Closed Bug 639733 Opened 9 years ago Closed 9 years ago

Crash [@ nsIsIndexFrame::RestoreState]

Categories: Core :: Layout, defect, critical (priority not set)
Tracking: RESOLVED FIXED, mozilla5
Tracking Status: status2.0 --- ?
People: Reporter: jruderman, Assigned: mats
References: Blocks 1 open bug
Details: Keywords: crash, testcase; Whiteboard: [sg:dos]
Attachments: 4 files

No description provided.
Attached file stack trace
Null-pointer crash trying to restore a saved <embed> state on a <isindex>.
Tracing frame state save/restore leading up to the crash:

No state to save for HTMLScroll(html)(-1)@0x7fffe1b57448
No state to save for HTMLScroll(html)(-1)@0x7fffdae18448
No state to save for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>0>o>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state '0>0>o>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd91057c0
AddState '0>0>o>1>3>0' = 0x7fffd91a9040 for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state to save for IsIndex(isindex)(2)@0x7fffd91057c0
RestoreState '0>0>o>1>3>0' = 0x7fffd91a9040 for IsIndex(isindex)(1)@0x7fffd91057c0
[0x7fffd91057c0]RestoreState: aState=0x7fffd91a9040 GetStateProperty stateString=(nil)
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 819

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff603fd0f in nsIsIndexFrame::RestoreState (this=0x7fffd91057c0, aState=0x7fffd91a9040) at layout/forms/nsIsIndexFrame.cpp:571
571       stateString->GetData(data);
OS: Mac OS X → All
Hardware: x86 → All
Attached patch: fix
Include the tag name in the frame state key, instead of "o".
Make nsIsIndexFrame::RestoreState null safe, just in case.
Assignee: nobody → matspal
Attachment #524003 - Flags: review?(bzbarsky)
Here's what the trace looks like with the fix:

No state to save for HTMLScroll(html)(-1)@0x7fffe187a448
No state to save for HTMLScroll(html)(-1)@0x7fffdaeb9448
No state to save for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>0>embed>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda285ab0
No state '0>0>isindex>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd90d27c0
AddState '0>0>embed>1>3>0' = 0x7fffd8c0a060 for HTMLScroll(embed)(1)@0x7fffda285ab0
No state to save for IsIndex(isindex)(2)@0x7fffd90d27c0
No state '0>0>isindex>1>3>0' to restore for IsIndex(isindex)(1)@0x7fffd90d27c0
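The two traces above show the mechanism: before the fix, the key for a saved frame state used a fixed "o" segment in place of the element's tag, so an <embed> and an <isindex> at the same tree position produced the same key ("0>0>o>1>3>0"), and the isindex frame restored a state object the embed frame had saved, one that carries no string property, and then dereferenced the null result. The following is an added example, not code from this bug, from the patch, or from Gecko; it models that collision with constructed stand-ins (the names FrameState, StateMap, BuildKey, IsIndexRestoreState and Replay are assumptions, not the real nsPresState or nsIsIndexFrame API) and shows both halves of the fix: the tag name in the key, and a restore step that reports a missing property instead of dereferencing it.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Constructed stand-in for a saved frame state (assumed shape, not Gecko's nsPresState).
struct FrameState {
    std::string owner;        // frame type that saved it: "embed" or "isindex"
    bool hasText = false;     // whether the string property isindex reads back exists
    std::string text;         // that property, when present
};

using StateMap = std::map<std::string, std::shared_ptr<FrameState>>;

// Key = <ancestor path> '>' <tag segment> '>' <index path>, mirroring the keys in
// the trace ("0>0>o>1>3>0" before the fix, "0>0>embed>1>3>0" after). With
// includeTag=false the segment is the fixed "o", so two different element types
// at the same tree position collide on one key.
std::string BuildKey(const std::string& ancestors, const std::string& tag,
                     const std::string& indices, bool includeTag) {
    return ancestors + ">" + (includeTag ? tag : std::string("o")) + ">" + indices;
}

enum class Restore { Restored, NoState, NullProperty };

const char* ToString(Restore r) {
    switch (r) {
        case Restore::Restored:     return "Restored";
        case Restore::NoState:      return "NoState";
        default:                    return "NullProperty";
    }
}

// Null-safe restore step: a state saved by another frame type carries no text
// property; instead of dereferencing the null pointer we report it.
Restore IsIndexRestoreState(StateMap& states, const std::string& key,
                            std::string& outText) {
    auto it = states.find(key);
    if (it == states.end()) {
        return Restore::NoState;           // "No state '...' to restore"
    }
    std::shared_ptr<FrameState> state = it->second;
    states.erase(it);                      // a state is consumed once restored
    if (!state->hasText) {
        return Restore::NullProperty;      // the pre-fix code dereferenced null here
    }
    outText = state->text;
    return Restore::Restored;
}

// Replays the sequence from the trace: a frame of type `saver` stores a state at
// path 0>0>..>1>3>0, then an <isindex> frame at the same position restores it.
Restore Replay(const std::string& saver, bool includeTagInKey,
               std::string* outText = nullptr) {
    StateMap states;
    auto saved = std::make_shared<FrameState>();
    saved->owner = saver;
    if (saver == "isindex") {              // only isindex saves the text property
        saved->hasText = true;
        saved->text = "query";             // constructed sample value
    }
    states[BuildKey("0>0", saver, "1>3>0", includeTagInKey)] = saved;

    std::string text;
    Restore r = IsIndexRestoreState(
        states, BuildKey("0>0", "isindex", "1>3>0", includeTagInKey), text);
    if (outText) *outText = text;
    return r;
}

// Convenience: the text an isindex frame gets back after a successful restore.
std::string ReplayText(const std::string& saver, bool includeTagInKey) {
    std::string text;
    Replay(saver, includeTagInKey, &text);
    return text;
}

int main() {
    std::cout << "old key, embed saved, isindex restores:   "
              << ToString(Replay("embed", false)) << "\n";   // NullProperty: the crash
    std::cout << "tag key, embed saved, isindex restores:   "
              << ToString(Replay("embed", true)) << "\n";    // NoState: keys no longer collide
    std::cout << "tag key, isindex saved, isindex restores: "
              << ToString(Replay("isindex", true)) << " '"
              << ReplayText("isindex", true) << "'\n";       // Restored 'query'
    return 0;
}
```

The first replay is the pre-fix situation: the restore step is handed a state object of the wrong type and, without the null check, dereferences a property that was never saved. Disambiguating the key removes the collision, and the null check turns any remaining mismatch into a reported error rather than a crash; the patch does both, which is why the second half is described as "just in case".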
Attached patch: crashtest
Blocks: 647612
Comment on attachment 524003 (patch: fix)

Why not just:

  KeyAppendString(nsDependentAtomString(aContent->Tag()), aKey);

?

r=me with that.  Don't forget to check in the crashtest.
Attachment #524003 - Flags: review?(bzbarsky) → review+
Much better, thanks.

Fixed in Cedar:
http://hg.mozilla.org/projects/cedar/rev/1652e3d8dc1c
http://hg.mozilla.org/projects/cedar/rev/80dc22b6c3f6
Flags: in-testsuite+
Whiteboard: fixed-in-cedar
Whiteboard: fixed-in-cedar → [sg:dos]fixed-in-cedar
Duplicate of this bug: 647612
http://hg.mozilla.org/mozilla-central/rev/80dc22b6c3f6
http://hg.mozilla.org/mozilla-central/rev/1652e3d8dc1c
Whiteboard: [sg:dos]fixed-in-cedar → [sg:dos]
Target Milestone: --- → mozilla2.2
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Per security group discussion, requesting landing on mozilla-2.0.
status2.0: --- → ?
Attachment #524003 - Flags: approval2.0?
Crash Signature: [@ nsIsIndexFrame::RestoreState]
Comment on attachment 524003 (patch: fix)

minus on long past 2.0 approval
Attachment #524003 - Flags: approval2.0? → approval2.0-