Closed Bug 639733 Opened 14 years ago Closed 14 years ago

Crash [@ nsIsIndexFrame::RestoreState]

Categories

(Core :: Layout, defect)

defect
Not set
critical

RESOLVED FIXED
mozilla5
Tracking Status
status2.0 --- ?

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos])

Attachments

(4 files)

No description provided.
Attached file stack trace
Null-pointer crash trying to restore a saved <embed> state on a <isindex>.
Tracing frame state save/restore leading up to the crash:

No state to save for HTMLScroll(html)(-1)@0x7fffe1b57448
No state to save for HTMLScroll(html)(-1)@0x7fffdae18448
No state to save for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>0>o>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state '0>0>o>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd91057c0
AddState '0>0>o>1>3>0' = 0x7fffd91a9040 for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state to save for IsIndex(isindex)(2)@0x7fffd91057c0
RestoreState '0>0>o>1>3>0' = 0x7fffd91a9040 for IsIndex(isindex)(1)@0x7fffd91057c0
[0x7fffd91057c0]RestoreState: aState=0x7fffd91a9040 GetStateProperty stateString=(nil)
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 819

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff603fd0f in nsIsIndexFrame::RestoreState (this=0x7fffd91057c0, aState=0x7fffd91a9040) at layout/forms/nsIsIndexFrame.cpp:571
571 stateString->GetData(data);
OS: Mac OS X → All
Hardware: x86 → All
Attached patch fix
Include the tag name in the frame state key, instead of "o". Make nsIsIndexFrame::RestoreState null safe, just in case.
Assignee: nobody → matspal
Attachment #524003 - Flags: review?(bzbarsky)
Here's what the trace looks like with the fix:

No state to save for HTMLScroll(html)(-1)@0x7fffe187a448
No state to save for HTMLScroll(html)(-1)@0x7fffdaeb9448
No state to save for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>0>embed>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda285ab0
No state '0>0>isindex>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd90d27c0
AddState '0>0>embed>1>3>0' = 0x7fffd8c0a060 for HTMLScroll(embed)(1)@0x7fffda285ab0
No state to save for IsIndex(isindex)(2)@0x7fffd90d27c0
No state '0>0>isindex>1>3>0' to restore for IsIndex(isindex)(1)@0x7fffd90d27c0
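The key collision visible in the two traces, as an added C++ model that is not the patch attached to this bug and not Gecko code: with "o" in the key, the state saved by the embed's scroll frame is handed to the isindex frame, whose property lookup comes back empty; with the tag name in the key, the isindex frame finds no state. The names MakeKey, RestoreIsIndex and Scenario and the property names "value" and "scroll-x" are assumptions made for the example.

```cpp
// Simplified model of keyed frame-state save/restore. All names are
// hypothetical; this is not Gecko code.
#include <cstdio>
#include <map>
#include <string>

using PresState = std::map<std::string, std::string>;  // properties one frame saved
using StateStore = std::map<std::string, PresState>;   // state key -> saved state

// Old scheme: every element contributes the literal "o", so the key depends
// only on position. Fixed scheme: the tag name is part of the key. The other
// segments are copied from the trace and treated as opaque.
std::string MakeKey(const std::string& tag, int index, bool includeTag) {
  return "0>0>" + (includeTag ? tag : std::string("o")) + ">" +
         std::to_string(index) + ">3>0";
}

enum class Restore { NoState, MissingProperty, Restored };

// Null-safe restore for the isindex frame: a missing entry or a missing
// property is reported instead of dereferenced.
Restore RestoreIsIndex(const StateStore& store, const std::string& key,
                       std::string& out) {
  auto entry = store.find(key);
  if (entry == store.end()) return Restore::NoState;
  auto prop = entry->second.find("value");  // constructed property name
  if (prop == entry->second.end()) return Restore::MissingProperty;
  out = prop->second;
  return Restore::Restored;
}

// <embed> saves scroll state at index 1, then <isindex> restores at index 1.
Restore Scenario(bool includeTag) {
  StateStore store;
  store[MakeKey("embed", 1, includeTag)]["scroll-x"] = "0";  // constructed state
  std::string text;
  return RestoreIsIndex(store, MakeKey("isindex", 1, includeTag), text);
}

int main() {
  std::printf("old key scheme: %d\n", static_cast<int>(Scenario(false)));
  std::printf("tag in key:     %d\n", static_cast<int>(Scenario(true)));
  return 0;
}
```

The MissingProperty result is the point at which the unpatched RestoreState dereferenced a null stateString.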
Attached patch crashtest
Blocks: 647612
Comment on attachment 524003 fix
Why not just:
  KeyAppendString(nsDependentAtomString(aContent->Tag()), aKey);
?
r=me with that. Don't forget to check in the crashtest.
Attachment #524003 - Flags: review?(bzbarsky) → review+
Flags: in-testsuite+
Whiteboard: fixed-in-cedar
Whiteboard: fixed-in-cedar → [sg:dos]fixed-in-cedar
Whiteboard: [sg:dos]fixed-in-cedar → [sg:dos]
Target Milestone: --- → mozilla2.2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Per security group discussion, requesting landing on mozilla-2.0.
status2.0: --- → ?
Attachment #524003 - Flags: approval2.0?
Crash Signature: [@ nsIsIndexFrame::RestoreState]
Comment on attachment 524003 fix
minus on long past 2.0 approval
Attachment #524003 - Flags: approval2.0? → approval2.0-