Closed Bug 840898 Opened 12 years ago Closed 12 years ago

CSSValueListBinding crash with out-of-range .item()

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox20 + fixed
firefox21 + fixed

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
300 bytes, text/html
Details
stack
10.55 KB, text/plain
Details
Flag our nullable return value as actually being nullable.
1.88 KB, patch
tbsaunde
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review
No description provided.
Attached file stack
On Windows: bp-7c8f6639-d356-4069-a9f4-b92832130213
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::WebGLBuffer>, int>::Wrap(JSContext*, JSObject*, nsRefPtr<mozilla::WebGLBuffer> const&, JS::Value*)]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → bzbarsky
Blocks: 798567
tracking-firefox20: --- → ?
tracking-firefox21: --- → ?
Whiteboard: [need review]
Attachment #713367 - Flags: review?(trev.saunders) → review+
Comment on attachment 713367 [details] [diff] [review] Flag our nullable return value as actually being nullable. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 798567 ( User impact if declined: Easy to trigger null-deref crash Testing completed (on m-c, etc.): Passes tests. Risk to taking this patch (and alternatives if risky): Very very low risk. String or UUID changes made by this patch: None.
Attachment #713367 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/integration/mozilla-inbound/rev/b29cf09b5182
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla21
https://hg.mozilla.org/mozilla-central/rev/b29cf09b5182
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox21: affectedfixed
Resolution: --- → FIXED
Comment on attachment 713367 [details] [diff] [review] Flag our nullable return value as actually being nullable. Approving low risk fix for uplift.
Attachment #713367 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: