Bug 334080
Opened 19 years ago
Closed 19 years ago
crashes due to null mBodyContent in nsImageDocument::CheckOverflowing [@ nsStyleContext::GetStyleData]
Categories
(Core :: DOM: Core & HTML, defect, P1)
RESOLVED
FIXED
mozilla1.8.1alpha1
People
(Reporter: dbaron, Assigned: dbaron)
Details
(4 keywords, Whiteboard: [patch])
Attachments
(2 files)
25.35 KB, text/plain; charset=utf-8
1.22 KB, patch (bzbarsky: review+, bzbarsky: superreview+, bzbarsky: approval-branch-1.8.1+, dveditz: approval1.8.0.4+)
One of the top crashes for Firefox 1.5.0.2 (and 1.5.0.1, I think) is two related stacks in nsImageDocument. On Windows, they show up with the top slightly garbled:
nsStyleContext::GetStyleData [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp, line 248]
nsImageDocument::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/document/src/nsImageDocument.cpp, line 566]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1684]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1785]
nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1601]
PresShell::FireResizeEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 3111]
nsTimerImpl::Fire [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 394]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
or
nsStyleContext::GetStyleData [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp, line 248]
nsImageDocument::OnStartContainer [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/document/src/nsImageDocument.cpp, line 508]
imgRequest::OnStartContainer [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/modules/libpr0n/src/imgRequest.cpp, line 458]
imgRequest::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/modules/libpr0n/src/imgRequest.cpp, line 886]
ProxyListener::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/modules/libpr0n/src/imgLoader.cpp, line 893]
nsMediaDocumentStreamListener::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/document/src/nsMediaDocument.cpp, line 115]
nsDocumentOpenInfo::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/uriloader/base/nsURILoader.cpp, line 374]
nsStreamListenerTee::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 97]
nsHttpChannel::OnDataAvailable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 4195]
...
However, on Linux, I saw (from 1.5.0.1) a slightly better stack for the latter, which I'll attach with more detailed analysis. I got enough out of the raw stack data and compared to the disassembly of the release build to get local variables, and from this determined that the crash is due to mBodyContent (or at least |content|) being null in CheckOverflowing, which is called from OnStartContainer (in this case) or HandleEvent at the lines indicated in the Windows stacks.
ResolveStyleFor handles a null input and returns null, but then CheckOverflowing dereferences that result.
Comment 1 • 19 years ago (Assignee)
Updated • 19 years ago (Assignee)
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Comment 2 • 19 years ago (Assignee)
Null check the result of QIing mBodyContent just like the one other use in this file.
Assignee: general → dbaron
Status: NEW → ASSIGNED
Attachment #218494 - Flags: superreview?(bzbarsky)
Attachment #218494 - Flags: review?(bzbarsky)
Attachment #218494 - Flags: approval1.8.0.3?
Attachment #218494 - Flags: approval-branch-1.8.1?(bzbarsky)
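The pattern described in the report and the null check from comment 2, as a simplified model added here for illustration; it is not the attached patch or Mozilla source. The types Content, StyleContext and ImageDocument, the Result enum and the margin arithmetic are stand-ins; only the names mBodyContent, ResolveStyleFor and CheckOverflowing come from the report.

```cpp
// Added illustration: simplified model of the crash pattern, not Mozilla source.
#include <cstdio>
#include <memory>

struct Content {};                      // stand-in for the body element
struct StyleContext { int marginPx; };  // stand-in for a resolved style

// As in the report: tolerates a null input and answers with null.
std::unique_ptr<StyleContext> ResolveStyleFor(const Content* content) {
  if (!content) return nullptr;
  return std::unique_ptr<StyleContext>(new StyleContext{8});
}

enum class Result { Ok, NoBody };

struct ImageDocument {
  std::unique_ptr<Content> mBodyContent;  // null in the crashing case
  int imageWidth = 0;
  int visibleWidth = 0;
  bool overflowing = false;

  // Before: the null returned by ResolveStyleFor is dereferenced.
  // Undefined behaviour (a crash in practice) when mBodyContent is null.
  Result CheckOverflowingUnchecked() {
    auto style = ResolveStyleFor(mBodyContent.get());
    overflowing = imageWidth > visibleWidth - 2 * style->marginPx;
    return Result::Ok;
  }

  // After: return early when there is no body, before any style lookup.
  Result CheckOverflowingChecked() {
    const Content* content = mBodyContent.get();
    if (!content) return Result::NoBody;
    auto style = ResolveStyleFor(content);
    if (!style) return Result::NoBody;
    overflowing = imageWidth > visibleWidth - 2 * style->marginPx;
    return Result::Ok;
  }
};

int main() {
  ImageDocument doc;  // constructed sample: image wider than the viewport
  doc.imageWidth = 800;
  doc.visibleWidth = 640;
  std::printf("no body: %d\n", static_cast<int>(doc.CheckOverflowingChecked()));
  doc.mBodyContent.reset(new Content());
  doc.CheckOverflowingChecked();
  std::printf("overflowing: %d\n", doc.overflowing ? 1 : 0);
}
```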
Updated • 19 years ago (Assignee)
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.8.1alpha1
Updated • 19 years ago
Attachment #218494 - Flags: superreview?(bzbarsky)
Attachment #218494 - Flags: superreview+
Attachment #218494 - Flags: review?(bzbarsky)
Attachment #218494 - Flags: review+
Updated • 19 years ago
Attachment #218494 - Flags: approval-branch-1.8.1?(bzbarsky) → approval-branch-1.8.1+
Comment 3 • 19 years ago (Assignee)
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated • 19 years ago
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Updated • 19 years ago (Assignee)
Keywords: fixed1.8 → fixed1.8.1
Comment 5 • 19 years ago
Comment on attachment 218494
patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218494 - Flags: approval1.8.0.3? → approval1.8.0.3+
Comment 7 • 19 years ago
*** Bug 337644 has been marked as a duplicate of this bug. ***
Comment 8 • 19 years ago
*** Bug 336280 has been marked as a duplicate of this bug. ***
Comment 9 • 19 years ago
*** Bug 337703 has been marked as a duplicate of this bug. ***
Comment 10 • 19 years ago
I've checked the 1504 candidate build against the URLs listed in the bugs dup'd against this bug. No crashes.
Keywords: fixed1.8.0.4 → verified1.8.0.4
Updated • 14 years ago
Crash Signature: [@ nsStyleContext::GetStyleData]
Updated • 6 years ago
Component: DOM → DOM: Core & HTML