Bug 1072130 (Closed)
Opened 11 years ago, closed 11 years ago
Use-after-poison [@ mozilla::FontFamilyList::FontFamilyList] with unicode-bidi: bidi-override
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
RESOLVED
FIXED
mozilla35
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | fixed |
| firefox-esr31 | --- | unaffected |
People
(Reporter: jruderman, Assigned: heycam)
Details
(4 keywords, Whiteboard: [adv-main35+])
Attachments
(5 files)
No description provided.
Comment 1 (Reporter) • 11 years ago
Comment 2 (Reporter) • 11 years ago
Comment 3 • 11 years ago
In nsLayoutUtils::GetFontMetricsForStyleContext, line 3414:
    nsFont font = aStyleContext->StyleFont()->mFont;
aStyleContext looks fine, but StyleFont() points to a destroyed object, i.e. memory still allocated but poisoned in the pres shell arena.
Maybe the same underlying problem as bug 1070759?
Component: Layout: Text → CSS Parsing and Computation
Keywords: csectype-framepoisoning, sec-other
OS: Mac OS X → All
Comment 4 (Assignee) • 11 years ago
Might be different. With this bug, if I enable the more expensive style struct destruction checking http://hg.mozilla.org/mozilla-central/file/5e704397529b/layout/style/nsStyleContext.cpp#l89 then it triggers for me:
style struct 0x625000771300 found on style context 0x62500077b7b8
in file:///tmp/test2.html
Assertion failure: false (destroying Font style struct still present in style context tree), at ./nsStyleStructList.h:44
but not in bug 1070759.
So it's likely this bug is a regression for bug 931668.
Comment 5 (Assignee) • 11 years ago
Using the restyle logging patches from bug 979133 and bug 1072724 I get this output. Pretty sure we shouldn't be swapping structs for the same-style continuations.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Comment 6 (Assignee) • 11 years ago
Looks like this is a change I was going to have in bug 931668, but when splitting up my patch queue it ended up in the bug 979133 patch (see bug 979133 comment 15's mention of copyFromContinuations).
Comment 7 (Assignee) • 11 years ago
Attachment #8494997 - Flags: review?(dbaron)
Attachment #8494997 - Flags: review?(dbaron) → review+
Comment 8 (Assignee) • 11 years ago
Comment 9 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox35: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Updated • 11 years ago
status-firefox-esr31: --- → unaffected
Updated • 10 years ago
Whiteboard: [adv-main35+]
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release