Closed Bug 417266 Opened 16 years ago Closed 16 years ago

crash [@ nsEventReceiverSH::IsEventName]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9beta4

People

(Reporter: smaug, Assigned: jst)

References

Details

Attachments

(3 files)

another testcase
118 bytes, text/html
Details
Fix.
1.32 KB, patch
Details | Diff | Splinter Review
Fix (diff -w)
1.59 KB, patch
sicking
: review+
sicking
: superreview+
Details | Diff | Splinter Review 
The second testcase of bug 390813 crashes now [@ nsEventReceiverSH::IsEventName]

###!!! ASSERTION: Don't pass non-string jsval's here!: 'JSVAL_IS_STRING(id)', file /home/smaug/mozilla/mozilla_cvs/mozilla/dom/src/base/nsDOMClassInfo.h, line 360
#0  0x00000032d7097581 in nanosleep () from /lib64/libc.so.6
#1  0x00000032d70973a4 in sleep () from /lib64/libc.so.6
#2  0x00002aaaaaae5419 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:149
#3  0x00002aaaaaaf3df1 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216
#4  <signal handler called>
#5  JS_GetStringChars (str=0x0) at /home/smaug/mozilla/mozilla_cvs/mozilla/js/src/jsapi.c:5240
#6  0x00002aaab0e84fc3 in nsEventReceiverSH::IsEventName (id=3)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/dom/src/base/nsDOMClassInfo.h:362
#7  0x00002aaab0e7d252 in nsWindowSH::SetProperty (this=0x138c590, wrapper=0x1669350, cx=0x138ce60, obj=0x2aaabbb62880, 
    id=3, vp=0x7fff8e8f9158, _retval=0x7fff8e8f88f4)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/dom/src/base/nsDOMClassInfo.cpp:4606
#8  0x00002aaab0660aca in XPC_WN_Helper_SetProperty (cx=0x138ce60, obj=0x2aaabbb62880, idval=3, vp=0x7fff8e8f9158)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:962
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
Attached file another testcase 

    
    

    
  
The fix might be as simple as

-if (IsEventName(id)) {
+if (JSVAL_IS_STRING(id) && IsEventName(id)) {

(untested)
Keywords: assertion, 
          
            crash, 
          
            regression, 
          
            testcase

    
  
Assignee: nobody → jst
Component: XPConnect → DOM
Keywords: assertion, 
          
            crash, 
          
            regression, 
          
            testcase
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4

    
    

    
  
Basically, yes. Patch coming...

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix.Splinter Review
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix (diff -w)Splinter Review
      

    


  

        Attachment #303130 -
        Flags: superreview?(jonas)

        Attachment #303130 -
        Flags: review?(jonas)

        Attachment #303130 -
        Flags: superreview?(jonas)

        Attachment #303130 -
        Flags: superreview+

        Attachment #303130 -
        Flags: review?(jonas)

        Attachment #303130 -
        Flags: review+

    
    

    
  
Fix checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
  
Flags: in-testsuite?

    
    

    
  
verified fixed using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b4pre) Gecko/2008022704 Minefield/3.0b4pre. No crashes with either testcase noted in the bug.
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: