Closed
Bug 307854
Opened 20 years ago
Closed 20 years ago
crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 288790
People
(Reporter: jruderman, Assigned: bernd_mozilla)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 288799] hold for 306663-derived testcase)
Crash Data
Attachments
(2 files)
|
27.67 KB,
text/plain
|
Details | |
|
999 bytes,
patch
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908
Firefox/1.6a1
Steps to reproduce:
1. Install XForms (get the XPI from the mac-xpi subdirectory of the directory
from which you got your nightly build).
2. Load the testcase.
Result: Crash while status bar counter says 2900.
Filing as security-sensitive because
(1) The crash looks exploitable based on stack traces.
(2) Some users install XForms.
(3) The crash might not actually involve XForms.
(4) Testcase is not simplified and includes code from bug 306663.
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
Corresponds to TB9206231M. I don't know whether it is significant that the
second item on the stack differs between Talkback and Apple.
|
|
Reporter | |
Comment 3•20 years ago
|
||
I've seen all kinds of addresses on the tops of these stacks: 0, 28, 0x02641758,
0x032db448 (SIGILL!), 0x2c696e74, 0x7ffffffc. That makes me pretty sure the
crash is exploitable.
|
||
Comment 4•20 years ago
|
||
Is this just an XTF issue? There are known problems with XTF and table
pseudo-elements (problems == "the two don't coexist") that I mentioned at some
point in review comments on the XTF frame construction code and that never got
addressed.
|
||
Comment 5•20 years ago
|
||
The patch fixes the problem in this test case, but I think
the actual problem is somewhere else.
We're using XBL for <xforms:output>'s layout, not XTF...
|
|
||
Comment 6•20 years ago
|
||
This will crash eventually.
|
|
||
Comment 7•20 years ago
|
||
Hmm... Can we reduce that testcase?
the testcase without xforms does crash with dpalpha 2 but is wfm with current
trunk under winxp. So i guess thats Boris leaf patch.
|
|
||
Comment 10•20 years ago
|
||
Note that leaf frames landed on the 1.8 branch too, at this point.
|
|
||
Comment 11•20 years ago
|
||
Jesse, whats the policy on closing such a bug as a WFM?
|
|
Reporter | |
Comment 12•20 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050915
Firefox/1.6a1
I can still reproduce using the original testcase (with xforms installed). It
still crashes while the counter says "2900".
I can still reproduce using Smaug's testcase in comment 6. It crashes while the
status bar counter says "5100".
Summary: StirDOM crash in table layout code when XForms is installed [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths] → StirDOM crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
|
Assignee | |
Comment 13•20 years ago
|
||
Martijn, do you see any chance to derandomize this?
|
||
Comment 14•20 years ago
|
||
This crashes every time for me when clicking in the document.
|
|
Assignee | |
Comment 15•20 years ago
|
||
Martijn, thanks that look like someting one could work on
|
|
||
Comment 16•20 years ago
|
||
Yet another testcase. This testcase gives the same stacktrace, but follows a
different codepath to trigger the bug.
It might be interesting, because I think the testcase could be in essence
simpler than the previous one.
But it currently still depends on the xforms xbl code.
|
|
||
Comment 17•20 years ago
|
||
This testcase gives for me also a crash at
BasicTableLayoutStrategy::AssignNonPctColumnWidths, and it's simpler than
testcase3.
|
|
Reporter | |
Updated•20 years ago
|
Whiteboard: [sg:fix]
|
|
Assignee | |
Comment 18•20 years ago
|
||
Martijn, it seems to me that this bug is a dupe of the bug that you filed (bug
288790), Boris did fix this today. At least my debug build with that patch does
not crash anymore. But be warned too often my WFM is bogus.
|
|
Reporter | |
Comment 19•20 years ago
|
||
All testcases in this bug WFM with my opt build (checkout an hour or two ago).
I'm going to mark this as a dup, but leave it as security-sensitive until bug
306663 is made public.
*** This bug has been marked as a duplicate of 288790 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Updated•20 years ago
|
Whiteboard: [sg:fix]
|
||
Updated•19 years ago
|
Whiteboard: [sg:dupe 288799] hold for stirDOM code
|
|
||
Updated•18 years ago
|
Summary: StirDOM crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths] → crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
Whiteboard: [sg:dupe 288799] hold for stirDOM code → [sg:dupe 288799] hold for 306663-derived testcase
|
|
||
Updated•18 years ago
|
Attachment #195516 -
Attachment is private: true
|
|
||
Updated•18 years ago
|
Attachment #195516 -
Attachment is private: false
|
|
||
Updated•18 years ago
|
Group: security
|
||
Updated•14 years ago
|
Crash Signature: [@ nsCellMap::GetCellInfoAt]
[@ BasicTableLayoutStrategy::Initialize]
[@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
You need to log in
before you can comment on or make changes to this bug.
Description
•