Closed
Bug 19033
Opened 25 years ago
Closed 25 years ago
simple (but likely bogus) XUL document segfaults
Categories
(Core :: XUL, defect, P1)
Tracking
()
VERIFIED
FIXED
M13
People
(Reporter: dmosedale, Assigned: waterson)
Details
Attachments
(2 files)
(deleted),
text/xul
|
Details | |
(deleted),
patch
|
Details | Diff | Splinter Review |
Debug build from the CVS tip, early Tuesday the 16th.
I'll attach the document in question.
Stack trace as follows:
#0 0x40944b35 in nsXULElement::GetTagName (this=0x865e940,
aTagName=@0xbfffeac0) at nsXULElement.cpp:961
#1 0x4094a792 in nsXULElement::HandleDOMEvent (this=0x865e940,
aPresContext=@0x82f0ed0, aEvent=0xbfffee08, aDOMEvent=0xbfffeb58,
aFlags=1, aEventStatus=@0xbfffed24) at nsXULElement.cpp:2534
#2 0x40efba00 in PresShell::HandleEvent (this=0x86692a8, aView=0x8668e78,
aEvent=0xbfffee08, aEventStatus=@0xbfffed24) at nsPresShell.cpp:2410
#3 0x412e4ec9 in nsView::HandleEvent (this=0x8668e78, event=0xbfffee08,
aEventFlags=28, aStatus=@0xbfffed24, aHandled=@0xbfffecc8)
at nsView.cpp:839
#4 0x412f0be3 in nsViewManager::DispatchEvent (this=0x8668d08,
aEvent=0xbfffee08, aStatus=@0xbfffed24) at nsViewManager.cpp:1722
#5 0x412e2fe4 in HandleEvent (aEvent=0xbfffee08) at nsView.cpp:68
#6 0x406466f0 in nsWidget::DispatchEvent (this=0x8668ee0, aEvent=0xbfffee08,
aStatus=@0xbfffedbc) at nsWidget.cpp:1318
#7 0x4064642c in nsWidget::DispatchWindowEvent (this=0x8668ee0,
event=0xbfffee08) at nsWidget.cpp:1223
#8 0x406467b0 in nsWidget::DispatchMouseEvent (this=0x8668ee0,
aEvent=@0xbfffee08) at nsWidget.cpp:1345
#9 0x406473f8 in nsWidget::OnEnterNotifySignal (this=0x8668ee0,
aGdkCrossingEvent=0x8393688) at nsWidget.cpp:1787
#10 0x406483d6 in nsWidget::EnterNotifySignal (aWidget=0x86690d8,
aGdkCrossingEvent=0x8393688, aData=0x8668ee0) at nsWidget.cpp:2340
#11 0x4075e79d in gtk_marshal_BOOL__POINTER () from /usr/lib/libgtk-1.2.so.0
#12 0x40726037 in gtk_handlers_run () from /usr/lib/libgtk-1.2.so.0
#13 0x4072552f in gtk_signal_real_emit () from /usr/lib/libgtk-1.2.so.0
#14 0x40723800 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#15 0x407565b8 in gtk_widget_event () from /usr/lib/libgtk-1.2.so.0
#16 0x406fa546 in gtk_main_do_event () from /usr/lib/libgtk-1.2.so.0
#17 0x4079dab2 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#18 0x407ca2c6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#19 0x407ca801 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#20 0x407ca979 in g_main_run () from /usr/lib/libglib-1.2.so.0
#21 0x406f9f3a in gtk_main () from /usr/lib/libgtk-1.2.so.0
#22 0x4062fd35 in nsAppShell::Run (this=0x813a748) at nsAppShell.cpp:399
#23 0x403ff4e1 in nsAppShellService::Run (this=0x812bc48)
at nsAppShellService.cpp:488
#24 0x804bb63 in main1 (argc=1, argv=0xbffff4f4) at nsAppRunner.cpp:580
#25 0x804bdf9 in main (argc=1, argv=0xbffff4f4) at nsAppRunner.cpp:670
Reporter | ||
Comment 1•25 years ago
|
||
Updated•25 years ago
|
Assignee: trudelle → hyatt
Comment 2•25 years ago
|
||
reassigning to hyatt.
Updated•25 years ago
|
Assignee: hyatt → waterson
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Priority: P3 → P1
Target Milestone: M13
Assignee | ||
Comment 3•25 years ago
|
||
One more ingredient: you need to move the mouse in the content area. In the
debugger, it looks like the prototype document has been deleted from beneath
the element. Uh oh.
Comment 4•25 years ago
|
||
spam: changing qa contact from ckritzer -> paulmac for xul bugs
Assignee | ||
Comment 5•25 years ago
|
||
Assignee | ||
Comment 6•25 years ago
|
||
hyatt: could you code review my fix?
Here's what was happening. We were transferring ownership of a
partially-constructed prototype element tree to the prototype document too
early. Specifically, we were setting the prototype document's root element as
soon as we created the root element.
Since the XUL content sink's cleanup code deletes all of the prototype nodes
left on the content stack when a parse fails, the prototype document was left
with a dangling pointer to a deleted root node. (Which is what happened in this
case: note that in dmose's sample there is no </window> tag).
The fix moves the "ownership transfer" to the CloseContainer() routine.
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•25 years ago
|
||
fix checked in, r=hyatt
BULK MOVE: Changing component from XUL to XP Toolkit/Widgets: XUL. XUL
component will be deleted.
Component: XUL → XP Toolkit/Widgets: XUL
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: paulmac → xptoolkit.widgets
You need to log in
before you can comment on or make changes to this bug.
Description
•