CSSValueListBinding crash with out-of-range .item()

RESOLVED FIXED in Firefox 20

Status

()

defect
--
critical
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: jruderman, Assigned: bzbarsky)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla21
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox20+ fixed, firefox21+ fixed)

Details

(crash signature)

Attachments

(3 attachments)

No description provided.
Posted file stack
On Windows: bp-7c8f6639-d356-4069-a9f4-b92832130213
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::WebGLBuffer>, int>::Wrap(JSContext*, JSObject*, nsRefPtr<mozilla::WebGLBuffer> const&, JS::Value*)]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → bzbarsky
Blocks: 798567
Whiteboard: [need review]
Attachment #713367 - Flags: review?(trev.saunders) → review+
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 798567 (
User impact if declined: Easy to trigger null-deref crash
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Very very low risk.
String or UUID changes made by this patch: None.
Attachment #713367 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/integration/mozilla-inbound/rev/b29cf09b5182
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla21
https://hg.mozilla.org/mozilla-central/rev/b29cf09b5182
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

Approving low risk fix for uplift.
Attachment #713367 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.