The default bug view has changed. See this FAQ.

Insert with no `nodeset` declaration causes crash

RESOLVED FIXED

Status

Core Graveyard
XForms
RESOLVED FIXED
10 years ago
9 months ago

People

(Reporter: John L. Clark, Assigned: John L. Clark)

Tracking

({fixed1.8.1.12})

Trunk
x86
Linux
fixed1.8.1.12
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007100210 Minefield/3.0a9pre
Build Identifier: CVS HEAD, 2007-10-02T10:30:00-04:00

In some cases, inserting a node with no `nodeset` attribute specified will cause the browser to crash with the following (partial) backtrace:

0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb733de66 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2  0xb733dc8f in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7ec26d9 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:149
#4  0xb7edb854 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0xb4ad27c6 in nsXFormsInsertDeleteElement::HandleAction (this=0x9599ba8, aEvent=0x9ae5d78,
    aParentAction=0x9599a94)
    at /home/john/development/mozilla/extensions/xforms/nsXFormsInsertDeleteElement.cpp:243
#7  0xb7d16c41 in NS_InvokeByIndex_P ()
    at /home/john/development/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfo.cpp:73

Reproducible: Always
(Assignee)

Comment 1

10 years ago
Created attachment 283196 [details] [diff] [review]
Patch to test the pointer before dereferencing it

The `nodeset` variable is null if no `nodeset` attribute is specified, so we just bypass the assignment of `nodesetSize` (instead allowing it to remain 0).
(Assignee)

Updated

10 years ago
Version: unspecified → Trunk
This is probably a regressions from bug 391586.
Merle can hopefully do the first review (use the 'Details' link on the 
attachment to set 'review ? msterlin@us.ibm.com').
Btw, in the future, use also -p option of cvs diff.
Depends on: 391586

Comment 3

10 years ago
I am not authorized to edit the bug to add myself as a reviewer.

The error most likely is a regression from bug 391586 because I had to rearrange a lot of the code to get the in-scope evaluation context correct and apparently left out the check for a non-null nodeset. The patch is fine, so r=me.

 

Attachment #283196 - Flags: review+
Assignee: nobody → jlc6
Checked in
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Updated

10 years ago
Whiteboard: xf-to-branch

Updated

9 years ago
Blocks: 410239

Comment 5

9 years ago
checked into 1.8 branch via bug 410239.
Keywords: fixed1.8.1.12
Whiteboard: xf-to-branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.