Closed Bug 19033 Opened 25 years ago Closed 25 years ago

simple (but likely bogus) XUL document segfaults

Categories

(Core :: XUL, defect, P1)

x86
Linux
defect

VERIFIED FIXED

People

(Reporter: dmosedale, Assigned: waterson)

Details

Attachments

(2 files)

Debug build from the CVS tip, early Tuesday the 16th. I'll attach the document in question. Stack trace as follows:

#0 0x40944b35 in nsXULElement::GetTagName (this=0x865e940, aTagName=@0xbfffeac0) at nsXULElement.cpp:961
#1 0x4094a792 in nsXULElement::HandleDOMEvent (this=0x865e940, aPresContext=@0x82f0ed0, aEvent=0xbfffee08, aDOMEvent=0xbfffeb58, aFlags=1, aEventStatus=@0xbfffed24) at nsXULElement.cpp:2534
#2 0x40efba00 in PresShell::HandleEvent (this=0x86692a8, aView=0x8668e78, aEvent=0xbfffee08, aEventStatus=@0xbfffed24) at nsPresShell.cpp:2410
#3 0x412e4ec9 in nsView::HandleEvent (this=0x8668e78, event=0xbfffee08, aEventFlags=28, aStatus=@0xbfffed24, aHandled=@0xbfffecc8) at nsView.cpp:839
#4 0x412f0be3 in nsViewManager::DispatchEvent (this=0x8668d08, aEvent=0xbfffee08, aStatus=@0xbfffed24) at nsViewManager.cpp:1722
#5 0x412e2fe4 in HandleEvent (aEvent=0xbfffee08) at nsView.cpp:68
#6 0x406466f0 in nsWidget::DispatchEvent (this=0x8668ee0, aEvent=0xbfffee08, aStatus=@0xbfffedbc) at nsWidget.cpp:1318
#7 0x4064642c in nsWidget::DispatchWindowEvent (this=0x8668ee0, event=0xbfffee08) at nsWidget.cpp:1223
#8 0x406467b0 in nsWidget::DispatchMouseEvent (this=0x8668ee0, aEvent=@0xbfffee08) at nsWidget.cpp:1345
#9 0x406473f8 in nsWidget::OnEnterNotifySignal (this=0x8668ee0, aGdkCrossingEvent=0x8393688) at nsWidget.cpp:1787
#10 0x406483d6 in nsWidget::EnterNotifySignal (aWidget=0x86690d8, aGdkCrossingEvent=0x8393688, aData=0x8668ee0) at nsWidget.cpp:2340
#11 0x4075e79d in gtk_marshal_BOOL__POINTER () from /usr/lib/libgtk-1.2.so.0
#12 0x40726037 in gtk_handlers_run () from /usr/lib/libgtk-1.2.so.0
#13 0x4072552f in gtk_signal_real_emit () from /usr/lib/libgtk-1.2.so.0
#14 0x40723800 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#15 0x407565b8 in gtk_widget_event () from /usr/lib/libgtk-1.2.so.0
#16 0x406fa546 in gtk_main_do_event () from /usr/lib/libgtk-1.2.so.0
#17 0x4079dab2 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#18 0x407ca2c6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#19 0x407ca801 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#20 0x407ca979 in g_main_run () from /usr/lib/libglib-1.2.so.0
#21 0x406f9f3a in gtk_main () from /usr/lib/libgtk-1.2.so.0
#22 0x4062fd35 in nsAppShell::Run (this=0x813a748) at nsAppShell.cpp:399
#23 0x403ff4e1 in nsAppShellService::Run (this=0x812bc48) at nsAppShellService.cpp:488
#24 0x804bb63 in main1 (argc=1, argv=0xbffff4f4) at nsAppRunner.cpp:580
#25 0x804bdf9 in main (argc=1, argv=0xbffff4f4) at nsAppRunner.cpp:670
Assignee: trudelle → hyatt
reassigning to hyatt.
Assignee: hyatt → waterson
Status: NEW → ASSIGNED
Priority: P3 → P1
Target Milestone: M13
One more ingredient: you need to move the mouse in the content area. In the debugger, it looks like the prototype document has been deleted from beneath the element. Uh oh.
spam: changing qa contact from ckritzer -> paulmac for xul bugs
Attached patch proposed fix (deleted) — Splinter Review
hyatt: could you code review my fix? Here's what was happening. We were transferring ownership of a partially-constructed prototype element tree to the prototype document too early. Specifically, we were setting the prototype document's root element as soon as we created the root element. Since the XUL content sink's cleanup code deletes all of the prototype nodes left on the content stack when a parse fails, the prototype document was left with a dangling pointer to a deleted root node. (Which is what happened in this case: note that in dmose's sample there is no </window> tag). The fix moves the "ownership transfer" to the CloseContainer() routine.
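The ownership rule described in the comment above, as an added sketch that is not part of this bug's comments or the attached patch: the sink's stack owns every partially built node, and the document receives the root only when the root container is closed, so a failed parse leaves the document with no root rather than a dangling one. ProtoNode, ProtoDocument, ContentSink, Abort and ParseEvents are hypothetical stand-ins, not Mozilla's classes, and the '<' / '>' event strings are constructed input.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the prototype element, prototype document and content sink.
struct ProtoNode {
    std::string tag;
    std::vector<std::unique_ptr<ProtoNode>> kids;
    static int live;                      // number of nodes currently allocated
    explicit ProtoNode(std::string t) : tag(std::move(t)) { ++live; }
    ~ProtoNode() { --live; }
};
int ProtoNode::live = 0;

struct ProtoDocument {
    std::unique_ptr<ProtoNode> root;      // set only once the root container is closed
};

class ContentSink {
    ProtoDocument& doc_;
    std::vector<std::unique_ptr<ProtoNode>> stack_;  // partially built containers
public:
    explicit ContentSink(ProtoDocument& d) : doc_(d) {}
    void OpenContainer(const std::string& tag) {
        // The stack owns the new node; the document is not told about it yet.
        stack_.push_back(std::make_unique<ProtoNode>(tag));
    }
    bool CloseContainer() {
        if (stack_.empty()) return false;
        auto node = std::move(stack_.back());
        stack_.pop_back();
        if (stack_.empty()) doc_.root = std::move(node);   // ownership transfer happens here
        else stack_.back()->kids.push_back(std::move(node));
        return true;
    }
    // Parse failed or input ended early: free whatever is still on the stack.
    void Abort() { stack_.clear(); }
};

// Feeds a constructed event string: '<' opens a container, '>' closes one.
// Returns true if the document ended up with a root element.
bool ParseEvents(const std::string& events, ProtoDocument& doc) {
    ContentSink sink(doc);
    for (char c : events) {
        if (c == '<') sink.OpenContainer("e");
        else if (c == '>') sink.CloseContainer();
    }
    sink.Abort();
    return doc.root != nullptr;
}
```

With the event string "<<>" (root opened but never closed, like the missing </window> in the sample), the cleanup frees both nodes and the document's root stays null.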
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
fix checked in, r=hyatt
BULK MOVE: Changing component from XUL to XP Toolkit/Widgets: XUL. XUL component will be deleted.
Component: XUL → XP Toolkit/Widgets: XUL
verified
Status: RESOLVED → VERIFIED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: paulmac → xptoolkit.widgets