unchecked null pointer in nsMenuBarListener::KeyUp

RESOLVED FIXED in mozilla9

Status

Product: Core
Component: XUL
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

Reporter: clever
Assigned: sicking

Tracking

Version: 7 Branch
Target Milestone: mozilla9
Platform: x86, Windows XP
Keywords: crash, crashreportid
Firefox Tracking Flags: Not tracked

Attachments: 3
(Reporter)

Description

6 years ago
https://crash-stats.mozilla.com/report/index/bp-970a6ac2-ff25-49b6-b42d-f7dcd2110905

The bug seems to be triggered by this part of the JS in my extension:

    function kick_input(node, evt) {
        var ev = node.ownerDocument.createEvent('Events');
        ev.initEvent(evt, true, false);
        node.dispatchEvent(ev);
    }
    kick_input(quant, 'keyup');

quant being an html <input type=text>

Comment 1

If you're sending key events you really should be using the correct interface. The fix here is going to be to no-op the implementation so you might as well not send the event.
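
A simplified C++ model of the failure class named in the bug title and of the no-op fix described in the comment above. It is an added illustration, not Gecko code and not the attached patch; the class names, the Result enum and the key code 18 are assumptions.

```cpp
#include <cstdio>
#include <string>
#include <utility>

// Generic event: carries only a type name, like createEvent('Events').
struct Event {
    std::string type;
    explicit Event(std::string t) : type(std::move(t)) {}
    virtual ~Event() = default;
};

// Hypothetical stand-in for the key-event interface a listener expects.
struct KeyEvent : Event {
    unsigned keyCode;
    KeyEvent(std::string t, unsigned code) : Event(std::move(t)), keyCode(code) {}
};

enum class Result { Ignored, MenuToggled };

class MenuBarListenerModel {
    static constexpr unsigned kAccessKey = 18;  // assumed access-key code
    bool menuActive_ = false;
public:
    bool menuActive() const { return menuActive_; }

    // The event *name* says "keyup", but the object may not be a key event.
    Result KeyUp(const Event* ev) {
        const auto* key = dynamic_cast<const KeyEvent*>(ev);
        // Without this check, key->keyCode below dereferences a null
        // pointer when a generic Event named "keyup" is dispatched.
        if (!key) return Result::Ignored;  // no-op for the wrong interface
        if (key->keyCode != kAccessKey) return Result::Ignored;
        menuActive_ = !menuActive_;
        return Result::MenuToggled;
    }
};

int main() {
    MenuBarListenerModel listener;
    Event generic("keyup");      // constructed input: wrong interface
    KeyEvent real("keyup", 18);  // constructed input: real key event
    std::printf("generic: %d\n", static_cast<int>(listener.KeyUp(&generic)));
    std::printf("real:    %d\n", static_cast<int>(listener.KeyUp(&real)));
    return 0;
}
```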
(Reporter)

Comment 2

6 years ago
Yeah, I've corrected the code to use var ev = node.ownerDocument.createEvent("keyboardevent"); now,
but it would still be nice for Firefox to not segfault the moment an API is misused.
Just imagine what could happen if you just put that code on the homepage of a site: instantly block all Firefox users from viewing it.

Comment 3

6 years ago
Can you please make such a page (html file) having this code that crashes Firefox and attach it here?
(Reporter)

Comment 4

6 years ago
Created attachment 558950 [details]
the main part of the testcase
(Reporter)

Comment 5

6 years ago
Created attachment 558951 [details]
the trigger for the testcase
(Reporter)

Comment 6

6 years ago
Through some testing, I found that it only occurs when the event is made from chrome code.
I've attached an extension and .htm file that will reproduce the problem 100%.
Just install the extension and open the .htm file.
(Reporter)

Comment 7

6 years ago
Comment on attachment 558950 [details]
the main part of the testcase

Oops, this was meant to be a .xpi

Updated

6 years ago
Attachment #558950 - Attachment mime type: text/plain → application/x-xpinstall

Updated

6 years ago
Attachment #558951 - Attachment mime type: text/plain → text/html

Comment 8

6 years ago
I installed the extension and visited the testcase html. No crash for me, Win XP 32bit.

Comment 9

Created attachment 559491 [details] [diff] [review]
Patch to fix

This should fix the crash. It would be awesome if someone could figure out how to write an automated testcase for this.
Attachment #559491 - Flags: review?(Olli.Pettay)

Updated

6 years ago
Component: General → XUL
Product: Firefox → Core
QA Contact: general → xptoolkit.widgets
(Reporter)

Comment 10

6 years ago
aceman, did you try testing it on the nightly or beta channel?
I haven't checked nightly at all yet, but have seen it on beta channel on 2 computers.

Comment 11

6 years ago
No, I did it on FF6.0.2. But it seems Jonas can already see it.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, crashreportid
Version: unspecified → 7 Branch

Updated

6 years ago
Attachment #559491 - Flags: review?(Olli.Pettay) → review+

http://hg.mozilla.org/integration/mozilla-inbound/rev/e60a0b9fe93c

(In reply to Jonas Sicking (:sicking) from comment #9)
> Created attachment 559491 [details] [diff] [review]
> Patch to fix
> 
> This should fix the crash. It would be awesome if someone could figure out
> how to write an automated testcase for this.

Couldn't you convert the test case attached to the bug to a chrome mochitest of some sort?

Assignee: nobody → jonas
Target Milestone: --- → mozilla9

https://hg.mozilla.org/mozilla-central/rev/e60a0b9fe93c
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED