Closed
Bug 516436
Opened 15 years ago
Closed 15 years ago
[HTML5] Crash due to C++ exception under nsHTMLFormElement::RemoveElement when using HTML5 parser
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 514425
People
(Reporter: bzbarsky, Unassigned)
Details
Attachments
(1 file)
43.91 KB,
text/plain
|
Details |
Looks like a situation in which the HTML5 parser was holding the last ref to an input, then was stopped, then the input's destructor called nsHTMLFormElement::RemoveElement and then we crashed due to calling std::type_info::~type_info. The really broken thing here, imo, is the destructor calling a function that will then call virtual methods on the object, etc (as RemoveElement does; can't recall at what stage in a destructor it's safe to call virtual methods, but I suspect in this case it's not). And even more broken is the fact that this node has a form set but never ends up removed from the form before destruction. I've gotten this crash a few times but this is the first time I managed to get a stack. So possible solutions: 1) Fix whatever it is in the parser that's getting the node into this state. 2) Move the RemoveElement call to the very start of the leaf class destructors. Seem reasonable? The OSX crash report for this is attached.
Comment 1•15 years ago
|
||
Breakpad doesn't catch this because the actual crash here is an unhandled C++ exception, which Breakpad doesn't currently handle. This is filed upstream as: http://code.google.com/p/google-breakpad/issues/detail?id=318
Comment 2•15 years ago
|
||
Is this the same as bug 514425?
Reporter | ||
Comment 3•15 years ago
|
||
Looks like it. This bug has a bit more information, that bug has a testcase.... Adding dependency for now and then we should retest the testcase if we come up with a fix here.
Blocks: 514425
Reporter | ||
Updated•15 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•