Closed Bug 336976 Opened 19 years ago Closed 10 years ago

crash [@ nsCSSFrameConstructor::BuildScrollFrame - nsCSSFrameConstructor::InitializeSelectFrame - nsCSSFrameConstructor::ConstructSelectFrame] "(aState)->mFrameManager" Pointer dereferenced before NULL check

Categories: Core :: Layout, defect
Hardware/OS: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME
People: Reporter: timeless; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: coverity, crash

I'm not sure if this is a bug, but I'd like to track it. I've left it in bz's queue, but if you find mrbkap he can look it up there and squish it if you decide it's bogus. Hopefully it's just a useless null check.

    6766 nsCSSFrameConstructor::BuildScrollFrame(nsFrameConstructorState& aState,
    6767                                         nsIContent* aContent,
    6768                                         nsStyleContext* aContentStyle,
    6769                                         nsIFrame* aScrolledFrame,
    6770                                         nsIFrame* aParentFrame,
    6771                                         nsIFrame* aContentParentFrame,
    6772                                         nsIFrame*& aNewFrame,
    6773                                         nsStyleContext*& aScrolledContentStyle)
    6774 {
    ...
    6787   // now set the primary frame to the ScrollFrame

    Event deref_parm_in_call: Dereferenced parameter "(aState)->mFrameManager" in the function "nsFrameManager::SetPrimaryFrameFor(nsIContent *, nsIFrame *)" [model]
    Event deref_parm_in_call: Dereferenced parameter "(aState)->mFrameManager" in the function "nsFrameManager::SetPrimaryFrameFor(nsIContent *, nsIFrame *)" [model]
    Also see events: [deref_parm_in_call]

    6788   aState.mFrameManager->SetPrimaryFrameFor( aContent, aNewFrame );

    5333 nsresult
    5334 nsCSSFrameConstructor::InitializeSelectFrame(nsFrameConstructorState& aState,
    5335                                              nsIFrame* scrollFrame,
    5336                                              nsIFrame* scrolledFrame,
    5337                                              nsIContent* aContent,
    5338                                              nsIFrame* aParentFrame,
    5339                                              nsStyleContext* aStyleContext,
    5340                                              PRBool aBuildCombobox,
    5341                                              nsFrameItems& aFrameItems)
    5342 {
    ...

    Event deref_parm_in_call: Dereferenced parameter "(aState)->mFrameManager" in the function "nsCSSFrameConstructor::BuildScrollFrame(nsFrameConstructorState &, nsIContent *, nsStyleContext *, nsIFrame *, nsIFrame *, nsIFrame *, nsIFrame *&, nsStyleContext *&)" [model]

    5387   BuildScrollFrame(aState, aContent, aStyleContext, scrolledFrame,
    5388                    geometricParent, aParentFrame, scrollFrame,
    5389                    scrolledPseudoStyle);

    5177 nsCSSFrameConstructor::ConstructSelectFrame(nsFrameConstructorState& aState,
    5178                                             nsIContent* aContent,
    5179                                             nsIFrame* aParentFrame,
    5180                                             nsIAtom* aTag,
    5181                                             nsStyleContext* aStyleContext,
    5182                                             nsIFrame*& aNewFrame,
    5183                                             const nsStyleDisplay* aStyleDisplay,
    5184                                             PRBool& aFrameHasBeenInitialized,
    5185                                             nsFrameItems& aFrameItems)
    5186 {
    ...

    Event deref_ptr_in_call: Dereferences pointer "(aState)->mFrameManager" [model]
    Also see events: [check_after_deref]

    5264   InitializeSelectFrame(aState, listFrame, scrolledFrame, aContent,
    5265                         comboboxFrame, listStyle, PR_TRUE, aFrameItems);
    ...

    Event check_after_deref: Pointer "(aState)->mFrameManager" dereferenced before NULL check
    Also see events: [deref_ptr_in_call]
    At conditional (3): "nsCOMPtr<nsILayoutHistoryState>::operator nsDerivedSafe<nsILayoutHistoryState> *() const != 0" taking true path

    5293   if (aState.mFrameState && aState.mFrameManager) {
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: dbaron → nobody
Component: Style System (CSS) → Layout: Misc Code
QA Contact: ian → layout.misc-code
Crash Signature: [@ nsCSSFrameConstructor::BuildScrollFrame - nsCSSFrameConstructor::InitializeSelectFrame - nsCSSFrameConstructor::ConstructSelectFrame]
I can't find any null-checks of mFrameManager anywhere in nsCSSFrameConstructor.cpp. I think it can't be null nowadays when it's a base class of nsCSSFrameConstructor.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core
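As an added illustration (constructed here, not code from the Mozilla tree), this is the shape of the pattern Coverity reported and why the closing comment treats it as a dead check rather than a crash: the same pointer is dereferenced through a call chain and only NULL-checked afterwards, but it is populated from `this` of a class that derives from the manager and so can never be null. All type and function names are hypothetical stand-ins for nsFrameManager, nsFrameConstructorState and nsCSSFrameConstructor.

```cpp
#include <cstddef>

// Constructed stand-ins; names are hypothetical, not Mozilla's.
struct FrameManager {
    int primaryFrames = 0;
    void SetPrimaryFrameFor() { ++primaryFrames; }
};

struct ConstructorState {
    FrameManager* mFrameManager;  // raw pointer: the analyzer cannot tell it is never null
    bool mFrameState;
};

// First event in the trace (deref_parm_in_call): an unconditional dereference
// reached through a call chain, before any check of the pointer.
static void BuildScrollFrame(ConstructorState& aState) {
    aState.mFrameManager->SetPrimaryFrameFor();
}

// Second event (check_after_deref): the same pointer is NULL-checked later.
// If mFrameManager could be null, the check comes too late to prevent the
// crash; if it cannot, the check is dead code. The analyzer flags the
// inconsistency either way.
static bool ConstructSelectFrameAsFlagged(ConstructorState& aState) {
    BuildScrollFrame(aState);
    return aState.mFrameState && aState.mFrameManager;
}

// Resolution argued in the closing comment: the manager is a base subobject
// of the constructor, so the state's pointer comes from `this` and is never
// null. Dropping the redundant check removes the finding without changing
// behaviour.
struct FrameConstructor : FrameManager {
    bool ConstructSelectFrame(bool aFrameState) {
        ConstructorState state{this, aFrameState};  // implicit upcast, non-null
        BuildScrollFrame(state);
        return state.mFrameState;
    }
};

// Helper exposing the side effect so the behaviour can be checked.
static int PrimaryFramesAfter(bool first, bool second) {
    FrameConstructor fc;
    fc.ConstructSelectFrame(first);
    fc.ConstructSelectFrame(second);
    return fc.primaryFrames;
}
```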