Closed Bug 431128 Opened 16 years ago Closed 16 years ago

Crash [@ nsIContent::NodeInfo] with observes onbroadcast and persist

Categories

(Core :: XUL, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse] null deref)

Attachments

(1 file)

436 bytes, application/vnd.mozilla.xul+xml
Attached file testcase
See testcase, which crashes current trunk build, but also branch builds and even Mozilla1.7, so marking security sensitive.

http://crash-stats.mozilla.com/report/pending/3e702ce1-1512-11dd-baf7-0013211cbf8a
(Breakpad seems down atm)

Stack from debug build:
>	gklayout.dll!nsCOMPtr<nsINodeInfo>::get_DerivedSafe()  Line 931 + 0x3 bytes	C++
 	gklayout.dll!nsCOMPtr<nsINodeInfo>::operator nsDerivedSafe<nsINodeInfo> *()  Line 863	C++
 	gklayout.dll!nsIContent::NodeInfo()  Line 217	C++
 	gklayout.dll!nsXULDocument::ExecuteOnBroadcastHandlerFor(nsIContent * aBroadcaster=0x06ae60f0, nsIDOMElement * aListener=0x05750c54, nsIAtom * aAttr=0x0420ac48)  Line 876 + 0x14 bytes	C++
 	gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x0543d890, nsIContent * aElement=0x06ae60f0, int aNameSpaceID=0, nsIAtom * aAttribute=0x0420ac48, int aModType=2, unsigned int aStateMask=0)  Line 984	C++
 	gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x06ae60f0, int aNameSpaceID=0, nsIAtom * aAttribute=0x0420ac48, int aModType=2, unsigned int aStateMask=0)  Line 109 + 0xf3 bytes	C++
 	gklayout.dll!nsGenericElement::SetAttrAndNotify(int aNamespaceID=0, nsIAtom * aName=0x0420ac48, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aOldValue={...}, nsAttrValue & aParsedValue={...}, int aModification=0, int aFireMutation=0, int aNotify=1)  Line 3797 + 0x1d bytes	C++
 	gklayout.dll!nsGenericElement::SetAttr(int aNamespaceID=0, nsIAtom * aName=0x0420ac48, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aValue={...}, int aNotify=1)  Line 3725 + 0x34 bytes	C++
 	gklayout.dll!nsIContent::SetAttr(int aNameSpaceID=0, nsIAtom * aName=0x0420ac48, const nsAString_internal & aValue={...}, int aNotify=1)  Line 255	C++
 	gklayout.dll!nsXULDocument::ApplyPersistentAttributesToElements(nsIRDFResource * aResource=0x063278a8, nsCOMArray<nsIContent> & aElements={...})  Line 2195 + 0x20 bytes	C++
 	gklayout.dll!nsXULDocument::ApplyPersistentAttributes()  Line 2122	C++
 	gklayout.dll!nsXULDocument::ResumeWalk()  Line 3032 + 0xb bytes	C++
 	gklayout.dll!nsXULDocument::OnPrototypeLoadDone(int aResumeWalk=1)  Line 610 + 0xe bytes	C++
 	gklayout.dll!nsXULDocument::EndLoad()  Line 594	C++
 	gklayout.dll!XULContentSinkImpl::DidBuildModel()  Line 292	C++
 	gkparser.dll!nsExpatDriver::DidBuildModel(unsigned int anErrorCode=0, int aNotifySink=1, nsIParser * aParser=0x055054b0, nsIContentSink * aSink=0x062c1a78)  Line 1308 + 0xe bytes	C++
 	gkparser.dll!nsParser::DidBuildModel(unsigned int anErrorCode=0)  Line 1004 + 0x35 bytes	C++
 	gkparser.dll!nsParser::ResumeParse(int allowIteration=1, int aIsFinalChunk=1, int aCanInterrupt=1)  Line 1707	C++
 	gkparser.dll!nsParser::OnStopRequest(nsIRequest * request=0x056f0c68, nsISupports * aContext=0x00000000, unsigned int status=0)  Line 2331 + 0x17 bytes	C++
 	docshell.dll!nsDocumentOpenInfo::OnStopRequest(nsIRequest * request=0x056f0c68, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0)  Line 324	C++
 	necko.dll!nsBaseChannel::OnStopRequest(nsIRequest * request=0x06ae1778, nsISupports * ctxt=0x00000000, unsigned int status=0)  Line 623	C++
 	necko.dll!nsInputStreamPump::OnStateStop()  Line 577	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x04190148)  Line 401 + 0xb bytes	C++
 	xpcom_core.dll!nsInputStreamReadyEvent::Run()  Line 112	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012f848)  Line 511	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x012b4020, int mayWait=1)  Line 227 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 170 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 181 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=1, char * * argv=0x003ff750, const nsXREAppData * aAppData=0x003ffdf8)  Line 3170 + 0x25 bytes	C++
 	firefox.exe!NS_internal_main(int argc=1, char * * argv=0x003ff750)  Line 158 + 0x12 bytes	C++
 	firefox.exe!wmain(int argc=1, unsigned short * * argv=0x003fa060)  Line 87 + 0xd bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 583 + 0x19 bytes	C
 	firefox.exe!wmainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
Depends on: 395671
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Still crashing, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Looks like a null deref to me.
Flags: wanted1.8.1.x+
Whiteboard: [sg:nse] null deref
This seems to be worksforme in current trunk build.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsIContent::NodeInfo]
Group: core-security → core-security-release
Group: core-security-release