Bug 431128: Crash [@ nsIContent::NodeInfo] with observes onbroadcast and persist
Status: RESOLVED WORKSFORME (Opened 16 years ago, Closed 16 years ago)
Categories: Core :: XUL, defect
People: Reporter: martijn.martijn, Unassigned
Keywords: crash, testcase
Whiteboard: [sg:nse] null deref
Attachments: 1 file (436 bytes, application/vnd.mozilla.xul+xml)
See testcase, which crashes current trunk build, but also branch builds and even Mozilla1.7, so marking security sensitive.

http://crash-stats.mozilla.com/report/pending/3e702ce1-1512-11dd-baf7-0013211cbf8a
(Breakpad seems down atm)

Stack from debug build:

> gklayout.dll!nsCOMPtr<nsINodeInfo>::get_DerivedSafe() Line 931 + 0x3 bytes C++
  gklayout.dll!nsCOMPtr<nsINodeInfo>::operator nsDerivedSafe<nsINodeInfo> *() Line 863 C++
  gklayout.dll!nsIContent::NodeInfo() Line 217 C++
  gklayout.dll!nsXULDocument::ExecuteOnBroadcastHandlerFor(nsIContent * aBroadcaster=0x06ae60f0, nsIDOMElement * aListener=0x05750c54, nsIAtom * aAttr=0x0420ac48) Line 876 + 0x14 bytes C++
  gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x0543d890, nsIContent * aElement=0x06ae60f0, int aNameSpaceID=0, nsIAtom * aAttribute=0x0420ac48, int aModType=2, unsigned int aStateMask=0) Line 984 C++
  gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x06ae60f0, int aNameSpaceID=0, nsIAtom * aAttribute=0x0420ac48, int aModType=2, unsigned int aStateMask=0) Line 109 + 0xf3 bytes C++
  gklayout.dll!nsGenericElement::SetAttrAndNotify(int aNamespaceID=0, nsIAtom * aName=0x0420ac48, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aOldValue={...}, nsAttrValue & aParsedValue={...}, int aModification=0, int aFireMutation=0, int aNotify=1) Line 3797 + 0x1d bytes C++
  gklayout.dll!nsGenericElement::SetAttr(int aNamespaceID=0, nsIAtom * aName=0x0420ac48, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aValue={...}, int aNotify=1) Line 3725 + 0x34 bytes C++
  gklayout.dll!nsIContent::SetAttr(int aNameSpaceID=0, nsIAtom * aName=0x0420ac48, const nsAString_internal & aValue={...}, int aNotify=1) Line 255 C++
  gklayout.dll!nsXULDocument::ApplyPersistentAttributesToElements(nsIRDFResource * aResource=0x063278a8, nsCOMArray<nsIContent> & aElements={...}) Line 2195 + 0x20 bytes C++
  gklayout.dll!nsXULDocument::ApplyPersistentAttributes() Line 2122 C++
  gklayout.dll!nsXULDocument::ResumeWalk() Line 3032 + 0xb bytes C++
  gklayout.dll!nsXULDocument::OnPrototypeLoadDone(int aResumeWalk=1) Line 610 + 0xe bytes C++
  gklayout.dll!nsXULDocument::EndLoad() Line 594 C++
  gklayout.dll!XULContentSinkImpl::DidBuildModel() Line 292 C++
  gkparser.dll!nsExpatDriver::DidBuildModel(unsigned int anErrorCode=0, int aNotifySink=1, nsIParser * aParser=0x055054b0, nsIContentSink * aSink=0x062c1a78) Line 1308 + 0xe bytes C++
  gkparser.dll!nsParser::DidBuildModel(unsigned int anErrorCode=0) Line 1004 + 0x35 bytes C++
  gkparser.dll!nsParser::ResumeParse(int allowIteration=1, int aIsFinalChunk=1, int aCanInterrupt=1) Line 1707 C++
  gkparser.dll!nsParser::OnStopRequest(nsIRequest * request=0x056f0c68, nsISupports * aContext=0x00000000, unsigned int status=0) Line 2331 + 0x17 bytes C++
  docshell.dll!nsDocumentOpenInfo::OnStopRequest(nsIRequest * request=0x056f0c68, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0) Line 324 C++
  necko.dll!nsBaseChannel::OnStopRequest(nsIRequest * request=0x06ae1778, nsISupports * ctxt=0x00000000, unsigned int status=0) Line 623 C++
  necko.dll!nsInputStreamPump::OnStateStop() Line 577 C++
  necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x04190148) Line 401 + 0xb bytes C++
  xpcom_core.dll!nsInputStreamReadyEvent::Run() Line 112 C++
  xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012f848) Line 511 C++
  xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x012b4020, int mayWait=1) Line 227 + 0x16 bytes C++
  gkwidget.dll!nsBaseAppShell::Run() Line 170 + 0xc bytes C++
  tkitcmps.dll!nsAppStartup::Run() Line 181 + 0x1c bytes C++
  xul.dll!XRE_main(int argc=1, char * * argv=0x003ff750, const nsXREAppData * aAppData=0x003ffdf8) Line 3170 + 0x25 bytes C++
  firefox.exe!NS_internal_main(int argc=1, char * * argv=0x003ff750) Line 158 + 0x12 bytes C++
  firefox.exe!wmain(int argc=1, unsigned short * * argv=0x003fa060) Line 87 + 0xd bytes C++
  firefox.exe!__tmainCRTStartup() Line 583 + 0x19 bytes C
  firefox.exe!wmainCRTStartup() Line 403 C
  kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Comment 1 • 16 years ago (Reporter)
Still crashing, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Comment 2 • 16 years ago
Looks like a null deref to me.
Flags: wanted1.8.1.x+
Whiteboard: [sg:nse] null deref
Comment 3 • 16 years ago (Reporter)
This seems to be worksforme in current trunk build.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Updated • 13 years ago (Assignee)
Crash Signature: [@ nsIContent::NodeInfo]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release