Closed
Bug 431703
Opened 17 years ago
Closed 17 years ago
Crash [@ nsXMLContentSink::HandleEndElement] setting innerHTML with SVG, onload
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla1.9
People
(Reporter: jruderman, Assigned: longsonr)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
|
241 bytes,
application/xhtml+xml
|
Details | |
|
1020 bytes,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
beltzner
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase makes Firefox crash with a null mDocument at nsXMLContentSink::HandleEndElement:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xml/document/src/nsXMLContentSink.cpp&rev=1.442&mark=1172#1157
Based on code inspection, I think this is a regression from bug 380417.
|
||
Comment 1•17 years ago
|
||
Doubt it. The code dereferenced mDocument before as well, and nsXMLFragmentContentSink simply never calls Init() and hence never sets mDocument as far as I can tell. So any use of mDocument in the XML sink that doesn't null-check it would crash in innerHTML sets if it gets hit.
This code just needs a null-check, and has all along.
|
Reporter | |
Comment 2•17 years ago
|
||
You're right. Sorry for blaming you incorrectly.
Keywords: regression
|
Assignee | |
Comment 3•17 years ago
|
||
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #318988 -
Flags: superreview?(bzbarsky)
Attachment #318988 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•17 years ago
|
OS: Mac OS X → All
Hardware: PC → All
|
|
||
Comment 4•17 years ago
|
||
Comment on attachment 318988 [details] [diff] [review]
null check
Makes sense. I doubt anyone expects this event to fire inside innerHTML sets.
Attachment #318988 -
Flags: superreview?(bzbarsky)
Attachment #318988 -
Flags: superreview+
Attachment #318988 -
Flags: review?(bzbarsky)
Attachment #318988 -
Flags: review+
|
|
Assignee | |
Comment 5•17 years ago
|
||
Comment on attachment 318988 [details] [diff] [review]
null check
Simple null check to prevent null dereference crash.
Attachment #318988 -
Flags: approval1.9?
|
|
Assignee | |
Updated•17 years ago
|
Whiteboard: [needs approval][needs landing]
|
||
Comment 6•17 years ago
|
||
Comment on attachment 318988 [details] [diff] [review]
null check
a1.9=beltzner
Attachment #318988 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Updated•17 years ago
|
Whiteboard: [needs approval][needs landing] → checkin-wanted
|
||
Comment 7•17 years ago
|
||
It's "checkin-needed", and it's a keyword, not a status whiteboard note. :)
Keywords: checkin-needed
Whiteboard: checkin-wanted
|
|
||
Comment 8•17 years ago
|
||
Checking in content/xml/document/src/nsXMLContentSink.cpp;
/cvsroot/mozilla/content/xml/document/src/nsXMLContentSink.cpp,v <-- nsXMLContentSink.cpp
new revision: 1.443; previous revision: 1.442
done
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9
|
|
Reporter | |
Comment 10•16 years ago
|
||
Added crashtest:
http://hg.mozilla.org/mozilla-central/rev/63120a5301f2
Flags: in-testsuite? → in-testsuite+
|
||
Updated•14 years ago
|
Crash Signature: [@ nsXMLContentSink::HandleEndElement]
You need to log in
before you can comment on or make changes to this bug.
Description
•