
nsRect.h make mozilla crashes

Status: NEW
Assigned to: janv
Reporter: Cédric Chantepie
Product: Core
Component: XUL
Priority: --
Severity: critical
Opened: 14 years ago
Updated: 8 years ago
Keywords: crash, testcase
Version: Trunk
Platform: x86, Windows 2000
Points: ---
Firefox Tracking Flags: Not tracked
Attachments: 2

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

Trying to use editable tree extension made as XBL by ndaekin, nsRect.h crashes
with a segfault.

Reproducible: Always
Steps to Reproduce:
1. Click on a list item to display context menu (right click)
2. Click on "Change" in context menu
3. A small textbox (with black border) appears in order to change
list item content, try to click in it (or click elsewhere)

Actual Results:  
Mozilla crashes

Expected Results:  
work

Program received signal SIGSEGV, Segmentation fault.
0x03ff6499 in nsRect::nsRect(nsRect const&) (this=0x22cb24, aRect=@0x4)
    at ../../../../dist/include/gfx/nsRect.h:56
56        nsRect(const nsRect& aRect) {*this = aRect;}
(Reporter)

Comment 1

14 years ago
Created attachment 150798 [details]
Testcase
(Reporter)

Comment 2

14 years ago
#0  0x03ff6499 in nsRect::nsRect(nsRect const&) (this=0x22ceec, aRect=@0x4)
    at ../../../../dist/include/gfx/nsRect.h:56
#1  0x0404eee0 in nsIFrame::GetRect() const (this=0x0)
    at ../../../../dist/include/layout/nsIFrame.h:653
#2  0x03fb7983 in nsTreeColumn::GetWidth() (this=0xf51eba8)
    at c:/Docume~1/cchantepie.INTRANET/mozilla/layout/xul/base/src/tree/src/nsTreeColumns.h:71
#3  0x03f0ad73 in nsTreeBodyFrame::InvalidateCell(int, nsITreeColumn*) (
    this=0x11f2903c, aIndex=0, aCol=0xf51eba8)
    at c:/Docume~1/cchantepie.INTRANET/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:692
#4  0x03f1516e in nsTreeBoxObject::InvalidateCell(int, nsITreeColumn*) (
    this=0x11f35498, aRow=0, aCol=0xf51eba8)
    at c:/Docume~1/cchantepie.INTRANET/mozilla/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp:333
(Reporter)

Comment 3

14 years ago
Created attachment 150803 [details]
Correct js not to crash

There may have been some error check so that such a stupid/silly error in JS
doesn't go so far into mozilla and make it crash

#1  0x0404eee0 in nsIFrame::GetRect() const (this=0x0)

the null this pointer is the problem... not gfx's fault, it gets a 0x4 pointer
for the rect, which is invalid

looks like a tree calls GetRect on a null frame, so -> trees
Assignee: general → varga
Component: GFX → XP Toolkit/Widgets: Trees
QA Contact: ian
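
Why the trace shows aRect=@0x4 when this=0x0, and where a null check stops the call chain, as an added example that is not Mozilla's code. Frame, Column, mFrame, RectOffset, RectAddressFor and CellRect are hypothetical stand-ins, and the layout (vtable pointer followed by the rect) is an assumption chosen to match the addresses in the trace.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-ins for illustration; not Mozilla's classes.
struct Rect { int x = 0, y = 0, width = 0, height = 0; };

class Frame {
public:
    explicit Frame(int aWidth) { mRect.width = aWidth; }
    virtual ~Frame() = default;              // vtable pointer sits at offset 0
    Rect GetRect() const { return mRect; }   // copies the Rect at this + RectOffset()
    // Offset of mRect inside a Frame, measured on a live object.
    static std::size_t RectOffset() {
        Frame f(0);
        return static_cast<std::size_t>(reinterpret_cast<const char*>(&f.mRect) -
                                        reinterpret_cast<const char*>(&f));
    }
private:
    Rect mRect;                              // assumed first data member
};

// Address the Rect copy constructor is handed for a given `this` value.
// With this == 0 on 32-bit x86 this is 0x4, the aRect=@0x4 in frame #0.
std::uintptr_t RectAddressFor(std::uintptr_t aThis) {
    return aThis + Frame::RectOffset();
}

struct Column {
    Frame* mFrame = nullptr;                 // hypothetical: column has no frame
    // Unchecked form matching frame #2: return mFrame->GetRect().width;
    // Checked form: report failure instead of calling through a null frame.
    bool GetWidth(int* aWidth) const {
        if (!mFrame) return false;
        *aWidth = mFrame->GetRect().width;
        return true;
    }
};

// Caller side: build the cell rectangle to invalidate, or refuse when the
// column has no frame, so a script mistake ends as an error, not a crash.
bool CellRect(const Column& aCol, int aRow, int aRowHeight, Rect* aOut) {
    int width = 0;
    if (!aCol.GetWidth(&width)) return false;
    aOut->y = aRow * aRowHeight;
    aOut->width = width;
    aOut->height = aRowHeight;
    return true;
}
```

On a 64-bit build the same offset is 8 rather than 4, because the vtable pointer is twice as wide.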

Updated

14 years ago
Keywords: crash, testcase

Comment 5

13 years ago
(Marking NEW, as bug is reproduced and with testcase)
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

9 years ago
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.widgets

I can't reproduce with the testcase on Vista. I get a security error when I load it.
Cedric, are you still seeing this crash?