Closed Bug 877910 Opened 7 years ago Closed 7 years ago
opening railsdiff crashes Firefox in mozilla::dom::HTMLOptionsCollection::NamedItem @ JSAutoCompartment::JSAutoCompartment
Thank you for the bug report! The relevant stack bit is:

#4 0x000000010179ab45 in JSAutoCompartment::JSAutoCompartment (this=0x7fff5fbf0eb8, cx=0x117296400, target=0x0) at jsapi.cpp:1503
#5 0x0000000103a54786 in mozilla::dom::HTMLOptionsCollection::NamedItem (this=0x120410b80, cx=0x117296400, name=@0x7fff5fbf0fc8, error=@0x7fff5fbf0fa0) at HTMLOptionsCollection.cpp:293
#6 0x00000001053274e7 in mozilla::dom::HTMLSelectElement::NamedItem (this=0x1213743e0, aCx=0x117296400, aName=@0x7fff5fbf0fc8, aRv=@0x7fff5fbf0fa0) at HTMLSelectElement.h:212

HTMLOptionsCollection::NamedItem assumes it's called directly from script and hence that the options collection is JS-wrapped, but in this case it's C++ code calling it. We need to either make sure mOptions is wrapped or we need to do the return-value wrapping ourselves.

Simple testcase:

data:text/html,<select><option id="foo"><script>alert(document.querySelector("select").namedItem("foo"))</script>
Severity: normal → critical
Hardware: x86 → All
Summary: opening railsdiff crashes nightly and aurora → opening railsdiff crashes Firefox in mozilla::dom::HTMLOptionsCollection::NamedItem @ JSAutoCompartment::JSAutoCompartment
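As an added illustration of the defect described in the comment above (this is not code from the bug's patch or from Gecko): a small C++ model of an options collection that may or may not have a JS wrapper yet. The old shape of namedItem hands back a JS value, so it must enter the collection's compartment first, which is only safe when script has already created the wrapper; when a C++ caller such as HTMLSelectElement::NamedItem reaches it first, the compartment target is null. The shape the reviewed IDL change gives it (a nullable HTMLOptionElement return) returns the native element and leaves wrapping to the binding layer. AutoCompartment, Outcome and the two NamedItem*Shape functions are stand-ins invented for this model, and the null target is reported instead of dereferenced.

```cpp
#include <string>
#include <vector>

// Constructed model, not Gecko code. A JS wrapper is an opaque handle here;
// an element or collection that script has never touched has none.
struct JSObject { int id; };

struct HTMLOptionElement {
    std::string id;
    JSObject* wrapper = nullptr;
};

struct HTMLOptionsCollection {
    std::vector<HTMLOptionElement*> options;
    JSObject* wrapper = nullptr;  // still null when only C++ has used the collection

    HTMLOptionElement* Find(const std::string& name) {
        for (HTMLOptionElement* opt : options)
            if (opt->id == name) return opt;
        return nullptr;
    }
};

// Stand-in for JSAutoCompartment. Entering the compartment of a null object is
// the null dereference in frame #4 of the stack; this model reports it instead.
enum class Outcome { Ok, NullTarget };

struct AutoCompartment {
    Outcome result;
    explicit AutoCompartment(JSObject* target)
        : result(target ? Outcome::Ok : Outcome::NullTarget) {}
};

// Old shape: returns a JS value, so it has to enter the collection's compartment
// and do the wrapping itself. Fine from script; unsafe from a C++ caller that
// reaches the collection before script ever wrapped it.
Outcome NamedItemOldShape(HTMLOptionsCollection& coll, const std::string& name,
                          JSObject** out) {
    AutoCompartment ac(coll.wrapper);
    if (ac.result != Outcome::Ok) return ac.result;
    HTMLOptionElement* el = coll.Find(name);
    *out = el ? el->wrapper : nullptr;
    return Outcome::Ok;
}

// New shape, matching "HTMLOptionElement? namedItem(DOMString name)": return the
// native element (or null) and let the binding layer create the wrapper if and
// when the value actually crosses into JS. No compartment to enter here.
HTMLOptionElement* NamedItemNewShape(HTMLOptionsCollection& coll,
                                     const std::string& name) {
    return coll.Find(name);
}

// Scenario from the testcase: select.namedItem("foo") reaches the options
// collection through C++ before script has ever touched the collection.
Outcome OldShapeFromCpp() {
    HTMLOptionElement foo{"foo"};
    HTMLOptionsCollection coll;
    coll.options.push_back(&foo);
    JSObject* out = nullptr;
    return NamedItemOldShape(coll, "foo", &out);  // NullTarget: would have crashed
}

bool NewShapeFromCpp() {
    HTMLOptionElement foo{"foo"};
    HTMLOptionsCollection coll;
    coll.options.push_back(&foo);
    HTMLOptionElement* el = NamedItemNewShape(coll, "foo");
    return el != nullptr && el->id == "foo" && el->wrapper == nullptr;
}

// The nullable return covers the "no such option" case without any wrapping.
bool NewShapeMissingReturnsNull() {
    HTMLOptionElement foo{"foo"};
    HTMLOptionsCollection coll;
    coll.options.push_back(&foo);
    return NamedItemNewShape(coll, "bar") == nullptr;
}
```

The point the model makes is the one in the comment: a method that both looks up a DOM object and wraps it bakes in an assumption about who the caller is, while returning the native object keeps the lookup usable from C++ and from script alike.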
This is probably the easiest solution.
In case you prefer a patch that builds.
Comment on attachment 756507 [details] [diff] [review]
Patch v1.1

>+/* static */ HTMLOptionElement*

That comment is wrong. Please remove it.

>+ HTMLOptionElement? namedItem(DOMString name);

I think we should get the spec adjusted like this as well.

r=me; I like this. ;)
Attachment #756507 - Flags: review?(bzbarsky) → review+
Oh, and I assume this applies fine to Aurora, right?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 841488
User impact if declined: null pointer dereference crashes
Testing completed (on m-c, etc.): on m-c, passes tests, manually checked original site
Risk to taking this patch (and alternatives if risky): low risk. Alternative is backing out, but that's probably riskier.
String or IDL/UUID changes made by this patch: None.
Attachment #756949 - Flags: approval-mozilla-aurora?
Attachment #756949 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Target milestone is when it landed on trunk
Target Milestone: mozilla23 → mozilla24