Closed
Bug 585745
Opened 15 years ago
Closed 14 years ago
Crash [@ nsIDOMElementCSSInlineStyle_GetStyle | js::callJSPropertyOp] from MathML element with HTML __proto__
Categories
(Core :: XPConnect, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla2.0b11
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, testcase, Whiteboard: [softblocker][fx4-fixed-bugday] )
Crash Data
Attachments
(3 files)
No description provided.
|
Assignee | |
Comment 1•15 years ago
|
||
Jesse, were you testing in a debug build?
|
Reporter | |
Comment 2•15 years ago
|
||
Yes.
|
|
Assignee | |
Comment 3•15 years ago
|
||
OK, that makes sense then. In a debug build, this would crash in some debug-verification code.
Blocks: 584293
blocking2.0: --- → final+
Component: Style System (CSS) → XPConnect
Priority: -- → P1
QA Contact: style-system → xpconnect
|
||
Updated•14 years ago
|
Assignee: nobody → bzbarsky
|
||
Updated•14 years ago
|
Whiteboard: softblocker
|
|
||
Updated•14 years ago
|
Whiteboard: softblocker → [softblocker]
|
|
Assignee | |
Comment 4•14 years ago
|
||
This is icky, and about a 10% hit for the style getter, but it's simple and works. And we're considering changing up this code anyway.
Attachment #505445 -
Flags: review?(peterv)
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: [softblocker] → [need review][softblocker]
|
|
Assignee | |
Comment 5•14 years ago
|
||
|
||
Comment 6•14 years ago
|
||
Comment on attachment 505445 [details] [diff] [review]
Proposed fix
The way to fix this without a performance hit (I think) is to make an empty class that inherits from nsStyledElement and make all classes that inherit from nsStyledElement (except for nsMathMLElement) inherit from the new class. Then replace nsStyledElement with this new class in DOMCI_CASTABLE_INTERFACES and thisType. Up to you.
Attachment #505445 -
Flags: review?(peterv) → review+
|
|
||
Comment 7•14 years ago
|
||
Nevermind, I missed that nsMathMLElement inherits from nsMappedAttributeElement.
|
|
Assignee | |
Comment 8•14 years ago
|
||
Yeah, exactly. I started with the comment 6 thing, and then discovered that exact problem. :(
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: [need review][softblocker] → [need landing][softblocker]
|
|
Assignee | |
Comment 9•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing][softblocker] → [softblocker]
Target Milestone: --- → mozilla2.0b11
|
||
Comment 10•14 years ago
|
||
Can this be verified on a beta build? or just affects debug builds? FWIW, the testcases in here dont seem to crash or do anything bad
Testing on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b11) Gecko/20100101 Firefox/4.0b11
Whiteboard: [softblocker] → [softblocker][fx4-fixed-bugday]
|
|
Assignee | |
Comment 11•14 years ago
|
||
The crash only affects debug builds.
The testcase that landed as part of the patch shows a web-detectable behavior difference that this patch fixed.
|
||
Updated•14 years ago
|
Crash Signature: [@ nsIDOMElementCSSInlineStyle_GetStyle | js::callJSPropertyOp]
You need to log in
before you can comment on or make changes to this bug.
Description
•