Closed Bug 271945 Opened 20 years ago Closed 20 years ago

crash when an image located within an anchor has a style of "display:-moz-popup" - M17x [@ nsMenuPopupFrame::RelayoutDirtyChild]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: RJackson, Unassigned)

References

(
URL
)

Details

(Keywords: crash, hang, topcrash, Whiteboard: [sg:dos])

Crash Data

Attachments

(3 files)

copy of given testcase
807 bytes, text/html
Details
First crack at a patch
2.97 KB, patch
Details | Diff | Splinter Review
Don't use GetParentBox
4.34 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

The web site http://80.4.61.62/moz-crash.html has an image embedded in an anchor
with the style property : display:-moz-popup. According to the web site when
viewed in IE, it says that it's due to a overflow buffer problem.

Reproducible: Always
Steps to Reproduce:
1. Visit http://80.4.61.62/moz-crash.html
Actual Results:  
1. Firefox crashes.

Expected Results:  
2. Firefox should not crash.
OS: Windows XP → All
Attached file copy of given testcase 
Copy of testcase from website in case it goes away. I've changed the img src
from a relative url to one that will resolve on www.mozilla.org. I didn't see
any problems when the image didn't resolve.

I don't see a crash, I get a sort of hang instead. The menus will drop down,
cursor will change shape as I mouseover things in both chrome and content, but
it doesn't respond to clicks anywhere.
I do see a crash in Mozilla 1.7.2 (actually Netscape 7.2) down in layout. Will
try to get a talkback trace for Mozilla proper.
Assignee: firefox → nobody
Status: UNCONFIRMED → NEW
Component: General → Layout
Ever confirmed: true
Keywords: crash, hang
Product: Firefox → Core
QA Contact: firefox.general → core.layout
Summary: Firefox crash when an image located within an anchor has a style of "display:-moz-popup" → crash when an image located within an anchor has a style of "display:-moz-popup"
Whiteboard: [sg:dos]
Version: unspecified → 1.7 Branch
Strange, the site no longer causes Firefox to crash on me. It now causes Firefox
to hang on me, when the browser is closed Firefox will remain as a proccess in
the background (then if you go to start up Firefox again it will ask which
profile you want and say that your default profile is locked).


(In reply to comment #1)
> Created an attachment (id=167326)
> copy of given testcase
> 
> Copy of testcase from website in case it goes away. I've changed the img src
> from a relative url to one that will resolve on www.mozilla.org. I didn't see
> any problems when the image didn't resolve.
> 
> I don't see a crash, I get a sort of hang instead. The menus will drop down,
> cursor will change shape as I mouseover things in both chrome and content, but
> it doesn't respond to clicks anywhere.
Component: Layout → General
Product: Core → Firefox
Version: 1.7 Branch → 1.0 Branch
With 1.8a5 the crash I get is
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=2241191

Access violation
nsMenuPopupFrame::RelayoutDirtyChild 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuPopupFrame.cpp,
line 350]
nsIFrame::MarkDirtyChildren 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsBox.cpp,
line 310]
nsBoxFrame::RemoveFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 1173]
nsContainerFrame::ReplaceFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 410]
nsCSSFrameConstructor::CantRenderReplacedElement 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10576]
nsFrameManager::HandlePLEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 888]
PL_HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c,
line 693]
_md_EventReceiverProc 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c,
line 1434]
0x778b0c24
0x006e006f

I don't see an overflowed buffer, but it does appear to be operating on garbage
pointers. Maybe a lifetime issue from deCOMtamination. This routine (though not
this stack) is roughly top crash #20 on the Mozilla 1.7 branch, doesn't show up
in the Firefox 1.0 talkbacks at all.

Clearing security sensitive flag to get more eyeballs here. If someone figures
out a way to actually exploit this then we can hide it again later.
Group: security
It does not matter where the image points to and the outcome is unpredictable to
what Firefox does.

I tried using other words with similar patterns and this is the only word I
woulc find that caused this problem. This word should be ignored by Firefox
altogether since the DTD does not define the use of this attribute.
Which DTD? -moz-popup is supported as an extension of CSS. Attributes with the
"-moz" prefix are for internal or experimental use (for example, we had rounded
border attributes, that were replaced with the standard attribute names when
adopted by the working group). Web authors are advised not to use them as they
can and will change, plus they make web content specific to a single browser
family which we advocate against. But they will not be ignored (and of course
they shouldn't crash).
Assignee: nobody → dbaron
Sorry, my error since there is no DTD for CSS, I must have been confused and
thinking about attributes when I added that comment.

When I said ignored, I meant the browser should not parse the word if it does
not know how to handle the word correctly and not that this bug should be ignored.
Assignee: dbaron → nobody
Component: General → XP Toolkit/Widgets: Menus
Product: Firefox → Core
QA Contact: core.layout
Version: 1.0 Branch → Trunk
Summary: crash when an image located within an anchor has a style of "display:-moz-popup" → crash when an image located within an anchor has a style of "display:-moz-popup" [@ nsMenuPopupFrame::RelayoutDirtyChild]
Basically the popup frame (which is what display: -moz-popup; creates) assumes
its in a menu or a popupset... if the CSS frame constructor can't enforce this
then we'll have to sprinkle null checks throughout the code.
The CSS frame constructor _could_ enforce it, in theory.  The problem is that
the frame constructor has no way of knowing silly implementation details of all
the XUL frames, especially since these have a way of changing.  Maybe we should
have an nsIFrame api to deal with this?

Apart from that, someone needs to decide exactly how XUL frame construction
_should_ work and specify it.  Then we should implement it.  I'm sorta tired of
hacking it a little bit at a time in haphazard ways.
bz, like this?
Yeah, somewhat like this.  With an XXX comment that the null-check is there
because the assert can be triggered and that frame construction should probably
be fixed...
I wasn't sure why these three places use GetParentBox; nowhere else does.
Adding M17x to summary and topcrash keyword for tracking, this has been showing
up in Talkback for the past few Mozilla 1.7.x releaes.
Keywords: topcrash
Summary: crash when an image located within an anchor has a style of "display:-moz-popup" [@ nsMenuPopupFrame::RelayoutDirtyChild] → crash when an image located within an anchor has a style of "display:-moz-popup" - M17x [@ nsMenuPopupFrame::RelayoutDirtyChild]
Neil, is that patch ready to go, then?
I can't honestly remember. I'm sure that my build doesn't crash though.
Comment on attachment 167540 [details] [diff] [review]
Don't use GetParentBox

r+sr=bzbarsky, though it looks like some of this code could be refactored a
tad... but that can happen later.
Attachment #167540 - Flags: superreview+
Attachment #167540 - Flags: review+
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 279884 has been marked as a duplicate of this bug. ***
Component: XP Toolkit/Widgets: Menus → XUL
QA Contact: xptoolkit.widgets
Crash Signature: [@ nsMenuPopupFrame::RelayoutDirtyChild]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: