Description Martin Stransky
2008-03-12 15:18:10 UTC
Firefox crashes because empty document is used during reflow:
Program received signal SIGSEGV, Segmentation fault.
0x00002aaab9026626 in nsObjectFrame::CreateDefaultFrames (this=0x435a120, aPresContext=0x6240250, aMetrics=@0x7fff4123e750, aReflowState=@0x7fff4123e640) at nsObjectFrame.cpp:1559
1559 getter_AddRefs(anchor));
(gdb) bt
#0 0x00002aaab9026626 in nsObjectFrame::CreateDefaultFrames (this=0x435a120, aPresContext=0x6240250, aMetrics=@0x7fff4123e750, aReflowState=@0x7fff4123e640) at nsObjectFrame.cpp:1559
#1 0x00002aaab90279d5 in nsObjectFrame::Reflow (this=0x435a120, aPresContext=0x6240250, aMetrics=@0x7fff4123e750, aReflowState=@0x7fff4123e640, aStatus=@0x7fff4123ee1c) at nsObjectFrame.cpp:1023
#2 0x00002aaab901b01a in nsLineLayout::ReflowFrame (this=0x7fff4123f000, aFrame=0x435a120, aReflowStatus=@0x7fff4123ee1c, aMetrics=0x0, aPushedFrame=@0x7fff4123e8e4) at nsLineLayout.cpp:995
nsObjectFrame.cpp:
  // first, we need to get the document
  nsIDocument *doc = mContent->GetDocument();
  nsIPresShell *shell = aPresContext->GetPresShell();
  nsStyleSet *styleSet = shell->StyleSet();
  nsCOMPtr<nsIHTMLDocument> htmldoc(do_QueryInterface(doc));
  PRInt32 id;
  if (htmldoc && !doc->IsCaseSensitive())
    id = kNameSpaceID_None;
  else
    id = kNameSpaceID_XHTML;
  nsCOMPtr<nsIContent> anchor;
  nsresult rv = doc->CreateElem(nsHTMLAtoms::a, nsnull, id, htmldoc != nsnull,
                                getter_AddRefs(anchor));
(gdb) p doc
$9 = (nsIDocument *) 0x0
Hi,
firefox-1.5.0.12-13.el5_1 appears to have fixed the cnbc.com bug I mentioned on
bug #433823 comment 31 and is supposed to be fixed in this bug. Thanks for the
rapid help!
daryl
Comment 4 Jonathan Peatfield
2008-03-27 23:06:55 UTC
I note that the recently released firefox-1.5.0.12-14.el5_1 seems to not have
this fix included. Is that because the problem has been corrected in a
different way or did it get lost because of the security updates?
A quick check shows that the same patch seems to apply cleanly if added into the
specfile...