Closed Bug 43040 Opened 24 years ago Closed 24 years ago

Accessing rootless document crashes browser.

Categories

(Core :: XML, defect, P3)

Product:
Core
Component:
XML
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: taras.tielkes, Assigned: nisheeth_mozilla)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Simple testcase that will crash my 18 june nightly build on WinNT
481 bytes, text/html
Details 
I don't know what the current stance is about "always-well-formed" documents.

The 18 June nightly build lets me create empty documents (using DOM2 
createDocument()).

Inserting a node into the document will produce a crash. See commented line in 
attached HTML file.
Keywords: crash, testcase
Correction:

The code in the testcase tries to access the (non-existant) firstChild property 
of an empty document. The bug description is still valid. 
Patch to prevent the crash here and at other places where we assume that 
there's always document element:

Index: nsDocument.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/base/src/nsDocument.cpp,v
retrieving revision 3.226
diff -u -r3.226 nsDocument.cpp
--- nsDocument.cpp      2000/06/17 01:46:53     3.226
+++ nsDocument.cpp      2000/06/19 20:11:33
@@ -2522,6 +2522,7 @@
 {
   nsresult result = NS_OK;

+  *aFirstChild = nsnull;
   if ((nsnull != mProlog) && (0 != mProlog->Count())) {
     nsIContent* content;
     content = (nsIContent *)mProlog->ElementAt(0);
@@ -2533,7 +2534,7 @@
   else {
     nsIDOMElement* element;
     result = GetDocumentElement(&element);
-    if (NS_OK == result) {
+    if ((NS_OK == result) && element) {
       result = element->QueryInterface(NS_GET_IID(nsIDOMNode), (void**)aFirstCh
ild);
       NS_RELEASE(element);
     }
@@ -2557,7 +2558,7 @@
   else {
     nsIDOMElement* element;
     result = GetDocumentElement(&element);
-    if (NS_OK == result) {
+    if ((NS_OK == result) && element) {
       result = element->QueryInterface(NS_GET_IID(nsIDOMNode), (void**)aLastChi
ld);
       NS_RELEASE(element);
     }
@@ -3393,7 +3394,7 @@
     }
     if (!rootElement)
       result=GetDocumentElement(getter_AddRefs(rootElement));
-    if (NS_SUCCEEDED(result))
+    if (NS_SUCCEEDED(result) && rootElement)
     {
   #if 1
       result=ToXIF(converter,rootElement);
Fixed on 6/20/2000 along with other document cleanup for nsbeta2.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Fixed in the July 6 build.
Status: RESOLVED → VERIFIED
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: