Closed Bug 1043181 Opened 10 years ago Closed 10 years ago

Crash [@ nsCSSValue::GetStringValue(nsAString_internal&) ] with @counter-style

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla34
Tracking Flags:
Tracking Status
firefox31 --- unaffected
firefox32 --- unaffected
firefox33 + verified
firefox34 + verified

People

(Reporter: sebo, Assigned: heycam)

Details

Crash Data

Attachments

(3 files)

atCounterStyle.html
330 bytes, text/html
Details
atCounterStyle.css
114 bytes, text/css
Details
patch
1.02 KB, patch
dbaron
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file atCounterStyle.html 
Example crash report:
https://crash-stats.mozilla.com/report/index/58a6e548-c794-49a8-b374-0fdae2140724

Test case:
1. Install Firebug 2.0.2[1]
2. Open Firebug on the attached files
3. Switch to the CSS panel
4. Reload the page

Sebastian

[1] https://addons.mozilla.org/firefox/addon/firebug/versions/2.0.2
Attached file atCounterStyle.css 

    
    

    
  
The nsCSSCounterStyleRule copy constructor (which is called under CSSStyleSheet::EnsureUniqueInner) doesn't copy over its mValues array, which is where the descriptor values are stored.  Later we assume that the symbols descriptor nsCSSValue is a list, when it's null.  (Also mGeneration isn't initialized.)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
Assignee: nobody → cam
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

        Attachment #8461387 -
        Flags: review?(dbaron)

    
  
OS: Windows 7 → All
Hardware: x86 → All

    
    

    
  
Comment on attachment 8461387 [details] [diff] [review]
patch

Probably better to use ArrayLength(mValues) rather than eCSSCounterDesc_COUNT.  And given that you're there, I'd prefer ++i over i++ when it doesn't matter, since it's the conceptually simpler operation.

r=dbaron with that

I suppose it doesn't matter whether the generation is initialized to 0 or aCopy.mGeneration, so this is probably fine (and maybe slightly better just because it's more normal).

        Attachment #8461387 -
        Flags: review?(dbaron) → review+

    
    

    
  
Also, we perhaps need a test_rule_cloning to go along with test_value_cloning.  Though it would be a good bit of work to write.

    
    

    
  
(In reply to David Baron [:dbaron] (UTC-7) (needinfo? for questions) from comment #4)
> I suppose it doesn't matter whether the generation is initialized to 0 or
> aCopy.mGeneration, so this is probably fine (and maybe slightly better just
> because it's more normal).

Yeah, the mGeneration value should be 0 at the time it is cloned, so I agree it shouldn't matter.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/6ff70a5507f7
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34

    
    

    
  
Why not uplift this patch to 33 where @counter-style landed?

    
    

    
  
[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

I can confirm that it's working now. Thanks for the fast patch!

> Why not uplift this patch to 33 where @counter-style landed?
I agree with that. I tried to set the appropriate tracking flags. (Please correct them if I did that wrong.)

Sebastian

          status-firefox31:
          --- → unaffected

          status-firefox32:
          --- → unaffected

          status-firefox33:
          --- → affected

          status-firefox34:
          --- → fixed

          tracking-firefox33:
          --- → ?

          tracking-firefox34:
          --- → ?

    
    

    
  
Comment on attachment 8461387 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: bug 966166
[User impact if declined]: certain CSS rules can cause a crash (at least when inspecting the rules using Firebug, possibly also in the normal course of viewing a page)
[Describe test coverage new/current, TBPL]: no test, but manual testing shows the crash is now avoided
[Risks and why]: low; the patch just initializes some variables that weren't previously
[String/UUID change made/needed]: N/A

        Attachment #8461387 -
        Flags: approval-mozilla-aurora?

        Attachment #8461387 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: qe-verify+
QA Contact: lhenry

    
    

    
  
I couldn't reproduce the crash using the steps from the bug, also based on Socorro it  seems that the latest build that reproduce the crash was from 20140716183446. Marking the bug as Verified. If someone can still reproduce this bug please reopen it.
Status: RESOLVED → VERIFIED

          status-firefox33:
          fixedverified

          status-firefox34:
          fixedverified

    
    

    
  
FWIW it's also working for me now using Firefox 32.0.2 + Firebug 2.0.2/2.0.4 on Win8.1.

Sebastian

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: