConstructor::HasInstance ]

RESOLVED FIXED

Product: Core
Component: DOM
Severity: critical
Opened 11 years ago, last updated 8 years ago
Reporter: Mook
Assignee: peterv
Version: Trunk
Platform: x86, Windows XP
Keywords: crash, fixed1.8.0.12, verified1.8.1.4
Attachments: 2
(Reporter)

Description

11 years ago
(See URL)

I've somehow gotten in nsDOMConstructor::HasInstance where neither line 4991 nor line 4994 is true, therefore ci_data remains null.  I then crash on line 5008 due to an access violation.

Unfortunately, my steps to reproduce consist of:
1) Get Firefox trunk
2) Get Firebug 1.0b
3) Go to a page (I used slashdot)
4) Open firebug and click around (usually when going from the console view to the HTML view).

I'll try crashing again and see what name_struct->mType is.
(Reporter)

Comment 1

11 years ago
Created attachment 251276 [details]
stack at crash

Some random relevant-looking variables I found in the debugger:

name_struct->mType = eTypeProperty
dom_class.name = "InstallTrigger"
class_iid = {a6cf906b-15b3-11d2-932e-00805f8add32} = nsIDOMWindow

stack looks big, see attachment.  Bugzilla will want to wrap it anyway.

I still think that, at minimum, some sort of early bail-out would be nice (so at least I don't crash).

Updated

11 years ago
Severity: normal → critical
Keywords: crash
(Assignee)

Comment 2

11 years ago
Created attachment 251530 [details] [diff] [review]
v1

I think eTypeProperty is the only one that can trigger this, but this is more bulletproof. We could try to get the interfaces from the object's classinfo, but that doesn't seem worth it for such an edge-case.
Assignee: general → peterv
Status: NEW → ASSIGNED
Attachment #251530 - Flags: superreview?(jst)
Attachment #251530 - Flags: review?(jst)
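
The failure mode reported above (a type-dispatched lookup that leaves ci_data null for an eTypeProperty entry) and the early bail-out the reporter asks for, as an added C++ example. It is not the attached patch or Gecko code: every type and function name is a simplified stand-in, and the string comparison stands in for the real interface check.

```cpp
#include <cstdio>
#include <cstring>

// Simplified stand-ins (assumptions): not the Gecko types or the attached patch.
enum class NameType { ClassConstructor, ExternalClassInfo, Property };
enum class Result { Instance, NotInstance, Unsupported };

struct ClassInfoData { const char* iface; };
struct NameStruct {
    NameType type;
    const ClassInfoData* data;  // set only for the two class-info kinds
};

// Only two kinds of entry carry class info. Anything else, such as a
// Property entry, resolves to nullptr, which is how ci_data stayed null.
static const ClassInfoData* LookupClassInfo(const NameStruct& ns) {
    switch (ns.type) {
        case NameType::ClassConstructor:
        case NameType::ExternalClassInfo:
            return ns.data;
        default:
            return nullptr;
    }
}

// Early bail-out: report "unsupported" instead of dereferencing a null
// ci_data. The name comparison stands in for the real interface check.
Result HasInstance(const NameStruct& ns, const char* object_iface) {
    const ClassInfoData* ci_data = LookupClassInfo(ns);
    if (!ci_data || !ci_data->iface || !object_iface) {
        return Result::Unsupported;
    }
    return std::strcmp(ci_data->iface, object_iface) == 0 ? Result::Instance
                                                          : Result::NotInstance;
}

// Constructed sample entries: a constructor and a property such as "InstallTrigger".
static const ClassInfoData kWindowInfo{"nsIDOMWindow"};
static const NameStruct kCtorEntry{NameType::ClassConstructor, &kWindowInfo};
static const NameStruct kPropertyEntry{NameType::Property, nullptr};

int main() {
    std::printf("ctor/window:     %d\n", static_cast<int>(HasInstance(kCtorEntry, "nsIDOMWindow")));
    std::printf("ctor/document:   %d\n", static_cast<int>(HasInstance(kCtorEntry, "nsIDOMDocument")));
    std::printf("property/window: %d\n", static_cast<int>(HasInstance(kPropertyEntry, "nsIDOMWindow")));
    return 0;
}
```
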
Comment on attachment 251530 [details] [diff] [review]
v1

r+sr=jst
Attachment #251530 - Flags: superreview?(jst)
Attachment #251530 - Flags: superreview+
Attachment #251530 - Flags: review?(jst)
Attachment #251530 - Flags: review+
(Assignee)

Updated

11 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

11 years ago
Comment on attachment 251530 [details] [diff] [review]
v1

Trivial crash fix.
Attachment #251530 - Flags: approval1.8.1.3?
Attachment #251530 - Flags: approval1.8.0.11?
Comment on attachment 251530 [details] [diff] [review]
v1

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #251530 - Flags: approval1.8.1.4?
Attachment #251530 - Flags: approval1.8.1.4+
Attachment #251530 - Flags: approval1.8.0.12?
Attachment #251530 - Flags: approval1.8.0.12+
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.0.12, fixed1.8.1.4
Verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. Installed Firebug and clicked around on slashdot as described in original report, no crash observed. Adding branch verified keyword.
Keywords: fixed1.8.1.4 → verified1.8.1.4
Verified fixed 1.8.0.12 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre and the steps to reproduce from comment #0. No crash with Firebug on slashdot. Adding verified keyword.

Updated

8 years ago
Summary: crash [ @ nsDOMConstructor::HasInstance ] → crash [@ nsDOMConstructor::HasInstance ]
Crash Signature: [@ nsDOMConstructor::HasInstance ]