Closed Bug 468210 Opened 16 years ago Closed 16 years ago

[FIX]Crash [@ nsHTMLDocument::MatchAnchors] with XBL

Categories: Core :: XBL, defect

Hardware: All
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Status: VERIFIED FIXED
Target Milestone: mozilla1.9.2a1

People

(Reporter: jruderman, Assigned: bzbarsky)


MatchAnchors complains about two assertion failures, then dereferences null.

###!!! ASSERTION: This method should never be called on content nodes that are not in a document!: 'aContent->IsInDoc()', file /Users/jruderman/central/content/html/document/src/nsHTMLDocument.cpp, line 1675

###!!! ASSERTION: Huh, how did this happen? This should only be used with HTML documents!: 'htmldoc', file /Users/jruderman/central/content/html/document/src/nsHTMLDocument.cpp, line 1682
Attached patch: Proposed fix
Similar to bug 406900.  In this case we null out the binding parent of the anon content but not its content parent, which makes it think it's in the non-anonymous DOM, and then things go bad.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #352062 - Flags: superreview?(jonas)
Attachment #352062 - Flags: review?(jonas)
Summary: Crash [@ nsHTMLDocument::MatchAnchors] with XBL → [FIX]Crash [@ nsHTMLDocument::MatchAnchors] with XBL
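The failure mode described in the comment above (binding parent cleared on teardown, content parent left set, so the node passes for ordinary in-tree content and a matcher that expects an in-document node dereferences a null document) modelled as an added toy example. This is not Gecko's code; Node, Document, UnbindAnonymousBuggy, UnbindAnonymousFixed, MatchAnchors and TeardownIsConsistent are names assumed for the illustration, and the null dereference is reported as a result code instead of crashing.

```cpp
// Added toy model of the XBL teardown inconsistency; not Gecko code.
#include <cassert>
#include <cstdio>
#include <string>

struct Document {
    bool isHtml;  // the matcher only makes sense for HTML documents
};

struct Node {
    std::string tag;
    bool hasName = false;           // stands in for an <a name="..."> attribute
    Node* parent = nullptr;         // content parent
    Node* bindingParent = nullptr;  // XBL binding parent; non-null means anonymous
    Document* doc = nullptr;        // document the node is bound to, null once unbound

    bool IsInDoc() const { return doc != nullptr; }
    bool IsAnonymous() const { return bindingParent != nullptr; }
};

// Buggy teardown (assumed shape): clears the binding parent but leaves the
// content parent set, so the node now looks like non-anonymous in-tree content.
void UnbindAnonymousBuggy(Node& n) {
    n.bindingParent = nullptr;
    n.doc = nullptr;
}

// Fixed teardown (assumed shape): the content parent is cleared together with
// the binding parent, so the node is consistently "not in the tree".
void UnbindAnonymousFixed(Node& n) {
    n.bindingParent = nullptr;
    n.parent = nullptr;
    n.doc = nullptr;
}

// kNullDocument is where the real matcher would dereference a null document.
enum MatchResult { kNoMatch = 0, kMatch = 1, kNullDocument = -1 };

// Model of a document.anchors matcher that is only meant to run on content
// still in a document. It relies on "has a parent => is in a document".
MatchResult MatchAnchors(const Node& n) {
    if (n.IsAnonymous()) return kNoMatch;        // anonymous content is skipped
    if (n.parent != nullptr && !n.IsInDoc()) {
        return kNullDocument;                    // real code: null deref here
    }
    if (!n.IsInDoc() || !n.doc->isHtml) return kNoMatch;
    return (n.tag == "a" && n.hasName) ? kMatch : kNoMatch;
}

// Invariant a debug build could assert after unbinding: a node that is no
// longer in a document must not keep a content parent pointer.
bool TeardownIsConsistent(const Node& n) {
    return n.IsInDoc() || n.parent == nullptr;
}

struct ScenarioOutcome {
    MatchResult match;
    bool consistent;
};

// Scenario from the bug: anonymous <a name> content under a host element is
// unbound with one of the two teardowns, then the matcher visits it.
ScenarioOutcome RunScenario(bool useFixedTeardown) {
    Document htmlDoc{true};
    Node host;
    host.tag = "div";
    host.doc = &htmlDoc;
    Node anon;
    anon.tag = "a";
    anon.hasName = true;
    anon.parent = &host;
    anon.bindingParent = &host;
    anon.doc = &htmlDoc;

    if (useFixedTeardown) UnbindAnonymousFixed(anon);
    else UnbindAnonymousBuggy(anon);
    return {MatchAnchors(anon), TeardownIsConsistent(anon)};
}

int main() {
    ScenarioOutcome buggy = RunScenario(false);
    ScenarioOutcome fixed = RunScenario(true);
    std::printf("buggy teardown: match=%d consistent=%d\n", buggy.match, buggy.consistent);
    std::printf("fixed teardown: match=%d consistent=%d\n", fixed.match, fixed.consistent);
    return 0;
}
```

The point of the invariant check is that the crash site is far from the teardown that caused it; asserting "no document implies no parent" at unbind time surfaces the inconsistency where it is introduced rather than in whichever traversal happens to visit the stale node first.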
Comment on attachment 352062 [details] [diff] [review]
Proposed fix

Nice, I suspect this was the originally intended behavior with the existing |UnbindFromTree| call. I wonder if that is needed at all any more...
Attachment #352062 - Flags: superreview?(jonas)
Attachment #352062 - Flags: superreview+
Attachment #352062 - Flags: review?(jonas)
Attachment #352062 - Flags: review+
Pushed http://hg.mozilla.org/mozilla-central/rev/54aad068c46c
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 352062 [details] [diff] [review]
Proposed fix

I think we should take this on branches.
Attachment #352062 - Flags: approval1.9.1?
Attachment #352062 - Flags: approval1.9.0.6?
Whiteboard: [needs 1.9.1 approval and landing]
Comment on attachment 352062 [details] [diff] [review]
Proposed fix

a191=beltzner
Attachment #352062 - Flags: approval1.9.1? → approval1.9.1+
Pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6fb499641030
Keywords: fixed1.9.1
Whiteboard: [needs 1.9.1 approval and landing]
Comment on attachment 352062 [details] [diff] [review]
Proposed fix

Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #352062 - Flags: approval1.9.0.6? → approval1.9.0.6+
Fixed on 1.9.0.6.
Keywords: fixed1.9.0.6
Running the attached testcase on 3.0.5 on OS X, I get no crash. Is this a crash in debug builds only?
No, since it's a null-pointer dereference.  But the behavior will be gc-dependent and such, so if there was a change to that or to XBL unbinding since 1.9.0 it might require a slightly different testcase to trigger there.
Yeah, it doesn't work on OS X and I checked on Linux too, just because.
Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090115 Shiretoko/3.1b3pr.
Verified with:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre ID:20090122020333

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Status: RESOLVED → VERIFIED
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ nsHTMLDocument::MatchAnchors]