Closed Bug 421366 Opened 14 years ago Closed 14 years ago

crash when i make clic in one link... line 119: 9084 Segmentation fault [@ nsContentUtils::IsEventAttributeName]

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: mrwaltercool, Assigned: smaug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b4pre) Gecko/2008030300 (Gentoo) Firefox/3.0b4pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b4pre) Gecko/2008030300 (Gentoo) Firefox/3.0b4pre

/usr/libexec/mozilla-launcher: line 119:  9084 Segmentation fault      $(type -P aoss) "$mozbin" $xulparams "$@"
xulrunner-bin exited with non-zero status (139)

When I click on a link... Firefox closes itself with this error :S

Reproducible: Always

Steps to Reproduce:
1. Visit www.sii.cl
2. Click on a link

Actual Results:
Firefox closes itself

Expected Results:  
See other web

I'm using Gentoo with kernel 2.6.24-r3

XULRunner 1.9_pre20080228 from Mozilla svn
Firefox 20080303 from Mozilla svn

I can confirm this bug, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030715 Firefox/3.0b5pre.

Stack trace:
#0  0xb4b3d624 in nsContentUtils::IsEventAttributeName
      (aName=0x8b32080, aType=1)
    at mozilla/content/base/src/nsContentUtils.cpp:2857
#1  0xb4c3d9cb in nsGenericHTMLElement::AfterSetAttr
      (this=0x87606a0, aNamespaceID=0, aName=0x8b32080, aValue=0x0, aNotify=0)
    at mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1331
#2  0xb4b99602 in nsGenericElement::UnsetAttr
      (this=0x87606a0, aNameSpaceID=0, aName=0x8b32080, aNotify=0)
    at mozilla/content/base/src/nsGenericElement.cpp:4044
#3  0xb4c4156c in nsGenericHTMLElement::UnsetAttr
      (this=0x87606a0, aNameSpaceID=0, aAttribute=0x8b32080, aNotify=0)
    at mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1433
#4  0xb4cd35c5 in nsHTMLDocument::OpenCommon
      (this=0x85a3800, aContentType=@0xbf8d6dcc, aReplace=0)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2227
#5  0xb4cd3bd9 in nsHTMLDocument::Open
      (this=0x85a3800, aContentType=@0xbf8d6dcc, aReplace=0, aReturn=0xbf8d6dd8)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2342
#6  0xb4ccb033 in nsHTMLDocument::Open
      (this=0x85a3800)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2335
#7  0xb4cd1c1f in nsHTMLDocument::WriteCommon
      (this=0x85a3800, aText=@0xbf8d6e88, aNewlineTerminate=1)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2443
#8  0xb4cd21b0 in nsHTMLDocument::ScriptWriteCommon
      (this=0x85a3800, aNewlineTerminate=1)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2535
#9  0xb4cd235f in nsHTMLDocument::Writeln
      (this=0x85a3800)
    at mozilla/content/html/document/src/nsHTMLDocument.cpp:2569
...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: crash when i make clic in one link... line 119: 9084 Segmentation fault → crash when i make clic in one link... line 119: 9084 Segmentation fault [@ nsContentUtils::IsEventAttributeName]
Attached file testcase
The html-element in the testcase has an xml:lang attribute. FF does not crash without that attribute.
Keywords: crash, testcase
Strange... tested today and no problem... but yesterday I couldn't use the web :S Firefox closed itself

So... Solved for now...
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reopening, still crashes here with nightly builds newer than 2007120404.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → NEW
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Attached patch proposed patch
nsGenericElement::RemoveAttribute already keeps things alive.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #308327 - Flags: superreview?(peterv)
Attachment #308327 - Flags: review?(peterv)
Comment on attachment 308327 [details] [diff] [review]
proposed patch

Ugh, that's fragile :-/. I wonder if it wouldn't make more sense to make UnsetAttr keep the strong reference. There's only a couple of UnsetAttr implementations that would need to keep the atom alive (nsGenericElement and nsXULElement?).
Well, the patch makes callers follow the common XPCOM rule to keep objects alive.
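The lifetime question debated in the two review comments above, as an added model that is not the attached patch or any Mozilla code: `Atom`, `Element`, `ClearBorrowed`, `ClearHoldingRef` and the `probe` parameter are hypothetical names, and `std::shared_ptr` stands in for a strong reference to a refcounted atom. It contrasts a caller that borrows the attribute name from the storage being modified with a caller that holds its own reference across the call.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins: Atom models a refcounted attribute-name atom,
// shared_ptr a strong reference, Element the attribute storage.
struct Atom { std::string text; };
using AtomRef = std::shared_ptr<Atom>;

struct Element {
    std::vector<AtomRef> attrs;  // storage holds one strong reference per name
    int deadNameUses = 0;        // post-removal hook ran with a released name
    int eventNames = 0;          // names the hook could read and classify

    // aName is borrowed, like the raw aName argument in the stack trace.
    // probe only lets this model observe lifetime without touching freed memory.
    void UnsetAttr(const Atom* aName, const std::weak_ptr<Atom>& probe) {
        auto it = std::find_if(attrs.begin(), attrs.end(),
            [aName](const AtomRef& a) { return a.get() == aName; });
        if (it != attrs.end()) attrs.erase(it);  // drops the storage's reference
        // Post-removal hook (AfterSetAttr in the trace) inspects the name.
        if (probe.expired()) ++deadNameUses;     // real code would read freed memory
        else if (aName->text.rfind("on", 0) == 0) ++eventNames;  // stand-in check
    }
};

// Caller borrows the name straight from the storage it is about to mutate.
int ClearBorrowed(Element& el) {
    while (!el.attrs.empty()) {
        std::weak_ptr<Atom> probe = el.attrs.back();
        el.UnsetAttr(el.attrs.back().get(), probe);
    }
    return el.deadNameUses;
}
// Caller takes its own strong reference first, so the name outlives the call.
int ClearHoldingRef(Element& el) {
    while (!el.attrs.empty()) {
        AtomRef keepAlive = el.attrs.back();
        el.UnsetAttr(keepAlive.get(), keepAlive);
    }
    return el.deadNameUses;
}
Element MakeSample() {  // constructed sample input: two attributes
    Element el;
    el.attrs = {std::make_shared<Atom>(Atom{"xml:lang"}),
                std::make_shared<Atom>(Atom{"onclick"})};
    return el;
}
int main() {
    Element a = MakeSample(), b = MakeSample();
    return (ClearBorrowed(a) == 2 && ClearHoldingRef(b) == 0) ? 0 : 1;
}
```

With an intrusive reference count, the alternative raised in review would take the same `keepAlive` reference inside `UnsetAttr` itself, so that no caller can forget it.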
Attachment #308327 - Flags: superreview?(peterv)
Attachment #308327 - Flags: superreview+
Attachment #308327 - Flags: review?(peterv)
Attachment #308327 - Flags: review+
Attachment #308327 - Flags: approval1.9?
Flags: wanted1.8.1.x?
Attachment #308327 - Flags: approval1.9? → approval1.9+
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Keywords: checkin-needed
Flags: wanted1.8.1.x?
Crash Signature: [@ nsContentUtils::IsEventAttributeName]
Component: DOM → DOM: Core & HTML