Closed Bug 503978 Opened 15 years ago Closed 15 years ago

[HTML5] nsContentSink on null this

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 502091

People

(Reporter: Delineif, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090713 Firefox/3.6a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090713 Firefox/3.6a1pre

Null dereferencing at nsContentSink::ProcessHeaderData. There's a segfault when trying to call mDocument->SetHeaderData, since ProcessHeaderData is called with a NULL this.

That's a bit strange, since at nsHtml5TreeOperation::Perform aBuilder is 0x114e5ba8:

    case eTreeOpProcessMeta: {
      rv = aBuilder->ProcessMeta(mNode);

But inside nsContentSink::ProcessMETATag, this is NULL (ProcessMeta == ProcessMETATag?).

Reproducible: Sometimes

Steps to Reproduce:
Happened twice when adding an archive into an input file

xul.dll!nsContentSink::ProcessHeaderData(nsIAtom * aHeader=0x01583110, const nsAString_internal & aValue={...}, nsIContent * aContent=0x0b855670) Line 472 + 0x3 bytes C++
xul.dll!nsContentSink::ProcessMETATag(nsIContent * aContent=0x0b855670) Line 830 C++
xul.dll!nsHtml5TreeOperation::Perform(nsHtml5TreeBuilder * aBuilder=0x114e5ba8) Line 152 C++
xul.dll!nsHtml5TreeBuilder::Flush() Line 477 + 0x9 bytes C++
xul.dll!nsHtml5TreeBuilder::endTokenization() Line 555 + 0xa bytes C++
xul.dll!nsHtml5Tokenizer::end() Line 3182 C++
xul.dll!nsHtml5Parser::ParseFragment(const nsAString_internal & aSourceBuffer={...}, nsISupports * aTargetNode=0x00000000, nsIAtom * aContextLocalName=0x01581c7c, int aContextNamespace=3, int aQuirks=0) Line 529 C++
xul.dll!nsContentUtils::CreateContextualFragment(nsIDOMNode * aContextNode=0x110601b4, const nsAString_internal & aFragment={...}, int aWillOwnFragment=0, nsIDOMDocumentFragment * * aReturn=0x0012f1bc) Line 3655 C++
xul.dll!nsGenericHTMLElement::SetInnerHTML(const nsAString_internal & aInnerHTML={...}) Line 708 + 0x15 bytes C++
xul.dll!nsGenericHTMLElementTearoff::SetInnerHTML(const nsAString_internal & aInnerHTML={...}) Line 190 + 0x13 bytes C++
xul.dll!nsIDOMNSHTMLElement_SetInnerHTML(JSContext * cx=0x059549e8, JSObject * obj=0x0c862e20, int id=20252164, int * vp=0x0012f2c4) Line 12713 C++
js3250.dll!js_SetSprop(JSContext * cx=0x059549e8, JSScopeProperty * sprop=0x00000000, JSObject * obj=0x00000000, int * vp=0x00000000) Line 402 + 0xb bytes C++
js3250.dll!js_SetPropertyHelper(JSContext * cx=0x00000000, JSObject * obj=0x0c862e20, int id=20252164, int cacheResult=1, int * vp=0x0012f2c4) Line 4518 + 0x10 bytes C++
js3250.dll!js_Interpret(JSContext * cx=) Line 4852 + 0x10 bytes C++
js3250.dll!js_Invoke(JSContext * cx=0x0012f150, unsigned int argc=102951800, int * vp=0x0012f3c8, unsigned int flags=2089872920) Line 1389 + 0x1a bytes C++
0000ffff()
ntdll.dll!RtlAllocateHeap() + 0x117 bytes
[Los marcos siguientes pueden no ser correctos o faltar, no se han cargado símbolos para ntdll.dll]
msvcr80.dll!malloc() + 0x7a bytes
js3250.dll!js_Invoke(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6cec, unsigned int flags=0) Line 1397 + 0x6 bytes C++
js3250.dll!js_fun_apply(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6cb4) Line 2081 C++
js3250.dll!js_Interpret(JSContext * cx=0x059549e8) Line 5219 C++
js3250.dll!js_Invoke(JSContext * cx=0x059549e8, unsigned int argc=1, int * vp=0x0b8a6b00, unsigned int flags=0) Line 1397 + 0x6 bytes C++
xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x2172efc8, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x015e3f70, nsXPTCMiniVariant * nativeParams=0x0012f7f4) Line 1647 + 0x16 bytes C++
xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x015e3f70, nsXPTCMiniVariant * params=0x0012f7f4) Line 571 C++
xul.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0ace1d58, unsigned int methodIndex=3, unsigned int * args=0x0012f8ac, unsigned int * stackBytesToPop=0x0012f89c) Line 114 + 0x15 bytes C++
xul.dll!SharedStub() Line 142 C++
xul.dll!nsPluginElement::GetDescription(nsAString_internal & aDescription={...}) Line 311 C++
xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x10015049, nsIDOMEventListener * aListener=0x00d0042c, nsIDOMEvent * aDOMEvent=0x0012f958, nsPIDOMEventTarget * aCurrentTarget=0x00000001, unsigned int aPhaseFlags=13632532) Line 1034 + 0x7 bytes C++
xul.dll!nsCycleCollectingAutoRefCnt::incr(nsISupports * owner=0x0012f9d4) Line 151 C++
xul.dll!XPCJSContextStack::Push(JSContext * cx=0x00000006) Line 137 + 0x13 bytes C++
00000005()

nsContentSink isn't properly initialized in the fragment case.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
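
Added illustration, not part of the bug report and not Mozilla code: a simplified model of how a valid builder pointer can still lead to a callee running with a null this, and the guard that turns the crash into an error return. The names Document, Sink, Builder and Result, and the assumption that the fragment path leaves the builder's sink pointer unset, are hypothetical.

```cpp
#include <map>
#include <string>

// Hypothetical stand-ins for the document, the content sink and the tree builder.
struct Document {
    std::map<std::string, std::string> headers;
    void SetHeaderData(const std::string& k, const std::string& v) { headers[k] = v; }
};
enum class Result { Ok, NotInitialized };

class Sink {
public:
    explicit Sink(Document* doc) : mDocument(doc) {}
    // Non-virtual calls never read *this to dispatch, so a null `this` goes
    // unnoticed until the first member access (mDocument) in this function.
    void ProcessHeaderData(const std::string& k, const std::string& v) {
        mDocument->SetHeaderData(k, v);
    }
    void ProcessMETATag(const std::string& k, const std::string& v) {
        ProcessHeaderData(k, v);  // forwards `this` unchanged
    }
private:
    Document* mDocument;
};

class Builder {
public:
    // Assumption: the fragment path constructs the builder without a sink.
    explicit Builder(Sink* sink) : mSink(sink) {}
    Result ProcessMeta(const std::string& k, const std::string& v) {
        // Guard at the forwarding point. Without it, calling through a null
        // mSink is undefined behaviour; in practice the callee is entered
        // with this == nullptr and faults two frames further down.
        if (!mSink) return Result::NotInitialized;
        mSink->ProcessMETATag(k, v);
        return Result::Ok;
    }
private:
    Sink* mSink;
};

// Constructed inputs: one full-document parse, one fragment parse.
Result parse_document_meta(Document& doc) {
    Sink sink(&doc);
    Builder builder(&sink);
    return builder.ProcessMeta("content-language", "en");
}
Result parse_fragment_meta() {
    Builder builder(nullptr);  // non-null builder, null sink inside it
    return builder.ProcessMeta("content-language", "en");
}
int main() { Document d; return parse_document_meta(d) == Result::Ok ? 0 : 1; }
```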