Closed Bug 323022 Opened 18 years ago Closed 18 years ago

Crash [@ nsSpaceManager::GetTranslation() line 196] with null SpaceManager on SVG documents

Categories

(Core :: Layout: Block and Inline, defect)

x86
Windows XP
defect
Not set
major

RESOLVED DUPLICATE of bug 310436

People

(Reporter: bc, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 310436] testcases from bug 306663)

Attachments

(2 files)

Attached file stacks+assertions
Doesn't look exploitable, lots of null pointers.
Whiteboard: [sg:nse]
Crashes in nsSpaceManager::GetTranslation, called by nsBlockBandData::Init.  In a release build, the Mac OS X crash report tool shows nsBlockBandData::Init at the top, probably because nsSpaceManager::GetTranslation gets inlined.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:nse] → [sg:nse?]
Attachment #208344 - Attachment description: reduced testcase → reduced testcase (crashes at nsSpaceManager::GetTranslation)
0    PL_DHashTableFinish + 168
1    nsPropertyTable::GetPropertyInternal(void const*, unsigned, nsIAtom*, int, unsigned*) + 80
2    nsBlockFrame::GetFirstChild(nsIAtom*) const + 128
3    nsCSSFrameConstructor::FindFrameWithContent(nsFrameManager*, nsIFrame*, nsIContent*, nsIContent*, nsFindFrameHint*) + 244
4    nsCSSFrameConstructor::FindFrameWithContent(nsFrameManager*, nsIFrame*, nsIContent*, nsIContent*, nsFindFrameHint*) + 396

0    0 + 38572876
1    nsCSSFrameConstructor::ReinsertContent(nsIContent*, nsIContent*) + 676
2    nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) + 432
3    nsCSSFrameConstructor::ReinsertContent(nsIContent*, nsIContent*) + 80
4    nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsIFrame*) + 468
5    nsCSSFrameConstructor::ContentAppended(nsIContent*, int) + 2380
Yes.  None of the attachments here crash in a debug build with that patch applied.
Depends on: 310436
And fixed in opt builds from atlantia (yesterday's nightly crashes; a very recent hourly doesn't), now that the patch in bug 310436 has been checked in :)

Should this be marked as fixed, wfm, or dup?

*** This bug has been marked as a duplicate of 310436 ***
Status: NEW → RESOLVED
Closed: 18 years ago
No longer depends on: 310436
Resolution: --- → DUPLICATE
Whiteboard: [sg:nse?] → [sg:dupe 310436] keep confidential, reveals bug 306663
Whiteboard: [sg:dupe 310436] keep confidential, reveals bug 306663 → [sg:dupe 310436] testcases from bug 306663
Group: security
Crash Signature: [@ nsSpaceManager::GetTranslation() line 196]