Closed Bug 384344 Opened 17 years ago Closed 17 years ago

free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: pvnick, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords, Whiteboard: [sg:critical?] 1.8-branch only)

Attachments

(4 files)

Testcase
288 bytes, text/html
Details
stack
6.21 KB, text/plain
Details
patch
4.03 KB, patch
dveditz
: review+
dveditz
: superreview+
dveditz
: approval1.8.1.5+
dveditz
: approval1.8.0.13+
Details | Diff | Splinter Review
A few remaining assertions after patch
5.82 KB, text/plain
Details
Attached file Testcase 
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223562608 (LWP 4878)]
0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, 
    aSID=@0xbfe65950)
    at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210
210         char* resetOrInherit = NS_REINTERPRET_CAST(char*, *NS_REINTERPRET_CAST(void**, resetOrInheritSlot));

(gdb) print resetOrInheritSlot
$1 = 0xddddddfd <Address 0xddddddfd out of bounds>

(gdb) bt
#0  0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, 
    aSID=@0xbfe65950)
    at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210
#1  0x085c1b28 in nsStyleContext::GetStyleData (this=0xdddddddd, 
    aSID=eStyleStruct_Display)
    at /home/pvnick/Desktop/mozilla/layout/style/nsStyleContext.cpp:248
#2  0x08435842 in nsIFrame::GetStyleData (this=0xb145adf0, 
    aSID=eStyleStruct_Display)
    at /home/pvnick/Desktop/mozilla/layout/mathml/base/src/../../../generic/nsIFrame.h:608
#3  0x0843585d in nsIFrame::GetStyleDisplay (this=0xb145adf0)
    at ../../../dist/include/layout/nsStyleStructList.h:90
#4  0x08413d51 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, 
    aRemovedFrame=0xaf55b9c8, aFrame=0xaf55bad0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9755
#5  0x08413d21 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, 
    aRemovedFrame=0xaf55b9c8, aFrame=0xaf55b9c8)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9740
#6  0x084150f5 in DeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aFrame=0xaf55b9c8)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9812
Assignee: roc → nobody
Component: Layout: View Rendering → Layout
QA Contact: ian → layout
Summary: Read AV at nsCachedStyleData:GetStyleData → free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree
I think this is a duplicate of bug 366128 / bug 322436...
Keywords: crash, testcase
Attached file stack 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
Merging rev. 1.1352 -> 1.1353  +  rev. 1.1354 -> 1.1355 of
layout/base/nsCSSFrameConstructor.cpp fixes the crash.
There are still a few line layout assertions though...

    
    

    
  
What assertions?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

    
    

    
  


  
I happened to have a diagnostic frame dump on the "How'd we get a
floated inline frame?" assertion in this tree so I'm including that as well.
Assignee: nobody → mats.palmgren
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:moderate?] 1.8-branch only

    
    

    
  
Do we need to fix those assertions? If we've got a fix for a crash involving deleted objects that sounds like good progress to get into FF2.0.0.5.

Time is tight: please get some reviews and request approval on this.
Whiteboard: [sg:moderate?] 1.8-branch only → [sg:critical?] 1.8-branch only

    
    

    
  
Comment on attachment 268290 [details] [diff] [review]
patch

r/sr=bzbarsky over IRC
approved for 1.8.1.5 and 1.8.0.13, a=dveditz

        Attachment #268290 -
        Flags: superreview+

        Attachment #268290 -
        Flags: review+

        Attachment #268290 -
        Flags: approval1.8.1.5+

        Attachment #268290 -
        Flags: approval1.8.0.13+

    
    

    
  
MOZILLA_1_8_BRANCH
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.6.81 

MOZILLA_1_8_0_BRANCH
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.6.12.2.58 

-> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.0.13, 
          
            fixed1.8.1.5
Resolution: --- → FIXED

    
    

    
  
verified fixed 1.8.1.5 using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007071216 BonEcho/2.0.0.5pre and the Testcase from comment 0 . No crash on testcase - build remain stable - adding verified keyword.
Keywords: fixed1.8.1.5verified1.8.1.5
Depends on: 322436, 366128

    
    

    
  
verified fixed in 1.8.0.13 using Thunderbird build 2007080918 on Windows XP (en-US). No crash with test case.
Keywords: fixed1.8.0.13verified1.8.0.13
Group: security
Flags: in-testsuite?

    
    

    
  
crash test landed
http://hg.mozilla.org/mozilla-central/rev/d849dbf33b4f
Flags: in-testsuite? → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: