Closed
Bug 664916
Opened 13 years ago
Closed 13 years ago
Crash [@ nsIDOMElement_GetTagName]
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla8
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
247 bytes,
text/html
|
Details | |
8.02 KB,
text/plain
|
Details | |
3.12 KB,
patch
|
sicking
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•13 years ago
|
||
Assignee | ||
Comment 2•13 years ago
|
||
Is this a debug-only crash? I can only reproduce this in a debug build. In a debug build, this is failing the "QIs to nsIDOMElement" sanity check because the QI result is null. The problem is that the unwrap is done to nsINode, which can work for non-element nodes... This is fallout from bug 659539. The right fix is to probably to add Element to the list of castable interfaces and use it here.
Blocks: 659539
Sounds like a good fix, but I'd like to hear peterv's opinion.
Assignee: nobody → jonas
tracking-firefox7:
--- → ?
Assignee | ||
Comment 4•13 years ago
|
||
Except for two things: 1) The castable interface macros don't work too hot with namespaced stuff. We could use nsGenericElement to work around this. 2) Things would _still_ fail for document fragments, since those cast to Element and nsGenericElement. I suppose we could add an explicit check for that in the custom quickstub... Jonas, thoughts?
Assignee | ||
Comment 5•13 years ago
|
||
And on a further note, I'm getting really tired of document fragment's inheritance stuff, and also tired of not having our new DOM binding unwrapping hotness... ;)
Well, if we're checking anyway we might as well leave things the way they are and check that the nodetype is ELEMENT_NODE. Fixing the inheritance sounds good, would love to share a bit more between documents and elements. Hard to say if it's worth doing before we do the unwrapping goodness though?
Assignee | ||
Comment 7•13 years ago
|
||
> Well, if we're checking anyway we might as well leave things the way they are
> and check that the nodetype is ELEMENT_NODE.
Yeah, that works.
I wouldn't worry about the inheritance stuff for now.
Comment 8•13 years ago
|
||
We already have special casting macros for GenericElement, see http://hg.mozilla.org/mozilla-central/annotate/981ccfb8c1ae/js/src/xpconnect/src/nsDOMQS.h#l89 nsIDOMElement_GetTagName should just use |'thisType': 'nsGenericElement'|.
Assignee | ||
Comment 9•13 years ago
|
||
Oh, great. Sicking, make it so!
Comment 10•13 years ago
|
||
It's not clear to me why this is nominated for release driver tracking.
Assignee | ||
Comment 11•13 years ago
|
||
It's a crash (in debug builds) and minor correctness (in opt builds) regression from a patch that landed in the Gecko 7 cycle. Release drivers presumably need to decide whether to ship the regression, back out the patch that caused it, or take a fix for this.
Assignee | ||
Comment 12•13 years ago
|
||
Attachment #544275 -
Flags: review?(jonas)
Assignee | ||
Updated•13 years ago
|
Assignee: jonas → bzbarsky
Priority: -- → P1
Whiteboard: [need review]
Comment on attachment 544275 [details] [diff] [review] Make sure that we're dealing with an element when getting tagName. Review of attachment 544275 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for taking this!
Attachment #544275 -
Flags: review?(jonas) → review+
Assignee | ||
Updated•13 years ago
|
Whiteboard: [need review] → [need landing]
Assignee | ||
Comment 14•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/c688b177aa30
Flags: in-testsuite+
Whiteboard: [need landing]
Target Milestone: --- → mozilla8
Assignee | ||
Comment 15•13 years ago
|
||
Comment on attachment 544275 [details] [diff] [review] Make sure that we're dealing with an element when getting tagName. I think we should take this for aurora 7. It's a zero-risk change that can help fuzzing and fixes a (slight) web compat regression.
Attachment #544275 -
Flags: approval-mozilla-aurora?
Comment 16•13 years ago
|
||
Comment on attachment 544275 [details] [diff] [review] Make sure that we're dealing with an element when getting tagName. Approved for releases/mozilla-aurora
Attachment #544275 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 17•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/c688b177aa30
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 18•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/dbcb235ae784
status-firefox7:
--- → fixed
Updated•13 years ago
|
Crash Signature: [@ nsIDOMElement_GetTagName]
Comment 19•13 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110818 Firefox/9.0a1 Mozilla/5.0 (Windows NT 6.1; rv:7.0a2) Gecko/20110816 Firefox/7.0a2 Firefox doesn't crash. Setting resolution to Verified Fixed. Thanks.
Status: RESOLVED → VERIFIED
Comment 20•13 years ago
|
||
If i am wrong please feel free to rechange the status. Thanks!
Comment 21•13 years ago
|
||
I believe this might have been crashing in a debug build only according to Comment 11, so I am not sure you could verify it in regular build. > If i am wrong please feel free to rechange the status. > Thanks!
Assignee | ||
Comment 22•13 years ago
|
||
Yes, the crash is debug-only. There's a correctness issue that was visible in opt builds; the automated testcases checked in with this bug (which are part of the patch) test that as well as the crash issue...
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•