Crash [@ nsImageDocument::ShrinkToFit] in removed frame

RESOLVED FIXED in mozilla2.0b7

Status


defect
--
critical
RESOLVED FIXED
9 years ago
5 months ago

People

(Reporter: jruderman, Assigned: mats)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla2.0b7
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], crash signature)

Attachments

(3 attachments, 1 obsolete attachment)

Posted file testcase (obsolete)
mImageContent is null.
The other nsIImageDocument methods have the same problem.
Assignee: nobody → matspal
Attachment #480464 - Attachment is obsolete: true
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:dos]
Posted patch Patch rev. 1
Add null-check and silent return.
Or should we return NS_ERROR_NOT_AVAILABLE perhaps?
Attachment #480510 - Flags: review?(Olli.Pettay)
Comment on attachment 480510
Patch rev. 1

 
> NS_IMETHODIMP
> nsImageDocument::RestoreImageTo(PRInt32 aX, PRInt32 aY)
> {
>+  if (!mImageContent) {
>+    return NS_OK;
>+  }
>   return ScrollImageTo(aX, aY, PR_TRUE);
> }
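Review bot: the early return added at the top of RestoreImageTo reports NS_OK even though nothing was scrolled or restored when mImageContent is null, so a caller cannot tell a no-op from success. If any caller needs that distinction, return an error code here instead (NS_ERROR_NOT_AVAILABLE is the alternative raised earlier in this bug), and add a short comment saying why mImageContent can be null at this point.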
This change shouldn't be needed, since
ScrollImageTo calls RestoreImage which you make
null safe.

 
> NS_IMETHODIMP
> nsImageDocument::ToggleImageSize()
> {
>+  if (!mImageContent) {
>+    return NS_OK;
>+  }
>   mShouldResize = PR_TRUE;
>   if (mImageIsResized) {
>     mShouldResize = PR_FALSE;
>     ResetZoomLevel();
>     RestoreImage();
>   }
>   else if (mImageIsOverflowing) {
>     ResetZoomLevel();
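Review bot: the null guard at the top of ToggleImageSize repeats the one in RestoreImageTo and carries no comment explaining when mImageContent is null. If it stays, keep it ahead of the mShouldResize = PR_TRUE assignment, as it is here, so a call without image content leaves the resize state untouched, and document that ordering in a comment so it is not lost when the function is edited later.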
And I think this isn't needed either.
Attachment #480510 - Flags: review?(Olli.Pettay) → review+
Fair enough.  I think the former is slightly more robust, but
the testcase should catch a future change in ScrollImageTo,
ToggleImageSize that would make them crash in this case.
Comment on attachment 480615
Patch rev. 2 (nits fixed)

Trivial fix for a null-pointer crash.
Attachment #480615 - Flags: approval2.0?
Attachment #480615 - Flags: approval2.0? → approval2.0+
http://hg.mozilla.org/mozilla-central/rev/ad23e7efe0ca
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Crash Signature: [@ nsImageDocument::ShrinkToFit]
Component: DOM → DOM: Core & HTML