Closed
Bug 521760
Opened 15 years ago
Closed 15 years ago
reproducable document.write() crash
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 519926
People
(Reporter: Dolske, Unassigned)
Details
Just hit this twice in a row with a current trunk nightly, and reproduced with my own build in a clean profile. Crashing URL: http://apnews.myway.com/article/20091011/D9B8SUPO0.html bp-7ea02950-2664-4c00-b0b5-4f62b2091012 bp-681c07cc-8a22-4435-9d13-6979d2091012 0 XUL XUL@0x62c40 1 XUL nsIDOMHTMLDocument_Write 2 libmozjs.dylib js_Interpret 3 libmozjs.dylib js_Execute 4 libmozjs.dylib JS_EvaluateUCScriptForPrincipals 5 XUL nsJSContext::EvaluateString 6 XUL nsScriptLoader::EvaluateScript 7 XUL nsScriptLoader::ProcessRequest 8 XUL nsScriptLoader::ProcessScriptElement 9 XUL nsScriptElement::MaybeProcessScript 10 XUL nsHTMLScriptElement::MaybeProcessScript 11 XUL HTMLContentSink::ProcessSCRIPTEndTag 12 XUL SinkContext::CloseContainer 13 XUL HTMLContentSink::CloseContainer 14 XUL CNavDTD::CloseContainer Frame 0 when crashing in my build is in xpc_qsDOMString::xpc_qsDOMString... 722 *pval = STRING_TO_JSVAL(s); // Root the new string. pval, supplied by the caller, is null here. Though s->mLength is ~500m, so I'm not sure what's going on. DumpJSStack() says the last JS frame is: globHtmlHeader(obj = [object Object]) ["http://bfc.myway.com/script/bzHdr.js":59]
Comment 1•15 years ago
|
||
Do I want to know why they're doing document.write()?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 2•15 years ago
|
||
> Though s->mLength is ~500m, so I'm not sure what's going on.
The 4 high bits of s->mLength are actually flag bits.
You need to log in
before you can comment on or make changes to this bug.
Description
•