Crash [@ nsRect::nsRect(const nsRect & {...}) line 56]

VERIFIED FIXED

Status

Core
Layout
--
major
VERIFIED FIXED
12 years ago
7 years ago

People

(Reporter: bc, Assigned: Bernd)

Tracking

(Blocks: 1 bug, {crash, verified1.8.0.1, verified1.8.1})

Trunk
x86
Windows XP
crash, verified1.8.0.1, verified1.8.1
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] null dereference, crash signature)

Attachments

(2 attachments)

More proof this is probably the same as bug 310426, it doesn't crash with 2005-09-20 build, but crashes with 2005-09-21 build (which is the same regression range as bug 310505, which is essentially a dupe of bug 310426).
Depends on: 310426
realCell is null on line 2318 of nsTableFrame.cpp. Adding a null check to the if(realCell != lastCell) line above would stop the crash, but I have no idea if it's the right thing to do: Are null cells something normal this code should be coping with, or is the fact we have a null cell the real problem?
Keywords: crash
Whiteboard: [sg:nse] null dereference
(Assignee)

Comment 4

12 years ago
Created attachment 204293 [details]
testcase (WARNING: crashes onload)

The code is simply wrong; it is seldom executed, so it's a very old bug.
(Assignee)

Updated

12 years ago
Assignee: nobody → bernd_mozilla
(Assignee)

Updated

12 years ago
Status: UNCONFIRMED → NEW
No longer depends on: 310426
Ever confirmed: true
(Assignee)

Comment 5

12 years ago
Created attachment 204294 [details] [diff] [review]
patch

this makes the code more symmetric to http://lxr.mozilla.org/mozilla/source/layout/tables/nsTableFrame.cpp#2444
Attachment #204294 - Flags: superreview?(bzbarsky)
Attachment #204294 - Flags: review?(bzbarsky)
Attachment #204294 - Flags: superreview?(bzbarsky) → superreview+
Attachment #204294 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 7

12 years ago
Fix checked in. Martijn, could you please test with a build that has the patch and open a new bug with the security flag and a new stack trace.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
OK, I filed bug 318451.
(Assignee)

Comment 9

12 years ago
Comment on attachment 204294 [details] [diff] [review]
patch

Low-risk null check; I think it's worth taking on the branch. If not 1.8.0.1, then 1.8.1 (or however you name it) for sure.
Attachment #204294 - Flags: approval1.8.0.1?

Updated

12 years ago
Blocks: 318451

Comment 10

12 years ago
Comment on attachment 204294 [details] [diff] [review]
patch

Please land in both 1.8.1 and 1.8.0 branches.
Attachment #204294 - Flags: approval1.8.1+
Attachment #204294 - Flags: approval1.8.0.1? → approval1.8.0.1+
(Assignee)

Comment 11

12 years ago
Fixed on branches.
Keywords: fixed1.8.0.1, fixed1.8.1
(Reporter)

Comment 12

12 years ago
Verified the _specified_ crash no longer occurs on Windows with 1.8.0.1. Firefox 1.5.0.1 hangs now and requires the process to be killed. Trunk crashes with a newer, uglier stack, which appears in bug 322704.
Keywords: fixed1.8.0.1 → verified1.8.0.1
(Reporter)

Comment 13

12 years ago
Verified no crash with the testcase on 1.8.0.1, 1.8.1, 1.9a1 on Windows.
Status: RESOLVED → VERIFIED
Flags: testcase?
Keywords: fixed1.8.1 → verified1.8.1
(Reporter)

Updated

12 years ago
Flags: testcase? → testcase+
Whiteboard: [sg:nse] null dereference → [sg:nse] null dereference. random-styles
(Reporter)

Updated

11 years ago
Flags: in-testsuite+ → in-testsuite?
Whiteboard: [sg:nse] null dereference. random-styles → [sg:nse] null dereference
Group: security
(Reporter)

Comment 14

9 years ago
Crash test landed:
http://hg.mozilla.org/mozilla-central/rev/4d671f0bafad
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsRect::nsRect(const nsRect & {...}) line 56]