Closed Bug 374021 Opened 13 years ago Closed 2 years ago

crash [@ IsChromeURI] Loading an overlay using loadOverlay into an uninitialized XULDocument

Categories

(Core :: XUL, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- fixed

People

(Reporter: asqueella, Assigned: jeanluc.bonnafoux)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Loading an overlay using loadOverlay into an uninitialized XULDocument crashes:
var xulDoc = Components.classes["@mozilla.org/xul/xul-document;1"].createInstance(Components.interfaces.nsIDOMXULDocument);
xulDoc.loadOverlay("chrome://browser/content/", null);

Discovered by dkirsch on irc.

IsChromeURI(aURI=0x00000000)  Line 146	C++
nsXULDocument::LoadOverlayInternal(aURI=0x03f6d558, aIsDynamic=0x00000001, aShouldReturn=0x0012e794, aFailureFromContent=0x0012e78c)  Line 2694	C++
nsXULDocument::LoadOverlay(aURL={...}, aObserver=0x00000000)  Line 2656	C++
NS_InvokeByIndex(that=0x00000011, methodIndex=0x00000002, paramCount=0x0012e904, params=0x00d01894)  Line 102	C++
XPCWrappedNative::CallMethod(ccx={...}, mode=0x00000011)  Line 2247	C++
XPCWrappedNative::CallMethod(ccx={...}, mode=CALL_METHOD)  Line 2247	C++
XPC_WN_CallMethod(cx=0x040cb0a8, obj=JSObject [... slots], argc=0x00000002, argv=0x04120610, vp=0x0012ebac)  Line 1464	C++
js_Invoke(cx=0x040cb0a8, argc=0x00000002, flags=0x00000000)  Line 1353	C
js_Interpret(cx=0x040cb0a8, pc=0x00d40b1c, result=0x0012f1ac)  Line 4042	C
js_Execute(cx=0x040cb0a8, chain=JSObject [... slots], script=JSScript "javascript: var%20xulDoc%20%3D%20Components.classes%5B%22%40mozilla.org%2Fxul%2Fxul-document%3B1%22%5D.createInstance(Components.interfaces.nsIDOMXULDocument)%3BxulDoc.loadOverlay(%22chrome%3A%2F%2Fbrowser%2Fcontent%2F%22%2Cnull)%3B%20", down=0x00000000, flags=0x00000000, result=0x0012f2d8)  Line 1612	C
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ IsChromeURI]
Hello,

Trying to understand the root cause of this crash.
The call to nsXULDocument::LoadOverlayInternal has the parameter aURI, which is a non-null pointer.

So it seems the root cause of the crash is: bool documentIsChrome = IsChromeURI(mDocumentURI);
where mDocumentURI would be a null pointer.

According to the documentation of GetDocumentURI(), this pointer may be a null pointer.

Therefore the call to IsChromeURI(mDocumentURI) should be protected against a null pointer value.

I will try to submit a patch proposal.

Thanks,
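
The null-guard pattern discussed in the comment above, as an added example; it is not code from the Mozilla tree or from the attached patch. Uri, XulDocument and the OverlayLoad outcomes are hypothetical stand-ins, and the assumption that a non-chrome document is sent down a security-checked path is made only for illustration. The point is that the guard fails closed: a document without a URI is treated as non-chrome rather than crashing or being trusted.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for nsIURI: only the scheme matters here.
struct Uri {
    std::string scheme;
    bool SchemeIs(const char* aScheme) const { return scheme == aScheme; }
};

// Same shape as the helper in the crash stack: it dereferences aURI
// unconditionally, so a null argument is a null-pointer dereference.
static bool IsChromeURI(const Uri* aURI) { return aURI->SchemeIs("chrome"); }

// Assumed outcomes, for illustration only.
enum class OverlayLoad { TrustedChromeDocument, NeedsSecurityCheck, RejectedNullOverlay };

// Hypothetical stand-in for the XUL document object.
struct XulDocument {
    const Uri* mDocumentURI = nullptr;  // stays null until the document is initialized

    OverlayLoad LoadOverlay(const Uri* aOverlayURI) const {
        if (!aOverlayURI) return OverlayLoad::RejectedNullOverlay;
        // Guard: IsChromeURI is only reached with a non-null pointer. With no
        // document URI the document is treated as non-chrome (fail closed).
        bool documentIsChrome = mDocumentURI && IsChromeURI(mDocumentURI);
        return documentIsChrome ? OverlayLoad::TrustedChromeDocument
                                : OverlayLoad::NeedsSecurityCheck;
    }
};

int main() {
    Uri overlay{"chrome"};      // constructed sample input
    XulDocument uninitialized;  // mirrors the createInstance() case in the report
    bool checked = uninitialized.LoadOverlay(&overlay) == OverlayLoad::NeedsSecurityCheck;
    std::printf("uninitialized document: %s\n",
                checked ? "security check required" : "trusted");
    return checked ? 0 : 1;
}
```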
Comment on attachment 8955811 [details]
Bug 374021 - Loading an overlay using loadOverlay into an uninitialized XULDocument

https://reviewboard.mozilla.org/r/224850/#review231148

Thanks :-)
Attachment #8955811 - Flags: review?(nika) → review+
Hello,

Could you please tell me what is needed to have this patch land?

Thanks,
I've marked you as the assignee, and marked the bug as checkin-needed. A sheriff should come by and land it for you :-).
Assignee: nobody → jeanluc.bonnafoux
Keywords: checkin-needed
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6024410244a9
Loading an overlay using loadOverlay into an uninitialized XULDocument r=mystor
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/6024410244a9
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60