Bug 862185 - Use-after-poison with -moz-column, fieldset
Status: RESOLVED FIXED (Closed); opened 11 years ago, closed 11 years ago
Categories: Core :: Layout, defect
Tracking: Target Milestone mozilla23
People: Reporter: jruderman, Assigned: MatsPalmgren_bugz
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [adv-main23+]
Crash Data
Attachments: 5 files, 1 obsolete file
Description
###!!! ASSERTION: this type of frame can't have overflow containers: '(aProperty != nsContainerFrame::OverflowContainersProperty() && aProperty != nsContainerFrame::ExcessOverflowContainersProperty()) || IsFrameOfType(nsIFrame::eCanContainOverflowContainers)', file /Users/jruderman/trees/mozilla-central/layout/generic/nsContainerFrame.cpp, line 1458
Crash with nsFieldSetFrame::GetIntrinsicWidth calling nsLayoutUtils::IntrinsicForContainer.
Nightly: bp-9f41ac48-8362-4f07-84aa-837992130416
Comment 1 • 11 years ago (Reporter)
Updated • 11 years ago (Reporter)
Crash Signature: [@ nsLayoutUtils::IntrinsicForContainer]
Comment 2 • 11 years ago (Assignee)
When we reflow an nsFieldSetFrame and its child frames are COMPLETE, their next-in-flows will be destroyed by DeleteNextInFlowChild. The problem is that nsFieldSetFrame has frame pointer members mLegendFrame and mContentFrame that aren't updated when such children are destroyed, so when we reflow the nsFieldSetFrame's next-in-flow it will use stale pointers.
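The stale-pointer pattern described in the comment above, as a simplified model added by the editor (not code from Mozilla's tree, and not the patch that landed on this bug). All names here, such as Frame, FramePool, FieldSet and RunScenario, are hypothetical; the fixed pool and poison pattern stand in for Gecko's frame poisoning so that the stale read is observable without undefined behaviour, and the list-lookup accessor is one possible mitigation for cached child pointers, not necessarily the approach taken in the real fix.

```cpp
// Added example, not Mozilla code: a model of a container that caches raw
// pointers to particular children and never updates them when a child's
// next-in-flow is deleted. All names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class Kind : uint32_t { Legend = 1, Content = 2 };

struct Frame {
    uint32_t poison;     // 0 while live, kPoison once deleted
    Kind kind;
    Frame* nextInFlow;   // continuation of this frame in the next-in-flow parent
    int width;
};

static const uint32_t kPoison = 0x7ffffeeeu;  // constructed poison value

// Fixed-size pool: deleted slots stay addressable, as poisoned frame memory
// would, so the model can tell "live" from "poisoned" without real UB.
struct FramePool {
    Frame slots[8];
    size_t used = 0;
    Frame* Alloc(Kind k, int width) {
        Frame* f = &slots[used++];
        f->poison = 0; f->kind = k; f->nextInFlow = nullptr; f->width = width;
        return f;
    }
    void Delete(Frame* f) {
        std::memset(f, 0xee, sizeof(*f));  // poison every byte of the object
        f->poison = kPoison;
    }
};

static bool IsPoisoned(const Frame* f) { return f->poison == kPoison; }

struct FieldSet {
    std::vector<Frame*> children;  // authoritative child list
    // Cached pointers to particular children: the pattern comment 2 blames.
    Frame* mLegendFrame = nullptr;
    Frame* mContentFrame = nullptr;

    void Append(Frame* f) {
        children.push_back(f);
        if (f->kind == Kind::Legend) mLegendFrame = f; else mContentFrame = f;
    }
    // Alternative accessor: derive the child from the list on every use,
    // so a child that has been unlinked can never be returned.
    Frame* LookupContent() const {
        for (Frame* f : children) if (f->kind == Kind::Content) return f;
        return nullptr;
    }
};

// Model of DeleteNextInFlowChild: unlink the continuation from its parent's
// child list and poison it. Nothing updates the parent's cached members.
static void DeleteNextInFlowChild(FramePool& pool, FieldSet& nextParent, Frame* child) {
    Frame* nif = child->nextInFlow;
    if (!nif) return;
    child->nextInFlow = nullptr;
    auto& kids = nextParent.children;
    kids.erase(std::remove(kids.begin(), kids.end(), nif), kids.end());
    pool.Delete(nif);
}

// Reflow of the first fieldset: its content child is COMPLETE, so the
// child's continuation living in the next-in-flow fieldset is destroyed.
static void ReflowFirst(FramePool& pool, FieldSet& first, FieldSet& second) {
    Frame* content = first.LookupContent();
    bool complete = true;  // constructed: the child fits, no continuation needed
    if (complete && content) DeleteNextInFlowChild(pool, second, content);
}

// Intrinsic width through the cached member (the stale-pointer path).
// Returns -1 where real code would have read poisoned memory.
static int IntrinsicWidthCached(const FieldSet& fs) {
    if (!fs.mContentFrame) return 0;
    if (IsPoisoned(fs.mContentFrame)) return -1;
    return fs.mContentFrame->width;
}

// Same computation through the child list: a removed child is simply absent.
static int IntrinsicWidthLookup(const FieldSet& fs) {
    Frame* c = fs.LookupContent();
    return c ? c->width : 0;
}

struct Outcome { int before; int cached; int lookup; };

// Two fieldsets in a column layout: the second is the first's next-in-flow
// and holds the continuation of the first's content child.
Outcome RunScenario() {
    FramePool pool;
    FieldSet first, second;
    Frame* c1 = pool.Alloc(Kind::Content, 120);
    Frame* c2 = pool.Alloc(Kind::Content, 80);
    c1->nextInFlow = c2;
    first.Append(c1);
    second.Append(c2);
    Outcome out{};
    out.before = IntrinsicWidthCached(second);   // 80: pointer still valid
    ReflowFirst(pool, first, second);            // c2 is destroyed here
    out.cached = IntrinsicWidthCached(second);   // -1: stale pointer hit poison
    out.lookup = IntrinsicWidthLookup(second);   // 0: child list already updated
    return out;
}
```

The point the model makes is that the child list is updated by the deletion while the cached member is not, so any accessor that reads the member after a reflow of the previous-in-flow can touch freed (poisoned) memory; deriving the child from the list on each use, or clearing the members in the same place the child is unlinked, removes that window.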
Updated • 11 years ago (Assignee)
Comment 3 • 11 years ago (Assignee)
Assignee: nobody → matspal
Comment 4 • 11 years ago (Assignee)
Attachment #738107 - Attachment is obsolete: true
Attachment #738216 - Flags: review?(roc)
Comment 5 • 11 years ago (Assignee)
https://tbpl.mozilla.org/?tree=Try&rev=ddd01ee1e9f2
Attachment #738220 - Flags: review?(roc)
Comment 6 • 11 years ago
Comment on attachment 738216: Make nsFieldSetFrame reflow and paint overflow container children.
Review of attachment 738216:
I think we need a reftest here
Attachment #738216 - Flags: review?(roc) → review+
Attachment #738220 - Flags: review?(roc) → review+
Comment 7 • 11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/440634eef3f1
https://hg.mozilla.org/integration/mozilla-inbound/rev/b064ea1f6af7
Will add a reftest when the bug is public.
Flags: in-testsuite?
Comment 8 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/440634eef3f1
https://hg.mozilla.org/mozilla-central/rev/b064ea1f6af7
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Comment 9 • 11 years ago
The ESR 17.0.5 version of this crash is also frame poisoning (as expected): bp-e40441a7-ca1c-4ba3-ad77-2f5032130503
status-b2g18: --- → wontfix
status-firefox21: --- → wontfix
status-firefox22: --- → affected
status-firefox-esr17: --- → wontfix
Updated • 11 years ago
Whiteboard: [adv-main23+]
Comment 11 • 10 years ago (Assignee)
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/0246c21cfc5c
Group: core-security
Flags: in-testsuite? → in-testsuite+