User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007100210 Minefield/3.0a9pre Build Identifier: CVS HEAD, 2007-10-02T10:30:00-04:00 In some cases, inserting a node with no `nodeset` attribute specified will cause the browser to crash with the following (partial) backtrace: 0xffffe410 in __kernel_vsyscall () (gdb) bt #0 0xffffe410 in __kernel_vsyscall () #1 0xb733de66 in nanosleep () from /lib/tls/i686/cmov/libc.so.6 #2 0xb733dc8f in sleep () from /lib/tls/i686/cmov/libc.so.6 #3 0xb7ec26d9 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:149 #4 0xb7edb854 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210 #5 <signal handler called> #6 0xb4ad27c6 in nsXFormsInsertDeleteElement::HandleAction (this=0x9599ba8, aEvent=0x9ae5d78, aParentAction=0x9599a94) at /home/john/development/mozilla/extensions/xforms/nsXFormsInsertDeleteElement.cpp:243 #7 0xb7d16c41 in NS_InvokeByIndex_P () at /home/john/development/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfo.cpp:73 Reproducible: Always
Created attachment 283196 [details] [diff] [review] Patch to test the pointer before dereferencing it The `nodeset` variable is null if no `nodeset` attribute is specified, so we just bypass the assignment of `nodesetSize` (instead allowing it to remain 0).
This is probably a regressions from bug 391586. Merle can hopefully do the first review (use the 'Details' link on the attachment to set 'review ? email@example.com'). Btw, in the future, use also -p option of cvs diff.
I am not authorized to edit the bug to add myself as a reviewer. The error most likely is a regression from bug 391586 because I had to rearrange a lot of the code to get the in-scope evaluation context correct and apparently left out the check for a non-null nodeset. The patch is fine, so r=me.
checked into 1.8 branch via bug 410239.