Closed Bug 503702 Opened 16 years ago Closed 15 years ago

[HTML5] null pointer dereference [@ nsHtml5TreeBuilder::DoUnlink]

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 502260

People

(Reporter: Delineif, Unassigned)

References

Details

(Keywords: crash)

Crash Data

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090711 Firefox/3.6a1pre I hit a null pointer dereference at void nsHtml5TreeBuilder::DoUnlink() where mFlushTimer->Cancel(); is called with mFlushTimer being NULL. I'm running with html5.enable set to true. Reproducible: Didn't try xul.dll!nsHtml5TreeBuilder::DoUnlink() Line 505 + 0x5 bytes C++ xul.dll!nsHtml5Parser::cycleCollection::Unlink(void * p=0x1794d0ac) Line 152 C++ xul.dll!nsCycleCollector::CollectWhite() Line 1742 C++ xul.dll!nsCycleCollector::FinishCollection() Line 2593 + 0x5 bytes C++ xul.dll!XPCCycleCollectGCCallback(JSContext * cx=0x015693e0, JSGCStatus status=JSGC_END) Line 403 + 0x5 bytes C++ js3250.dll!js_GC(JSContext * cx=0x015693e0, JSGCInvocationKind gckind=GC_NORMAL) Line 3793 + 0x8 bytes C++ js3250.dll!JS_GC(JSContext * cx=0x015693e0) Line 2472 + 0x8 bytes C++ xul.dll!nsXPConnect::Collect() Line 478 C++ xul.dll!nsCycleCollector::Collect(unsigned int aTryCollections=1) Line 2407 + 0x5 bytes C++ xul.dll!nsCycleCollector_collect() Line 3098 C++ xul.dll!nsJSContext::CC() Line 3517 + 0x5 bytes C++ xul.dll!nsJSContext::IntervalCC() Line 3606 C++ xul.dll!nsJSContext::CCIfUserInactive() Line 3593 + 0x7 bytes C++ xul.dll!GCTimerFired(nsITimer * aTimer=0x2317aca0, void * aClosure=0x00000000) Line 3636 C++ xul.dll!nsTimerImpl::Fire() Line 427 + 0x6 bytes C++ xul.dll!nsTimerEvent::Run() Line 521 C++ xul.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc70) Line 527 + 0x6 bytes C++ xul.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00000001, int mayWait=1) Line 230 + 0xd bytes C++ xul.dll!nsBaseAppShell::Run() Line 170 + 0x8 bytes C++ xul.dll!nsAppStartup::Run() Line 194 C++ xul.dll!XRE_main(int argc=1, char * * argv=0x00659e00, const nsXREAppData * aAppData=0x00659fa8) Line 3371 C++ firefox.exe!NS_internal_main(int argc=1, char * * argv=0x00659e00) Line 157 C++ firefox.exe!wmain(int argc=6659584, wchar_t * * argv=0x006582e8) Line 112 C++ firefox.exe!__tmainCRTStartup() Line 583 + 0x17 bytes C kernel32.dll!RegisterWaitForInputIdle() + 0x49 bytes
Blocks: html5-parsing
Keywords: crash
Related to bug 502260?
Summary: [HTML5] TreeBuilder unlink null pointer dereference → [HTML5] null pointer dereference [@ nsHtml5TreeBuilder::DoUnlink]
Yes, both bugs involve mFlushTimer being null in nsHtml5TreeBuilder::DoUnlink.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsHtml5TreeBuilder::DoUnlink]
You need to log in before you can comment on or make changes to this bug.