Closed Bug 840898 Opened 8 years ago Closed 8 years ago

CSSValueListBinding crash with out-of-range .item()

Categories

(Core :: DOM: CSS Object Model, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla21
Tracking Status
firefox20 + fixed
firefox21 + fixed

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

No description provided.
Attached file stack
On Windows: bp-7c8f6639-d356-4069-a9f4-b92832130213
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::WebGLBuffer>, int>::Wrap(JSContext*, JSObject*, nsRefPtr<mozilla::WebGLBuffer> const&, JS::Value*)]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → bzbarsky
Blocks: 798567
Whiteboard: [need review]
Attachment #713367 - Flags: review?(trev.saunders) → review+
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 798567 (
User impact if declined: Easy to trigger null-deref crash
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Very very low risk.
String or UUID changes made by this patch: None.
Attachment #713367 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/integration/mozilla-inbound/rev/b29cf09b5182
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla21
https://hg.mozilla.org/mozilla-central/rev/b29cf09b5182
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 713367 [details] [diff] [review]
Flag our nullable return value as actually being nullable.

Approving low risk fix for uplift.
Attachment #713367 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.