Closed Bug 942979 Opened 6 years ago Closed 6 years ago

Crash in nsContentUtils::GetCommonAncestor

Categories

(Core :: DOM: Core & HTML, defect)

25 Branch
x86_64
Windows 7
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla28

People

(Reporter: vulnerable.zappa, Assigned: mz_mhs-ctb)

Details

Attachments

(2 files, 3 obsolete files)

Attached file repro.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36 OPR/17.0.1241.53

Steps to reproduce:

run repro.html


Actual results:

Firefox crash


Expected results:

Nothing
Confirmed locally.
Assignee: nobody → mz_mhs-ctb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: nsDocument::mSubtreeModifiedTargets crash → Crash in nsContentUtils::GetCommonAncestor
Attached patch Patch (obsolete) — Splinter Review
Attachment #8339661 - Flags: review?(bzbarsky)
Comment on attachment 8339661 [details] [diff] [review]
Patch

Why is mSubtreeModifiedTargets[i] null, exactly?
That is, the real bug is whatever allows a null to end up in there; there should be no null values in that array.
Attachment #8339661 - Flags: review?(bzbarsky)
Attached patch Patch v2 (obsolete) — Splinter Review
Attachment #8339661 - Attachment is obsolete: true
Attachment #8340541 - Flags: review?(bzbarsky)
Comment on attachment 8340541 [details] [diff] [review]
Patch v2

Yes, thank you. This makes a lot more sense.  Maybe add a comment about how parentNode can be null if an earlier mutation event removed the node?

r=me
Attachment #8340541 - Flags: review?(bzbarsky) → review+
Component: Untriaged → DOM
Product: Firefox → Core
And add the test? :)
Attached patch Patch with test. (obsolete) — Splinter Review
Attachment #8340541 - Attachment is obsolete: true
Comment on attachment 8340678 [details] [diff] [review]
Patch with test.

Carrying r+ from bzbarsky.
Attachment #8340678 - Flags: review+
Keywords: checkin-needed
Attachment #8340678 - Attachment is obsolete: true
Sorry about that, forgot the comment.
https://hg.mozilla.org/mozilla-central/rev/bfa858a90cb0
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.