Closed Bug 378521 Opened 17 years ago Closed 16 years ago

Crash [@ nsCSSFrameConstructor::CreateInputFrame] with <binding extends="html:input">

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
358 bytes, application/xhtml+xml
Details 
Loading this testcase in Firefox (Mac trunk nightly) causes a null deref crash [@ nsCSSFrameConstructor::CreateInputFrame].

On trunk, at least, it might be best to fix this by removing support for extends="tagname" (bug 378518).
Crash also on GNU/Linux with Sm trunk.
OS: Mac OS X → All
Hardware: PC → All
Still crashes on trunk with the same crash signature.  Before the crash, there's also an assertion:

###!!! ASSERTION: input is not an nsIFormControl!: 'control', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 2323

Bug 378518 is blocking1.9+, so this bug should go away soon.
Now I just get

###!!! ASSERTION: Invalid extends value: 'Error', file /Users/jruderman/central/content/xbl/src/nsXBLService.cpp, line 989

I checked the testcase in as a crashtest and filed bug 454029 on the bogus assertion.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
1.9.0 !exploitable report
PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsCSSFrameConstructor::CreateInputFrame
Flags: blocking1.9.0.11?
This is an unexploitable null-deref, !exploitable's paranoia interacts badly with this code pattern.
Flags: blocking1.9.0.11? → wanted1.9.0.x+
Whiteboard: [sg:dos]
Crash Signature: [@ nsCSSFrameConstructor::CreateInputFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: