Closed Bug 862185 Opened 11 years ago Closed 11 years ago

Use-after-poison with -moz-column, fieldset

Categories

(Core :: Layout, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla23
Tracking Status
firefox21 --- wontfix
firefox22 --- affected
firefox23 --- fixed
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main23+])

Crash Data

Attachments

(5 files, 1 obsolete file)

###!!! ASSERTION: this type of frame can't have overflow containers: '(aProperty != nsContainerFrame::OverflowContainersProperty() && aProperty != nsContainerFrame::ExcessOverflowContainersProperty()) || IsFrameOfType(nsIFrame::eCanContainOverflowContainers)', file /Users/jruderman/trees/mozilla-central/layout/generic/nsContainerFrame.cpp, line 1458

Crash with nsFieldSetFrame::GetIntrinsicWidth calling nsLayoutUtils::IntrinsicForContainer.

Nightly: bp-9f41ac48-8362-4f07-84aa-837992130416
Attached file stack (gdb)
Crash Signature: [@ nsLayoutUtils::IntrinsicForContainer]
When we reflow an nsFieldSetFrame and its child frames are COMPLETE, their next-in-flows will be destroyed by DeleteNextInFlowChild. The problem is that nsFieldSetFrame has frame pointer members mLegendFrame and mContentFrame that aren't updated when such children are destroyed, so when we reflow the nsFieldSetFrame's next-in-flow it will use stale pointers.
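The stale-pointer pattern described in that comment, modelled as an added example (this is illustrative code, not Gecko's; `Frame`, `Arena`, `FieldSet` and the poison values are constructed here, and the "hardened" variant is one hypothetical way to avoid caching, not the fix that landed):

```cpp
// Added example, not Gecko code: a container caching raw pointers to children
// that a later step destroys, with frame poisoning making the stale read visible.
#include <algorithm>
#include <memory>
#include <vector>

constexpr unsigned kLive = 0x4c495645;    // constructed marker: frame allocated
constexpr unsigned kPoison = 0x5e5e5e5e;  // constructed poison written on destroy
struct Frame { unsigned magic; };
// Poisoning arena: destroyed frames are overwritten, not freed, so a stale dereference reads kPoison.
struct Arena {
  std::vector<std::unique_ptr<Frame>> all;
  Frame* alloc() { all.emplace_back(new Frame{kLive}); return all.back().get(); }
  void destroy(Frame* f) { f->magic = kPoison; }
};
// Hypothetical fieldset continuation: the cached members mirror mLegendFrame
// and mContentFrame from the bug; `children` is the authoritative child list.
struct FieldSet {
  std::vector<Frame*> children;
  Frame* mLegendFrame = nullptr;
  Frame* mContentFrame = nullptr;
};
// DeleteNextInFlowChild analogue: unlink from the child list, then poison.
void deleteNextInFlowChild(Arena& a, FieldSet& nif, Frame* f) {
  nif.children.erase(std::find(nif.children.begin(), nif.children.end(), f));
  a.destroy(f);
}
// Next-in-flow fieldset whose legend/content continuations get deleted once the
// prev-in-flow's children reflow COMPLETE; the cached members are never refreshed.
FieldSet buildScenario(Arena& a) {
  FieldSet nif;
  nif.mLegendFrame = a.alloc();
  nif.mContentFrame = a.alloc();
  nif.children = {nif.mLegendFrame, nif.mContentFrame};
  deleteNextInFlowChild(a, nif, nif.mLegendFrame);
  deleteNextInFlowChild(a, nif, nif.mContentFrame);
  return nif;
}
// Buggy reflow trusts the cached pointers; returns true when it reads poison.
bool buggyReflowTouchesPoison() {
  Arena a; FieldSet fs = buildScenario(a);
  return fs.mLegendFrame->magic == kPoison || fs.mContentFrame->magic == kPoison;
}
// Hardened reflow walks the child list on every use (a destroyed child is simply absent); true only on poison.
bool hardenedReflowTouchesPoison() {
  Arena a; FieldSet fs = buildScenario(a);
  for (Frame* f : fs.children) if (f->magic == kPoison) return true;
  return false;
}
```

In a real build the poisoned read is what turns this use-after-free into the use-after-poison crash reported above rather than silent memory corruption.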
Keywords: sec-other
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → matspal
Attachment #738107 - Attachment is obsolete: true
Attachment #738216 - Flags: review?(roc)
Comment on attachment 738216 [details] [diff] [review]
Make nsFieldSetFrame reflow and paint overflow container children.

Review of attachment 738216 [details] [diff] [review]:
-----------------------------------------------------------------

I think we need a reftest here
Attachment #738216 - Flags: review?(roc) → review+
https://hg.mozilla.org/mozilla-central/rev/440634eef3f1
https://hg.mozilla.org/mozilla-central/rev/b064ea1f6af7
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
The ESR 17.0.5 version of this crash is also frame poisoning (as expected): bp-e40441a7-ca1c-4ba3-ad77-2f5032130503
Whiteboard: [adv-main23+]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0246c21cfc5c
Group: core-security
Flags: in-testsuite? → in-testsuite+