Closed Bug 639733 Opened 14 years ago Closed 13 years ago

Crash [@ nsIsIndexFrame::RestoreState]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla5
Tracking Flags:
Tracking Status
status2.0 --- ?

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos])

Crash Data

Attachments

(4 files)

testcase (crashes Firefox when loaded)
(deleted), application/xhtml+xml
Details
stack trace
(deleted), text/plain
Details
fix
(deleted), patch
bzbarsky
: review+
dveditz
: approval2.0-
Details | Diff | Splinter Review
crashtest
(deleted), patch
Details | Diff | Splinter Review 
      No description provided.
Attached file stack trace (deleted) — 

    
    

    
  
Null-pointer crash trying to restore a saved <embed> state on a <isindex>.
Tracing frame state save/restore leading up to the crash:

No state to save for HTMLScroll(html)(-1)@0x7fffe1b57448
No state to save for HTMLScroll(html)(-1)@0x7fffdae18448
No state to save for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda3a1448
No state '0>0>o>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state '0>0>o>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd91057c0
AddState '0>0>o>1>3>0' = 0x7fffd91a9040 for HTMLScroll(embed)(1)@0x7fffda3a9ab0
No state to save for IsIndex(isindex)(2)@0x7fffd91057c0
RestoreState '0>0>o>1>3>0' = 0x7fffd91a9040 for IsIndex(isindex)(1)@0x7fffd91057c0
[0x7fffd91057c0]RestoreState: aState=0x7fffd91a9040 GetStateProperty stateString=(nil)
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 819

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff603fd0f in nsIsIndexFrame::RestoreState (this=0x7fffd91057c0, aState=0x7fffd91a9040) at layout/forms/nsIsIndexFrame.cpp:571
571       stateString->GetData(data);
OS: Mac OS X → All
Hardware: x86 → All

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix (deleted)
        — Splinter Review
      

    


  
Include the tag name in the frame state key, instead of "o".
Make nsIsIndexFrame::RestoreState null safe, just in case.
Assignee: nobody → matspal

        Attachment #524003 -
        Flags: review?(bzbarsky)

    
    

    
  
Here's what the trace looks like with the fix:

No state to save for HTMLScroll(html)(-1)@0x7fffe187a448
No state to save for HTMLScroll(html)(-1)@0x7fffdaeb9448
No state to save for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>1' to restore for HTMLScroll(html)(-1)@0x7fffda272448
No state '0>0>embed>1>3>0' to restore for HTMLScroll(embed)(1)@0x7fffda285ab0
No state '0>0>isindex>3>3>0' to restore for IsIndex(isindex)(3)@0x7fffd90d27c0
AddState '0>0>embed>1>3>0' = 0x7fffd8c0a060 for HTMLScroll(embed)(1)@0x7fffda285ab0
No state to save for IsIndex(isindex)(2)@0x7fffd90d27c0
No state '0>0>isindex>1>3>0' to restore for IsIndex(isindex)(1)@0x7fffd90d27c0

    
    

    
  

      
      
      
      

        Attached patch
          
          
        crashtest (deleted)
        — Splinter Review
      

    


  

    
  
Blocks: 647612

    
    

    
  
Comment on attachment 524003 [details] [diff] [review]
fix

Why not just:

  KeyAppendString(nsDependentAtomString(aContent->Tag()), aKey);

?

r=me with that.  Don't forget to check in the crashtest.

        Attachment #524003 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
Much better, thanks.

Fixed in Cedar:
http://hg.mozilla.org/projects/cedar/rev/1652e3d8dc1c
http://hg.mozilla.org/projects/cedar/rev/80dc22b6c3f6
Flags: in-testsuite+
Whiteboard: fixed-in-cedar
Whiteboard: fixed-in-cedar → [sg:dos]fixed-in-cedar

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/80dc22b6c3f6
http://hg.mozilla.org/mozilla-central/rev/1652e3d8dc1c
Whiteboard: [sg:dos]fixed-in-cedar → [sg:dos]
Target Milestone: --- → mozilla2.2

    
  
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Per security group discussion, requesting landing on mozilla-2.0.

          status2.0:
          --- → ?

    
  

        Attachment #524003 -
        Flags: approval2.0?
Crash Signature: [@ nsIsIndexFrame::RestoreState]

    
    

    
  
Comment on attachment 524003 [details] [diff] [review]
fix

minus on long past 2.0 approval

        Attachment #524003 -
        Flags: approval2.0? → approval2.0-

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: