Closed Bug 840898 Opened 10 years ago Closed 10 years ago

CSSValueListBinding crash with out-of-range .item()

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox20 + fixed
firefox21 + fixed

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
300 bytes, text/html
Details
stack
10.55 KB, text/plain
Details
Flag our nullable return value as actually being nullable.
1.88 KB, patch
tbsaunde
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
      No description provided.
Attached file stack 

    
    

    
  
On Windows: bp-7c8f6639-d356-4069-a9f4-b92832130213
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::WebGLBuffer>, int>::Wrap(JSContext*, JSObject*, nsRefPtr<mozilla::WebGLBuffer> const&, JS::Value*)]
OS: Mac OS X → All
Hardware: x86_64 → All

    
  
Assignee: nobody → bzbarsky

    
  
Blocks: 798567

          tracking-firefox20:
          --- → ?

          tracking-firefox21:
          --- → ?
Whiteboard: [need review]

        Attachment #713367 -
        Flags: review?(trev.saunders) → review+

    
    

    
  
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 798567 (
User impact if declined: Easy to trigger null-deref crash
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Very very low risk.
String or UUID changes made by this patch: None.

        Attachment #713367 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/b29cf09b5182
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla21

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b29cf09b5182
Status: NEW → RESOLVED
Closed: 10 years ago

          status-firefox21:
          affectedfixed
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

Approving low risk fix for uplift.

        Attachment #713367 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.