Closed Bug 378521 Opened 15 years ago Closed 13 years ago
Crash [@ ns
CSSFrame Constructor::Create Input Frame] with <binding extends="html:input">
Loading this testcase in Firefox (Mac trunk nightly) causes a null deref crash [@ nsCSSFrameConstructor::CreateInputFrame]. On trunk, at least, it might be best to fix this by removing support for extends="tagname" (bug 378518).
Crash also on GNU/Linux with Sm trunk.
Still crashes on trunk with the same crash signature. Before the crash, there's also an assertion: ###!!! ASSERTION: input is not an nsIFormControl!: 'control', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 2323 Bug 378518 is blocking1.9+, so this bug should go away soon.
Now I just get ###!!! ASSERTION: Invalid extends value: 'Error', file /Users/jruderman/central/content/xbl/src/nsXBLService.cpp, line 989 I checked the testcase in as a crashtest and filed bug 454029 on the bogus assertion.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
1.9.0 !exploitable report PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsCSSFrameConstructor::CreateInputFrame
This is an unexploitable null-deref, !exploitable's paranoia interacts badly with this code pattern.
Flags: blocking126.96.36.199? → wanted1.9.0.x+
Crash Signature: [@ nsCSSFrameConstructor::CreateInputFrame]
You need to log in before you can comment on or make changes to this bug.