Closed Bug 289477 Opened 20 years ago Closed 20 years ago

crash [@ DocumentViewerImpl::GetPopupImageNode] when popupnode is null

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash)

Attachments

(1 obsolete file)

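Steps to reproduce? Use DOMi recklessly. [I don't have exact steps, but the code is wrong: in the locals below, `node` holds a null pointer when it is passed to CallQueryInterface, which matches the access violation reading location 0x00000000.]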

Unhandled exception at 0x00f8ede0 (gklayout.dll) in mozilla.exe: 0xC0000005:
Access violation reading location 0x00000000.

+	this	0x02638dc0 {mRefCnt={mValue=199765280 } mContainer=0x0000001d
mDeviceContext={...} ...}	DocumentViewerImpl * const
+	aNode	0x00000000	nsIImageLoadingContent * *
-	node	{...}	nsCOMPtr<nsIDOMNode>
\+	nsCOMPtr_base	{mRawPtr=0x00000000 }	nsCOMPtr_base

  CallQueryInterface(node, aNode);

>	gklayout.dll!DocumentViewerImpl::GetPopupImageNode(nsIImageLoadingContent * *
aNode=0x00000000)  Line 2851 + 0x3	C++
 	gklayout.dll!DocumentViewerImpl::GetInImage(int * aInImage=0x00000000)  Line
2902	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0b45bc2c, unsigned int
methodIndex=13, unsigned int paramCount=1, nsXPTCVariant * params=0x0012ccf0)
 Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_GETTER)  Line 2034 + 0x16	C++
 	xpc3250.dll!XPC_WN_GetterSetter(JSContext * cx=0x00a1fea0, JSObject *
obj=0x0b79a878, unsigned int argc=0, long * argv=0x15decb30, long *
vp=0x0012cf54)  Line 1319 + 0xb	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1293 + 0x11	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x00a1fec8, JSObject *
obj=0x0b79a878, long fval=175713736, unsigned int flags=0, unsigned int argc=0,
long * argv=0x00000000, long * rval=0x0bafb714)  Line 1390 + 0xe	C
 	js3250.dll!js_InternalGetOrSet(JSContext * cx=0x00a1fea0, JSObject *
obj=0x0b79a878, long id=188315640, long fval=175713736, JSAccessMode
mode=JSACC_READ, unsigned int argc=0, long * argv=0x00000000, long *
rval=0x0bafb714)  Line 1433 + 0x15	C
 	js3250.dll!js_GetProperty(JSContext * cx=0x00a1fea0, JSObject *
obj=0x0b79a878, long id=188315640, long * vp=0x0bafb714)  Line 2773 + 0x1d	C
 	js3250.dll!JS_GetPropertyDesc(JSContext * cx=0x00000000, JSObject *
obj=0x0b79a878, JSScopeProperty * sprop=0x0c0e98a4, JSPropertyDesc *
pd=0x0bafb710)  Line 965 + 0x13	C
 	js3250.dll!JS_GetPropertyDescArray(JSContext * cx=0x00a1fea0, JSObject *
obj=0x0b79a878, JSPropertyDescArray * pda=0x0012d124)  Line 1066 + 0x10	C
 	jsd3250.dll!_buildProps(JSDContext * jsdc=0x00a1e338, JSDValue *
jsdval=0x0b45bc28)  Line 346 + 0xf	C
 	jsd3250.dll!jsd_GetCountOfProperties(JSDContext * jsdc=0x00a1e338, JSDValue *
jsdval=0x0bd82ac8)  Line 398 + 0x9	C
 	jsd3250.dll!jsdValue::GetPropertyCount(int * _rval=0x0012d18c)  Line 2162 +
0xb	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0012d314, unsigned int
methodIndex=11154102, unsigned int paramCount=30116712, nsXPTCVariant *
params=0x00000015)  Line 102	C++
 	xpc3250.dll!AutoJSSuspendRequest::SuspendRequest()  Line 3012 + 0x9	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_GETTER)  Line 2034 + 0x16	C++
 	xpc3250.dll!XPC_WN_GetterSetter(JSContext * cx=0x026233d8, JSObject *
obj=0x0a792a00, unsigned int argc=0, long * argv=0x09b2b9b4, long *
vp=0x0012d3f0)  Line 1319 + 0xb	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1293 + 0x11	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x0c30d3dc, JSObject *
obj=0x0a792a00, long fval=175712808, unsigned int flags=0, unsigned int argc=0,
long * argv=0x00000000, long * rval=0x0012d6bc)  Line 1390 + 0xe	C
 	js3250.dll!js_InternalGetOrSet(JSContext * cx=0x026233d8, JSObject *
obj=0x0a792a00, long id=161724832, long fval=175712808, JSAccessMode
mode=JSACC_READ, unsigned int argc=0, long * argv=0x00000000, long *
rval=0x0012d6bc)  Line 1433 + 0x15	C
 	js3250.dll!js_GetProperty(JSContext * cx=0x026233d8, JSObject *
obj=0x0a792a00, long id=161724832, long * vp=0x0012d6bc)  Line 2773 + 0x1d	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00a92d01, unsigned char *
pc=0x0b321634, long * result=0x0012cd48)  Line 5219 + 0x197	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1313 + 0xc	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x0012cd2c, unsigned short methodIndex=11521, const nsXPTMethodInfo *
info=0x0b321634, nsXPTCMiniVariant * nativeParams=0x0012cd48)  Line 1339 + 0x10	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const
nsXPTMethodInfo * info=0x09b29958, nsXPTCMiniVariant * params=0x0012d910) 
Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x09dc7a88, unsigned
int methodIndex=3, unsigned int * args=0x0012d9cc, unsigned int *
stackBytesToPop=0x0012d9bc)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	jsd3250.dll!jsds_ExecutionHookProc(JSDContext * jsdc=0x00a1e338,
JSDThreadState * jsdthreadstate=0x0b301738, unsigned int type=4, void *
callerdata=0x00000000, long * rval=0x0012dbcc)  Line 682	C++
 	jsd3250.dll!jsd_CallExecutionHook(JSDContext * jsdc=0x00a1e338, JSContext *
cx=0x026233d8, unsigned int type=5, unsigned int (JSDContext *, JSDThreadState
*, unsigned int, void *, long *)* hook=0x00e17d6b, void * hookData=0x00000000,
long * rval=0x0012dbcc)  Line 178	C
 	jsd3250.dll!jsd_ThrowHandler(JSContext * cx=0x026233d8, JSScript *
script=0x0b3de608, unsigned char * pc=0x0b3de7cd, long * rval=0x0012dbcc, void *
closure=0x0a504aa0)  Line 149 + 0x12	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00a92d01, unsigned char *
pc=0x0b321634, long * result=0x0012cd48)  Line 5293 + 0x14	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1313 + 0xc	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x0012cd2c, unsigned short methodIndex=11521, const nsXPTMethodInfo *
info=0x0b321634, nsXPTCMiniVariant * nativeParams=0x0012cd48)  Line 1339 + 0x10	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const
nsXPTMethodInfo * info=0x0168cde0, nsXPTCMiniVariant * params=0x0012de20) 
Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x01af33c0, unsigned
int methodIndex=3, unsigned int * args=0x0012dedc, unsigned int *
stackBytesToPop=0x0012decc)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x0a0ed608, nsIDOMEvent * aDOMEvent=0x0012cd2c,
nsIDOMEventTarget * aCurrentTarget=0x00a92d01, unsigned int aSubType=187831860,
unsigned int aPhaseFlags=1232200)  Line 1512 + 0xb	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012e6d8, nsIDOMEvent * *
aDOMEvent=0x0012e554, nsIDOMEventTarget * aCurrentTarget=0x12891538, unsigned
int aFlags=2, nsEventStatus * aEventStatus=0x0012e720)  Line 1589	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsPresContext *
aPresContext=0x0a0ed608, nsEvent * aEvent=0x0012cd2c, nsIDOMEvent * *
aDOMEvent=0x00a92d01, unsigned int aFlags=187831860, nsEventStatus *
aEventStatus=0x0012cd48)  Line 2820	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsPresContext *
aPresContext=0x0a0ed608, nsEvent * aEvent=0x0012cd2c, nsIDOMEvent * *
aDOMEvent=0x00a92d01, unsigned int aFlags=187831860, nsEventStatus *
aEventStatus=0x0012cd48)  Line 2839	C++
 	gklayout.dll!nsXULElement::SetAttrAndNotify(int aNamespaceID=187831860,
nsIAtom * aAttribute=0x0012ce10, nsIAtom * aPrefix=0x0a0ed608, const nsAString &
aOldValue={...}, nsAttrValue & aParsedValue={...}, int aModification=11087105,
int aFireMutation=187831860, int aNotify=1232200)  Line 2197	C++
 	gklayout.dll!nsXULElement::SetAttr(int aNamespaceID=168744456, nsIAtom *
aName=0x0012cd2c, nsIAtom * aPrefix=0x00a92d01, const nsAString & aValue={...},
int aNotify=1232200)  Line 2125 + 0x1f	C++
 	gklayout.dll!nsTreeContentView::ToggleOpenState(int aIndex=0)  Line 581 + 0x13	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0c943840, unsigned int
methodIndex=24, unsigned int paramCount=1, nsXPTCVariant * params=0x0012e87c)
 Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2034 + 0x16	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x026233d8, JSObject *
obj=0x017ce098, unsigned int argc=1, long * argv=0x0279f150, long *
vp=0x0012eae0)  Line 1287 + 0xa	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1293 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00a92d01, unsigned char *
pc=0x0b321634, long * result=0x0012cd48)  Line 3565	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00a92d01, unsigned int argc=187831860,
unsigned int flags=1232200)  Line 1313 + 0xc	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x02623400, JSObject *
obj=0x01856d30, long fval=30739976, unsigned int flags=0, unsigned int argc=1,
long * argv=0x0012ef1c, long * rval=0x0012ef40)  Line 1390 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x026233d8, JSObject *
obj=0x01856d30, long fval=30739976, unsigned int argc=1, long * argv=0x0012ef1c,
long * rval=0x0012ef40)  Line 3804 + 0x1a	C
 	gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x01856d30,
JSObject * aHandler=0x01d50e08, unsigned int argc=1, long * argv=0x0012ef1c,
long * rval=0x0012ef40)  Line 1344 + 0x18	C++
 	gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x0012cd48) 
Line 175 + 0x1c	C++
 	gklayout.dll!nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver *
aReceiver=0x0b321634, nsIDOMEvent * aEvent=0x0012cd48)  Line 491	C++
 	gklayout.dll!nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent *
aEvent=0x0bc2b990)  Line 143 + 0xc	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x0a0ed608, nsIDOMEvent * aDOMEvent=0x0012cd2c,
nsIDOMEventTarget * aCurrentTarget=0x00a92d01, unsigned int aSubType=187831860,
unsigned int aPhaseFlags=1232200)  Line 1512 + 0xb	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012f96c, nsIDOMEvent * *
aDOMEvent=0x0012f73c, nsIDOMEventTarget * aCurrentTarget=0x0bc2b990, unsigned
int aFlags=7, nsEventStatus * aEventStatus=0x0012f8d4)  Line 1589	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsPresContext *
aPresContext=0x0a0ed608, nsEvent * aEvent=0x0012cd2c, nsIDOMEvent * *
aDOMEvent=0x00a92d01, unsigned int aFlags=187831860, nsEventStatus *
aEventStatus=0x0012cd48)  Line 2820	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f96c,
nsIView * aView=0x0b966710, unsigned int aFlags=1, nsEventStatus *
aStatus=0x0012f8d4)  Line 5957 + 0x11	C++
 	gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x0b966710, nsGUIEvent *
aEvent=0x0012f96c, nsEventStatus * aEventStatus=0x0012f8d4, int aForceHandle=1,
int & aHandled=1)  Line 5812 + 0x11	C++
 	gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x00a92d01, nsGUIEvent
* aEvent=0x0b321634, int aCaptured=1232200)  Line 2354	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x3d888889,
nsEventStatus * aStatus=0x0012f930)  Line 2127 + 0x14	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f96c)  Line 166	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f96c,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1074 + 0x3	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x00000000) 
Line 1095	C++
 	gkwidget.dll!nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned
short aCharCode=0, unsigned int aVirtualCharCode=39, long aKeyData=21823489) 
Line 3003 + 0xe	C++
 	gkwidget.dll!nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=39, unsigned int
aScanCode=333, long aKeyData=21823489)  Line 3129	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=256, unsigned int
wParam=39, long lParam=21823489, long * aRetValue=0x0012fd14)  Line 3972	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x00140262, unsigned int
msg=256, unsigned int wParam=39, long lParam=206254908)  Line 1355 + 0x10	C++
 	user32.dll!_InternalCallWinProc@20()  + 0x1b	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7	
 	user32.dll!_DispatchMessageWorker@8()  + 0xd8	
 	user32.dll!_DispatchMessageW@4()  + 0xb	
 	gkwidget.dll!nsAppShell::Run()  Line 159	C++
 	appcomps.dll!nsAppStartup::Run()  Line 216	C++
 	mozilla.exe!main1(int argc=2, char * * argv=0x002a44d0, nsISupports *
nativeApp=0x02638d08)  Line 1321 + 0x9	C++
 	mozilla.exe!main(int argc=2, char * * argv=0x002a44d0)  Line 1813 + 0x13	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ *
__formal=0x00400000, char * args=0x00152370, HINSTANCE__ * __formal=0x00400000)
 Line 1841 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23
Summary: crash [@ DocumentViewerImpl::GetPopupImageNode] when popupnode is null → crash [@ DocumentViewerImpl::GetPopupImageNode][@ DocumentViewerImpl::GetPopupImageNode] when popupnode is null
Summary: crash [@ DocumentViewerImpl::GetPopupImageNode][@ DocumentViewerImpl::GetPopupImageNode] when popupnode is null → crash [@ DocumentViewerImpl::GetPopupImageNode] when popupnode is null
Severity: normal → critical
Attached patch look before leaping (obsolete) — Splinter Review
the other caller tolerates a null out, so this should too.
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #180017 - Flags: superreview?(bzbarsky)
Attachment #180017 - Flags: review?(cbiesinger)
Attachment #180017 - Flags: review?(cbiesinger) → review+
Attachment #180017 - Flags: superreview?(bzbarsky) → superreview+
Attachment #180017 - Flags: approval1.8b3?
Comment on attachment 180017 [details] [diff] [review]
look before leaping

a=shaver
Attachment #180017 - Flags: approval1.8b3? → approval1.8b3+
Comment on attachment 180017 [details] [diff] [review]
look before leaping

mozilla/layout/base/nsDocumentViewer.cpp	1.427
Attachment #180017 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Crash Signature: [@ DocumentViewerImpl::GetPopupImageNode]