User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007100210 Minefield/3.0a9pre
Build Identifier: CVS HEAD, 2007-10-02T10:30:00-04:00
In some cases, inserting a node with no `nodeset` attribute specified will cause the browser to crash with the following (partial) backtrace:
0xffffe410 in __kernel_vsyscall ()
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb733de66 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2 0xb733dc8f in sleep () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7ec26d9 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:149
#4 0xb7edb854 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210
#5 <signal handler called>
#6 0xb4ad27c6 in nsXFormsInsertDeleteElement::HandleAction (this=0x9599ba8, aEvent=0x9ae5d78,
#7 0xb7d16c41 in NS_InvokeByIndex_P ()
Created attachment 283196 [details] [diff] [review]
Patch to test the pointer before dereferencing it
The `nodeset` variable is null if no `nodeset` attribute is specified, so we just bypass the assignment of `nodesetSize` (instead allowing it to remain 0).
This is probably a regressions from bug 391586.
Merle can hopefully do the first review (use the 'Details' link on the
attachment to set 'review ? email@example.com').
Btw, in the future, use also -p option of cvs diff.
I am not authorized to edit the bug to add myself as a reviewer.
The error most likely is a regression from bug 391586 because I had to rearrange a lot of the code to get the in-scope evaluation context correct and apparently left out the check for a non-null nodeset. The patch is fine, so r=me.
checked into 1.8 branch via bug 410239.