Open
Bug 1416326
Opened 7 years ago
Updated 2 years ago
Make nsBlockFrame::DoRemoveFrame destroy continuations in last-to-first order
Categories
(Core :: Layout: Block and Inline, enhancement, P4)
Core
Layout: Block and Inline
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | affected |
People
(Reporter: MatsPalmgren_bugz, Unassigned)
Details
If we always destroy continuations in last-to-first order then we have the invariant the all first-in-flows are deleted last. This is good since it guarantees that the content is unbound after all frames for it are destroyed (with the assumption that the primary frame is always first-in-flow). It also helps in other situations, for example when some resource is owned by the first-in-flow but shared with the continuations. It would guarantee that the resource is always available, also during frame destruction. (We've had at least one UAF in the past of this nature.)
|
Reporter | |
Comment 1•7 years ago
|
||
BTW, nsContainerFrame::DeleteNextInFlowChild already does this, but there might be other places that we should fix too.
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•