Closed Bug 1748 Opened 26 years ago Closed 26 years ago

crash dereferencing null pointer

Categories

(Core Graveyard :: Plug-ins, defect, P1)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: buster, Assigned: serhunt)

Details

the URL crashes dereferencing a null "container" returned by the pres context
(with return value = NS_OK).  Either the pres context is returning the wrong
value, making the nsObjectFrame::Reflow code correct, or the interface is
allowed to return null in the "NS_OK" case making the reflow code incorrect.  I
can't tell which is right.  If null is a legal return value, we should check all
uses of GetContainer.

stack:
nsObjectFrame::Reflow() line 371 + 16 bytes
nsInlineReflow::ReflowFrame() line 498
nsInlineReflow::ReflowFrame() line 271 + 16 bytes
nsInlineFrame::ReflowFrame() line 976 + 12 bytes
nsInlineFrame::ReflowMapped() line 909 + 24 bytes
nsInlineFrame::InitialReflow() line 789 + 20 bytes
nsInlineFrame::Reflow() line 549 + 25 bytes
nsInlineReflow::ReflowFrame() line 498
nsInlineReflow::ReflowFrame() line 271 + 16 bytes
nsBlockFrame::ReflowInlineFrame() line 3575 + 18 bytes
nsBlockFrame::ReflowLine() line 2844 + 28 bytes
nsBlockFrame::ReflowLinesAt() line 2707 + 20 bytes
nsBlockFrame::ResizeReflow() line 2695 + 19 bytes
nsBlockFrame::InitialReflow() line 2265 + 12 bytes
nsBlockFrame::Reflow() line 1702 + 18 bytes
nsBodyFrame::Reflow() line 268 + 25 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableCellFrame::Reflow() line 334
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowFrame::InitialReflow() line 761 + 34 bytes
nsTableRowFrame::Reflow() line 1364 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowGroupFrame::ReflowMappedChildren() line 365 + 34 bytes
nsTableRowGroupFrame::Reflow() line 873 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableFrame::ResizeReflowPass1() line 1696
nsTableFrame::Reflow() line 1547 + 43 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableOuterFrame::Reflow() line 999 + 37 bytes
nsInlineReflow::ReflowFrame() line 498
nsInlineReflow::ReflowFrame() line 271 + 16 bytes
nsBlockFrame::ReflowBlockFrame() line 3354 + 12 bytes
nsBlockFrame::ReflowLine() line 2837 + 24 bytes
nsBlockFrame::ReflowLinesAt() line 2707 + 20 bytes
nsBlockFrame::ResizeReflow() line 2695 + 19 bytes
nsBlockFrame::InitialReflow() line 2265 + 12 bytes
nsBlockFrame::Reflow() line 1702 + 18 bytes
nsBodyFrame::Reflow() line 268 + 25 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableCellFrame::Reflow() line 334
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowFrame::InitialReflow() line 761 + 34 bytes
nsTableRowFrame::Reflow() line 1364 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowGroupFrame::ReflowMappedChildren() line 365 + 34 bytes
nsTableRowGroupFrame::Reflow() line 873 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableFrame::ResizeReflowPass1() line 1696
nsTableFrame::Reflow() line 1547 + 43 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableOuterFrame::Reflow() line 999 + 37 bytes
nsInlineReflow::ReflowFrame() line 498
nsInlineReflow::ReflowFrame() line 271 + 16 bytes
nsBlockFrame::ReflowBlockFrame() line 3354 + 12 bytes
nsBlockFrame::ReflowLine() line 2837 + 24 bytes
nsBlockFrame::ReflowLinesAt() line 2707 + 20 bytes
nsBlockFrame::ResizeReflow() line 2695 + 19 bytes
nsBlockFrame::InitialReflow() line 2265 + 12 bytes
nsBlockFrame::Reflow() line 1702 + 18 bytes
nsBodyFrame::Reflow() line 268 + 25 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableCellFrame::Reflow() line 334
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowFrame::InitialReflow() line 761 + 34 bytes
nsTableRowFrame::Reflow() line 1364 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableRowGroupFrame::ReflowMappedChildren() line 365 + 34 bytes
nsTableRowGroupFrame::Reflow() line 873 + 39 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableFrame::ResizeReflowPass1() line 1696
nsTableFrame::Reflow() line 1547 + 43 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsTableOuterFrame::Reflow() line 999 + 37 bytes
nsInlineReflow::ReflowFrame() line 498
nsInlineReflow::ReflowFrame() line 271 + 16 bytes
nsBlockFrame::ReflowBlockFrame() line 3354 + 12 bytes
nsBlockFrame::ReflowLine() line 2837 + 24 bytes
nsBlockFrame::ReflowLinesAt() line 2707 + 20 bytes
nsBlockFrame::ResizeReflow() line 2695 + 19 bytes
nsBlockFrame::InitialReflow() line 2265 + 12 bytes
nsBlockFrame::Reflow() line 1702 + 18 bytes
nsBodyFrame::Reflow() line 268 + 25 bytes
nsContainerFrame::ReflowChild() line 391 + 28 bytes
nsScrollFrame::Reflow() line 349
nsContainerFrame::ReflowChild() line 391 + 28 bytes
RootFrame::Reflow() line 209
PresShell::InitialReflow() line 551
PresShell::VerifyIncrementalReflow() line 1461
PresShell::ProcessReflowCommands() line 770
PresShell::ExitReflowLock() line 453
PresShell::ContentAppended() line 889
nsDocument::ContentAppended() line 870
nsHTMLDocument::ContentAppended() line 425 + 17 bytes
HTMLContentSink::WillInterrupt() line 1398
CNavDTD::WillInterruptParse() line 3569 + 18 bytes
nsParser::ResumeParse() line 692
nsParser::OnDataAvailable() line 929 + 15 bytes
nsDocumentBindInfo::OnDataAvailable() line 1553 + 24 bytes
OnDataAvailableProxyEvent::HandleEvent() line 606 + 45 bytes
StreamListenerProxyEvent::HandlePLEvent() line 452 + 12 bytes
PL_HandleEvent() line 395 + 10 bytes


code:
NS_IMETHODIMP
nsObjectFrame::Reflow(nsIPresContext&          aPresContext,
                      nsHTMLReflowMetrics&     aMetrics,
                      const nsHTMLReflowState& aReflowState,
                      nsReflowStatus&          aStatus)
{
  // Get our desired size
  GetDesiredSize(&aPresContext, aReflowState, aMetrics);

  // XXX deal with border and padding the usual way...wrap it up!

  nsIAtom* atom;
  mContent->GetTag(atom);
  if ((nsnull != atom) && (nsnull == mInstanceOwner)) {
    static NS_DEFINE_IID(kIPluginHostIID, NS_IPLUGINHOST_IID);
    static NS_DEFINE_IID(kIContentViewerContainerIID, NS_ICONTENT_VIEWER_CONTAINER_IID);

    nsISupports               *container;
    nsIPluginHost             *pm;
    nsIContentViewerContainer *cv;
    nsresult                  rv;

    mInstanceOwner = new nsPluginInstanceOwner();

    if (nsnull != mInstanceOwner) {
      NS_ADDREF(mInstanceOwner);
      mInstanceOwner->Init(&aPresContext, this);

      rv = aPresContext.GetContainer(&container);

      /* returns NS_OK with NULL container */

      if (NS_OK == rv) {
        rv = container->QueryInterface(kIContentViewerContainerIID, (void **)&cv);
        /* container is NULL! */
Assignee: michaelp → av
Component: Layout → Plug-ins
Status: NEW → ASSIGNED
I cannot reproduce this with the tree pulled yesterday, 12.2.98
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → INVALID
I can't reproduce it either.  However, failing to reproduce in this one case
doesn't really address the point of the bug report.  We did (at least once) get
a null returned through an interface where null seems to be unexpected.  Either
the interface should be better documented, or null should be checked for in all
uses. Perhaps an assert should be added in the GetContainer method to check for
a null return if in fact that isn't legal.
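The failure mode in the report (a getter that returns NS_OK with a null out-param, and a caller that trusts the status code alone) next to the two fixes proposed above, as an added C++ example that is not code from the Mozilla tree: PresContext, TrustingCallerWouldCrash, CheckingCallerResult and StrictGetContainer are constructed stand-ins for nsIPresContext::GetContainer and its caller in nsObjectFrame::Reflow; nsresult and NS_ERROR_NULL_POINTER mirror XPCOM's conventions.

```cpp
// Stand-ins for the XPCOM conventions in the report (constructed for this
// example, not Mozilla's headers): a status code and an opaque container.
typedef unsigned int nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_NULL_POINTER = 0x80004003;  // XPCOM's value
struct nsISupports {};
static nsISupports gSampleContainer;  // constructed object to hand out

// Pres-context stand-in with the reported behaviour: NS_OK with no container.
struct PresContext {
  nsISupports* mContainer;
  explicit PresContext(bool aHas) : mContainer(aHas ? &gSampleContainer : nullptr) {}
  nsresult GetContainer(nsISupports** aResult) {
    *aResult = mContainer;  // may be null, and rv is still NS_OK
    return NS_OK;
  }
};

// The caller pattern from nsObjectFrame::Reflow: trust rv, then dereference.
// Rather than calling through the pointer (which would crash), it reports
// whether that QueryInterface call would have gone through null.
bool TrustingCallerWouldCrash(bool aHasContainer) {
  PresContext pc(aHasContainer);
  nsISupports* container;
  nsresult rv = pc.GetContainer(&container);
  if (NS_OK == rv) {
    return container == nullptr;  // original: container->QueryInterface(...)
  }
  return false;
}

// Hardened caller: initialise the out pointer and treat a null result as a
// failure regardless of rv, turning a "successful" null into a clean error.
nsresult CheckingCallerResult(bool aHasContainer) {
  PresContext pc(aHasContainer);
  nsISupports* container = nullptr;
  nsresult rv = pc.GetContainer(&container);
  if (NS_OK != rv) return rv;
  if (nullptr == container) return NS_ERROR_NULL_POINTER;
  // container->QueryInterface(...) is now safe to call
  return NS_OK;
}

// Producer-side fix suggested above: the getter refuses to pair NS_OK with
// null. Returning an error instead of only asserting keeps the check in
// release builds, where assert() is compiled out.
nsresult StrictGetContainer(PresContext& aPc, nsISupports** aResult) {
  *aResult = aPc.mContainer;
  return (*aResult != nullptr) ? NS_OK : NS_ERROR_NULL_POINTER;
}
```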
[Pinged Steve by E-mail to ask whether he'd like to re-open the bug to address
the greater issue of dealing with nulls in this interface, or if it's okay to
rubber-stamp the bug verified since the problem no longer occurs on this site.]
Status: RESOLVED → VERIFIED
Marking as verified, per E-mail from Steve.
Product: Core → Core Graveyard