Closed Bug 503978 Opened 15 years ago Closed 15 years ago

[HTML5] nsContentSink on null this

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 502091

People

(Reporter: Delineif, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090713 Firefox/3.6a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090713 Firefox/3.6a1pre

Null dereference at nsContentSink::ProcessHeaderData.
There's a segfault when trying to call mDocument->SetHeaderData, since ProcessHeaderData is called with a NULL this.

That's a bit strange, since at nsHtml5TreeOperation::Perform aBuilder is 0x114e5ba8:

    case eTreeOpProcessMeta: {
      rv = aBuilder->ProcessMeta(mNode);

But in nsContentSink::ProcessMETATag, this is NULL (ProcessMeta == ProcessMETATag?).

Reproducible: Sometimes

Steps to Reproduce:
Happened twice when adding an archive into an input file.

	xul.dll!nsContentSink::ProcessHeaderData(nsIAtom * aHeader=0x01583110, const nsAString_internal & aValue={...}, nsIContent * aContent=0x0b855670)  Line 472 + 0x3 bytes	C++
 	xul.dll!nsContentSink::ProcessMETATag(nsIContent * aContent=0x0b855670)  Line 830	C++
 	xul.dll!nsHtml5TreeOperation::Perform(nsHtml5TreeBuilder * aBuilder=0x114e5ba8)  Line 152	C++
 	xul.dll!nsHtml5TreeBuilder::Flush()  Line 477 + 0x9 bytes	C++
 	xul.dll!nsHtml5TreeBuilder::endTokenization()  Line 555 + 0xa bytes	C++
 	xul.dll!nsHtml5Tokenizer::end()  Line 3182	C++
 	xul.dll!nsHtml5Parser::ParseFragment(const nsAString_internal & aSourceBuffer={...}, nsISupports * aTargetNode=0x00000000, nsIAtom * aContextLocalName=0x01581c7c, int aContextNamespace=3, int aQuirks=0)  Line 529	C++
 	xul.dll!nsContentUtils::CreateContextualFragment(nsIDOMNode * aContextNode=0x110601b4, const nsAString_internal & aFragment={...}, int aWillOwnFragment=0, nsIDOMDocumentFragment * * aReturn=0x0012f1bc)  Line 3655	C++
 	xul.dll!nsGenericHTMLElement::SetInnerHTML(const nsAString_internal & aInnerHTML={...})  Line 708 + 0x15 bytes	C++
 	xul.dll!nsGenericHTMLElementTearoff::SetInnerHTML(const nsAString_internal & aInnerHTML={...})  Line 190 + 0x13 bytes	C++
 	xul.dll!nsIDOMNSHTMLElement_SetInnerHTML(JSContext * cx=0x059549e8, JSObject * obj=0x0c862e20, int id=20252164, int * vp=0x0012f2c4)  Line 12713	C++
 	js3250.dll!js_SetSprop(JSContext * cx=0x059549e8, JSScopeProperty * sprop=0x00000000, JSObject * obj=0x00000000, int * vp=0x00000000)  Line 402 + 0xb bytes	C++
 	js3250.dll!js_SetPropertyHelper(JSContext * cx=0x00000000, JSObject * obj=0x0c862e20, int id=20252164, int cacheResult=1, int * vp=0x0012f2c4)  Line 4518 + 0x10 bytes	C++
 	js3250.dll!js_Interpret(JSContext * cx=)  Line 4852 + 0x10 bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x0012f150, unsigned int argc=102951800, int * vp=0x0012f3c8, unsigned int flags=2089872920)  Line 1389 + 0x1a bytes	C++
 	0000ffff()	
 	ntdll.dll!RtlAllocateHeap()  + 0x117 bytes	
 	[Los marcos siguientes pueden no ser correctos o faltar, no se han cargado símbolos para ntdll.dll]	
 	msvcr80.dll!malloc()  + 0x7a bytes	
 	js3250.dll!js_Invoke(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6cec, unsigned int flags=0)  Line 1397 + 0x6 bytes	C++
 	js3250.dll!js_fun_apply(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6cb4)  Line 2081	C++
 	js3250.dll!js_Interpret(JSContext * cx=0x059549e8)  Line 5219	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6b00, unsigned int flags=0)  Line 1397 + 0x6 bytes	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x2172efc8, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x015e3f70, nsXPTCMiniVariant * nativeParams=0x0012f7f4)  Line 1647 + 0x16 bytes	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x015e3f70, nsXPTCMiniVariant * params=0x0012f7f4)  Line 571	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0ace1d58, unsigned int methodIndex=3, unsigned int * args=0x0012f8ac, unsigned int * stackBytesToPop=0x0012f89c)  Line 114 + 0x15 bytes	C++
 	xul.dll!SharedStub()  Line 142	C++
 	xul.dll!nsPluginElement::GetDescription(nsAString_internal & aDescription={...})  Line 311	C++
 	xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x10015049, nsIDOMEventListener * aListener=0x00d0042c, nsIDOMEvent * aDOMEvent=0x0012f958, nsPIDOMEventTarget * aCurrentTarget=0x00000001, unsigned int aPhaseFlags=13632532)  Line 1034 + 0x7 bytes	C++
 	xul.dll!nsCycleCollectingAutoRefCnt::incr(nsISupports * owner=0x0012f9d4)  Line 151	C++
 	xul.dll!XPCJSContextStack::Push(JSContext * cx=0x00000006)  Line 137 + 0x13 bytes	C++
 	00000005()
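
To make the reporter's observation concrete (a non-null aBuilder, yet a null this inside nsContentSink), here is an added, much-simplified C++ model of the layering in the stack trace; it is not Gecko's code, and every name in it (Document, ContentSink, TreeBuilder, mSink) is a stand-in. Beside the unchecked delegation that produces the crash it shows a defensive form that fails the tree op cleanly when the sink was never initialized on the fragment path.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, much-simplified model of the layering in the stack trace
// (tree operation -> nsHtml5TreeBuilder -> nsContentSink -> document).
// Names mirror the report, but this is a stand-in, not Gecko's code.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_NOT_INITIALIZED = 0xC1F30001; // Gecko's value, defined locally

struct Document {
    std::vector<std::pair<std::string, std::string>> headers;
    void SetHeaderData(const std::string& name, const std::string& value) {
        headers.emplace_back(name, value);
    }
};

struct ContentSink {
    Document* mDocument = nullptr;
    nsresult ProcessHeaderData(const std::string& name, const std::string& value) {
        // First member access: a null `this` only faults here, one frame
        // below the method that was actually invoked through the null pointer.
        mDocument->SetHeaderData(name, value);
        return NS_OK;
    }
    nsresult ProcessMETATag(const std::string& name, const std::string& value) {
        return ProcessHeaderData(name, value);
    }
};

struct TreeBuilder {
    ContentSink* mSink = nullptr; // never attached on the fragment (innerHTML) path
    // Shape of the failure: the builder itself is a valid object, so the caller
    // sees a non-null aBuilder, yet the delegate's `this` is mSink, which is null.
    // Calling through it is undefined behaviour; on MSVC/x86 it typically runs
    // until the first member load, matching the trace. Deliberately never called.
    nsresult ProcessMetaUnchecked(const std::string& name, const std::string& value) {
        return mSink->ProcessMETATag(name, value);
    }

    // Defensive form: fail the tree op when the sink was never initialized, so
    // an uninitialized fragment parse reports an error instead of crashing.
    nsresult ProcessMeta(const std::string& name, const std::string& value) {
        if (!mSink || !mSink->mDocument) return NS_ERROR_NOT_INITIALIZED;
        return mSink->ProcessMETATag(name, value);
    }
};
```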

nsContentSink isn't properly initialized in the fragment case.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE