ContentSupportMap::Remove tries to remove null element, crashes instead

VERIFIED DUPLICATE of bug 50554

Status

()

Core
XUL
P3
normal
VERIFIED DUPLICATE of bug 50554
18 years ago
10 years ago

People

(Reporter: Robert Ginda, Assigned: Chris Waterson)

Tracking

({crash})

Trunk
Future
x86
Linux
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3-])

(Reporter)

Description

18 years ago
To reproduce,
1. start chatzilla
2. type /nick foo
3. type /attach moznet
4. type /join bar

you'll probably see these asserts...
###!!! ASSERTION: element not in tree: 'mDocument != nsnull', file nsXULElement.
cpp, line 3539
###!!! Break: at file nsXULElement.cpp, line 3539
###!!! ASSERTION: element not in tree: 'mDocument != nsnull', file nsXULElement.
cpp, line 3539
###!!! Break: at file nsXULElement.cpp, line 3539

followed by a crash with the following trace...


#0  0x4081b5a6 in ContentSupportMap::Remove (this=0x8a1e200, aElement=0x0)
    at nsXULTemplateBuilder.cpp:2469
#1  0x4081b65a in ContentSupportMap::Remove (this=0x8a1e200, 
    aElement=0x8b306b8) at nsXULTemplateBuilder.cpp:2476
#2  0x4082a3ae in nsXULTemplateBuilder::RemoveGeneratedContent (
    this=0x8a1dfe8, aElement=0x8a1d210) at nsXULTemplateBuilder.cpp:6264
#3  0x40821960 in nsXULTemplateBuilder::RebuildContainerInternal (
    this=0x8a1dfe8, aElement=0x8a1d210, aRecompileRules=0)
    at nsXULTemplateBuilder.cpp:4438
#4  0x4082190f in nsXULTemplateBuilder::RebuildContainer (this=0x8a1dfe8, 
    aElement=0x8a1d210) at nsXULTemplateBuilder.cpp:4427
#5  0x407ee4d9 in nsXULDocument::RebuildWidgetItem (this=0x8923ad8, 
    aElement=0x8a1d210) at nsXULDocument.cpp:4595
#6  0x407e264a in nsXULDocument::AttributeChanged (this=0x8923ad8, 
    aElement=0x8a1d210, aNameSpaceID=0, aAttribute=0x82680e0, aHint=-1)
    at nsXULDocument.cpp:1656
#7  0x407c7c55 in nsXULElement::SetAttribute (this=0x8a1d210, aNameSpaceID=0, 
    aName=0x82680e0, aValue=@0xbfffe4cc, aNotify=1) at nsXULElement.cpp:2809
#8  0x407c0c3e in nsXULElement::SetAttribute (this=0x8a1d210, 
    aName=@0xbfffe564, aValue=@0xbfffe4cc) at nsXULElement.cpp:1234
#9  0x4083596b in nsXULTreeElement::SetAttribute (this=0x89b8458, 
    aName=@0xbfffe564, aValue=@0xbfffe4cc) at nsXULTreeElement.h:54
#10 0x4051a5bf in ElementSetAttribute (cx=0x891f900, obj=0x8a295f0, argc=2, 
    argv=0x8b23354, rval=0xbfffe6c0) at nsJSElement.cpp:239
#11 0x401ecbfc in js_Invoke (cx=0x891f900, argc=2, flags=0) at jsinterp.c:716
#12 0x401f7cd8 in js_Interpret (cx=0x891f900, result=0xbffff1c0)
    at jsinterp.c:2517
#13 0x401ed1a5 in js_Execute (cx=0x891f900, chain=0x88f0798, script=0x8ab2988, 
    fun=0x0, down=0x0, special=0, result=0xbffff1c0) at jsinterp.c:887
#14 0x401c58b2 in JS_EvaluateUCScriptForPrincipals (cx=0x891f900, 
    obj=0x88f0798, principals=0x81e50dc, chars=0xbffff388, length=10, 
    filename=0x8b2c820 "chrome://chatzilla/content/static.js", lineno=322, 
    rval=0xbffff1c0) at jsapi.c:2770
#15 0x404d5319 in nsJSContext::EvaluateString (this=0x891f8c8, 
    aScript=@0xbffff370, aScopeObject=0x88f0798, aPrincipal=0x81e50d8, 
    aURL=0x8b2c820 "chrome://chatzilla/content/static.js", aLineNo=322, 
    aVersion=0x40237c98 "default", aRetValue=@0xbffff2d8, 
    aIsUndefined=0xbffff2d4) at nsJSEnvironment.cpp:525
#16 0x404f6351 in GlobalWindowImpl::RunTimeout (this=0x891f7f0, 
    aTimeout=0x8ae58d0) at nsGlobalWindow.cpp:3653
#17 0x404f6f53 in nsGlobalWindow_RunTimeout (aTimer=0x8b2c850, 
    aClosure=0x8ae58d0) at nsGlobalWindow.cpp:3918

(Notice that aElement is 0x0)
(Assignee)

Updated

18 years ago
Status: NEW → ASSIGNED
Keywords: crash, nsbeta3
Target Milestone: --- → M18

Updated

18 years ago
Blocks: 47673
(Assignee)

Comment 1

18 years ago
rginda: can you reduce this to a smaller test case?
Whiteboard: [nsbeta3-]
Target Milestone: M18 → Future
(Reporter)

Comment 2

18 years ago
ug.  I was afraid you'd ask that.  A reduced testcase will require a new chrome
package, in order to get access to xpconnect, which means new makefiles,
manifest.rdf, etc.  It's possible, just (very) non-trivial.

Apparently the necko guys fixed some idl files recently, and broke chatzilla in
a new place.  I just checked in another fix that should (finally) make this
reproduce as described.

If you ask me again, I'll try to work out a reduced testcase.
(Reporter)

Comment 3

18 years ago
*** Bug 50527 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 4

18 years ago

*** This bug has been marked as a duplicate of 50554 ***
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE

Updated

18 years ago
No longer blocks: 47673

Comment 5

18 years ago
Verified dupe.
Status: RESOLVED → VERIFIED

Updated

10 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.