Closed Bug 585745 Opened 10 years ago Closed 9 years ago

Crash [@ nsIDOMElementCSSInlineStyle_GetStyle | js::callJSPropertyOp] from MathML element with HTML __proto__

Categories

(Core :: XPConnect, defect, P1, critical)

x86
macOS
defect

Tracking

VERIFIED FIXED
mozilla2.0b11
Tracking Status
blocking2.0 --- final+

People

(Reporter: jruderman, Assigned: bzbarsky)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [softblocker][fx4-fixed-bugday] )

Crash Data

Attachments

(3 files)

No description provided.
Jesse, were you testing in a debug build?
Yes.
OK, that makes sense then.  In a debug build, this would crash in some debug-verification code.
Blocks: 584293
blocking2.0: --- → final+
Component: Style System (CSS) → XPConnect
Priority: -- → P1
QA Contact: style-system → xpconnect
Assignee: nobody → bzbarsky
Whiteboard: softblocker
Whiteboard: softblocker → [softblocker]
Attached patch: Proposed fix
This is icky, and about a 10% hit for the style getter, but it's simple and works.  And we're considering changing up this code anyway.
Attachment #505445 - Flags: review?(peterv)
Whiteboard: [softblocker] → [need review][softblocker]
Comment on attachment 505445 (Proposed fix)

The way to fix this without a performance hit (I think) is to make an empty class that inherits from nsStyledElement and make all classes that inherit from nsStyledElement (except for nsMathMLElement) inherit from the new class. Then replace nsStyledElement with this new class in DOMCI_CASTABLE_INTERFACES and thisType. Up to you.
Attachment #505445 - Flags: review?(peterv) → review+
Never mind, I missed that nsMathMLElement inherits from nsMappedAttributeElement.
Yeah, exactly.  I started with the comment 6 thing, and then discovered that exact problem.  :(
Whiteboard: [need review][softblocker] → [need landing][softblocker]
Pushed http://hg.mozilla.org/mozilla-central/rev/263ba81f2447
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing][softblocker] → [softblocker]
Target Milestone: --- → mozilla2.0b11
Can this be verified on a beta build, or does it just affect debug builds? FWIW, the testcases in here don't seem to crash or do anything bad.

Testing on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b11) Gecko/20100101 Firefox/4.0b11
Whiteboard: [softblocker] → [softblocker][fx4-fixed-bugday]
The crash only affects debug builds.

The testcase that landed as part of the patch shows a web-detectable behavior difference that this patch fixed.
Going to mark verified based on comment 11.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsIDOMElementCSSInlineStyle_GetStyle | js::callJSPropertyOp]