Closed
Bug 1043181
Opened 10 years ago
Closed 10 years ago
Crash [@ nsCSSValue::GetStringValue(nsAString_internal&) ] with @counter-style
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
mozilla34
Tracking | Status | |
---|---|---|
firefox31 | --- | unaffected |
firefox32 | --- | unaffected |
firefox33 | + | verified |
firefox34 | + | verified |
People
(Reporter: sebo, Assigned: heycam)
Details
Crash Data
Attachments
(3 files)
330 bytes,
text/html
|
Details | |
114 bytes,
text/css
|
Details | |
1.02 KB,
patch
|
dbaron
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Example crash report: https://crash-stats.mozilla.com/report/index/58a6e548-c794-49a8-b374-0fdae2140724 Test case: 1. Install Firebug 2.0.2[1] 2. Open Firebug on the attached files 3. Switch to the CSS panel 4. Reload the page Sebastian [1] https://addons.mozilla.org/firefox/addon/firebug/versions/2.0.2
Reporter | ||
Comment 1•10 years ago
|
||
Assignee | ||
Comment 2•10 years ago
|
||
The nsCSSCounterStyleRule copy constructor (which is called under CSSStyleSheet::EnsureUniqueInner) doesn't copy over its mValues array, which is where the descriptor values are stored. Later we assume that the symbols descriptor nsCSSValue is a list, when it's null. (Also mGeneration isn't initialized.)
Assignee | ||
Comment 3•10 years ago
|
||
Assignee: nobody → cam
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8461387 -
Flags: review?(dbaron)
Assignee | ||
Updated•10 years ago
|
OS: Windows 7 → All
Hardware: x86 → All
Comment on attachment 8461387 [details] [diff] [review] patch Probably better to use ArrayLength(mValues) rather than eCSSCounterDesc_COUNT. And given that you're there, I'd prefer ++i over i++ when it doesn't matter, since it's the conceptually simpler operation. r=dbaron with that I suppose it doesn't matter whether the generation is initialized to 0 or aCopy.mGeneration, so this is probably fine (and maybe slightly better just because it's more normal).
Attachment #8461387 -
Flags: review?(dbaron) → review+
Also, we perhaps need a test_rule_cloning to go along with test_value_cloning. Though it would be a good bit of work to write.
Assignee | ||
Comment 6•10 years ago
|
||
(In reply to David Baron [:dbaron] (UTC-7) (needinfo? for questions) from comment #4) > I suppose it doesn't matter whether the generation is initialized to 0 or > aCopy.mGeneration, so this is probably fine (and maybe slightly better just > because it's more normal). Yeah, the mGeneration value should be 0 at the time it is cloned, so I agree it shouldn't matter.
Assignee | ||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/6ff70a5507f7
https://hg.mozilla.org/mozilla-central/rev/6ff70a5507f7
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Comment 9•10 years ago
|
||
Why not uplift this patch to 33 where @counter-style landed?
Reporter | ||
Comment 10•10 years ago
|
||
[Tracking Requested - why for this release]:
[Tracking Requested - why for this release]:
[Tracking Requested - why for this release]:
I can confirm that it's working now. Thanks for the fast patch!
> Why not uplift this patch to 33 where @counter-style landed?
I agree with that. I tried to set the appropriate tracking flags. (Please correct them if I did that wrong.)
Sebastian
status-firefox31:
--- → unaffected
status-firefox32:
--- → unaffected
status-firefox33:
--- → affected
status-firefox34:
--- → fixed
tracking-firefox33:
--- → ?
tracking-firefox34:
--- → ?
Assignee | ||
Comment 11•10 years ago
|
||
Comment on attachment 8461387 [details] [diff] [review] patch Approval Request Comment [Feature/regressing bug #]: bug 966166 [User impact if declined]: certain CSS rules can cause a crash (at least when inspecting the rules using Firebug, possibly also in the normal course of viewing a page) [Describe test coverage new/current, TBPL]: no test, but manual testing shows the crash is now avoided [Risks and why]: low; the patch just initializes some variables that weren't previously [String/UUID change made/needed]: N/A
Attachment #8461387 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Attachment #8461387 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•10 years ago
|
Assignee | ||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/a55b8ef060a8
Updated•10 years ago
|
Flags: qe-verify+
QA Contact: lhenry
Comment 13•10 years ago
|
||
I couldn't reproduce the crash using the steps from the bug, also based on Socorro it seems that the latest build that reproduce the crash was from 20140716183446. Marking the bug as Verified. If someone can still reproduce this bug please reopen it.
Reporter | ||
Comment 14•10 years ago
|
||
FWIW it's also working for me now using Firefox 32.0.2 + Firebug 2.0.2/2.0.4 on Win8.1. Sebastian
You need to log in
before you can comment on or make changes to this bug.
Description
•