Accessing rootless document crashes browser.

VERIFIED FIXED

Status


Core
XML
P3
normal
VERIFIED FIXED
18 years ago
9 years ago

People

(Reporter: Taras Tielkes, Assigned: Nisheeth Ranjan)

Tracking

({crash, testcase})

Trunk
x86
Windows NT
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
I don't know what the current stance is about "always-well-formed" documents.

The 18 June nightly build lets me create empty documents (using DOM2 
createDocument()).

Inserting a node into the document will produce a crash. See commented line in 
attached HTML file.
(Reporter)

Comment 1

18 years ago
Created attachment 10369 [details]
Simple testcase that will crash my 18 June nightly build on WinNT
(Reporter)

Updated

18 years ago
Keywords: crash, testcase
(Reporter)

Comment 2

18 years ago
Correction:

The code in the testcase tries to access the (non-existent) firstChild property 
of an empty document. The bug description is still valid. 

Comment 3

18 years ago
Patch to prevent the crash here and at other places where we assume that 
there's always a document element:

Index: nsDocument.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/base/src/nsDocument.cpp,v
retrieving revision 3.226
diff -u -r3.226 nsDocument.cpp
--- nsDocument.cpp      2000/06/17 01:46:53     3.226
+++ nsDocument.cpp      2000/06/19 20:11:33
@@ -2522,6 +2522,7 @@
 {
   nsresult result = NS_OK;

+  *aFirstChild = nsnull;
   if ((nsnull != mProlog) && (0 != mProlog->Count())) {
     nsIContent* content;
     content = (nsIContent *)mProlog->ElementAt(0);
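
Review bot: The added `*aFirstChild = nsnull;` at the top of the function dereferences the out-parameter unconditionally, so a caller passing a null pointer now faults on this line before any other work is done. If a null argument is possible here, check `aFirstChild` first and return NS_ERROR_NULL_POINTER; otherwise a one-line comment stating that the caller must supply a valid pointer would document the assumption.
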
@@ -2533,7 +2534,7 @@
   else {
     nsIDOMElement* element;
     result = GetDocumentElement(&element);
-    if (NS_OK == result) {
+    if ((NS_OK == result) && element) {
       result = element->QueryInterface(NS_GET_IID(nsIDOMNode), (void**)aFirstCh
ild);
       NS_RELEASE(element);
     }
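
Review bot: The new `&& element` test in the else branch is only meaningful if `GetDocumentElement` always writes to its out-parameter, because `nsIDOMElement* element;` is declared without an initializer. If that call can return NS_OK without touching the pointer, the check reads an indeterminate value; declaring it as `nsIDOMElement* element = nsnull;` removes the dependency. As a style point, `NS_OK == result` could become `NS_SUCCEEDED(result)` to match the last hunk of this patch.
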
@@ -2557,7 +2558,7 @@
   else {
     nsIDOMElement* element;
     result = GetDocumentElement(&element);
-    if (NS_OK == result) {
+    if ((NS_OK == result) && element) {
       result = element->QueryInterface(NS_GET_IID(nsIDOMNode), (void**)aLastChi
ld);
       NS_RELEASE(element);
     }
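
Review bot: On the path where `element` is null in this else branch, nothing visible in the patch assigns `*aLastChild`, whereas the first hunk adds `*aFirstChild = nsnull;` for the first-child case. Unless this function already clears its out-parameter above the lines shown, add `*aLastChild = nsnull;` at its start so a rootless document returns a null last child rather than whatever the caller's variable held. The uninitialized `nsIDOMElement* element;` declaration has the same dependency on `GetDocumentElement` as in the previous hunk.
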
@@ -3393,7 +3394,7 @@
     }
     if (!rootElement)
       result=GetDocumentElement(getter_AddRefs(rootElement));
-    if (NS_SUCCEEDED(result))
+    if (NS_SUCCEEDED(result) && rootElement)
     {
   #if 1
       result=ToXIF(converter,rootElement);
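
Review bot: With `&& rootElement` added to the `NS_SUCCEEDED(result)` test, a document without a root element now skips the `ToXIF(converter,rootElement)` block and leaves `result` as success, with no indication in the code of what output is intended in that case. A short comment stating that an empty document is expected to produce no converted content (or an explicit else branch, if some output is required) would make the behaviour deliberate rather than incidental.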

Comment 4

18 years ago
Fixed on 6/20/2000 along with other document cleanup for nsbeta2.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 5

18 years ago
Fixed in the July 6 build.
Status: RESOLVED → VERIFIED

Comment 6

9 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+