Closed Bug 344296 Opened 19 years ago Closed 18 years ago

Crash [@ nsMathMLContainerFrame::FixInterFrameSpacing] on 1.8.0.5 and 1.8.1 branch

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse null-deref] 1.8-branch; fuzz testcase)

Crash Data

Attachments

(1 file)

testcase
3.62 KB, application/xhtml+xml
Details
See upcoming testcase, it crashes on branches, but not on trunk. I can reduce the testcase, if desired. Talkback ID: TB20840312G nsMathMLContainerFrame::FixInterFrameSpacing [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp, line 1483] nsMathMLmactionFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLmactionFrame.cpp, line 335] nsAbsoluteContainingBlock::ReflowAbsoluteFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 674] nsAbsoluteContainingBlock::IncrementalReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 387] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 300] IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 914] PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6882] PresShell::WillPaint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6519] PresShell::EndUpdate [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 3545] nsCSSStyleSheet::SetComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsCSSStyleSheet.cpp, line 1537] CSSLoaderImpl::ParseSheet [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsCSSLoader.cpp, line 1396] CSSLoaderImpl::LoadInlineStyle [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsCSSLoader.cpp, line 1567] nsStyleLinkElement::UpdateStyleSheet [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsStyleLinkElement.cpp, line 326] nsHTMLStyleElement::BindToTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLStyleElement.cpp, line 223] nsGenericElement::InsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2769] nsGenericElement::InsertBefore [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3058] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2160] XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1450] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1349] js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 4085] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1368] js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1447] JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4377] nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1474] nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6636] nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6999] nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152] main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)
Attached file testcase
Appears to be a null parentContent in nsMathMLContainerFrame::FixInterFrameSpacing
Whiteboard: [sg:nse null-deref] 1.8-branch; fuzz testcase
Version: Trunk → 1.8 Branch
This is actually worksforme, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7 Might have been fixed by bug 373882, I guess. I suppose this bug can be opened now?
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsMathMLContainerFrame::FixInterFrameSpacing]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: