Closed
Bug 317855
Opened 19 years ago
Closed 19 years ago
[FIX]Crash on reload with evil xul testcase, using -moz-box, -moz-grid-group, float: left [@ nsIFrame::GetNextSibling]
Categories
(Core :: Layout, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
537 bytes,
text/html
|
Details | |
12.78 KB,
text/plain
|
Details | |
4.27 KB,
patch
|
roc
:
review+
roc
:
superreview+
mtschrep
:
approval1.8.0.1+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
See upcoming testcase. Mozilla crashes when reloading that testcase. Also happens in Mozilla1.7, so no (recent) regression.
Reporter | ||
Comment 1•19 years ago
|
||
Talkback ID: TB12271663H nsFrame::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 669] nsContinuingTextFrame::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsTextFrame.cpp, line 1005] DestroyPropertyEnumerator [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsPropertyTable.cpp, line 305] nsPropertyTable::PropertyList::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsPropertyTable.cpp, line 315]
Assignee | ||
Comment 2•19 years ago
|
||
I get lots of the same asserts as in bug 317682.... Marking dependent on the same bugs. That said, the issue is that the presshell destructor frees the frame arena, and then later the prescontext destructor clears the prescontext's property table. Unfortunately, when the latter happens there is an overflow list hanging off of _something_ and we try to destroy those frames. But the arena they were allocated from is already finished, so we're accessing memory we don't own, and we crash...
Assignee | ||
Comment 3•19 years ago
|
||
And unfortunately, I see no way to clear/destroy the property table when the presshell is destroyed (that is, when the prescontext's presshell is set to null). Bryner, what do you think about adding a Clear() method to property table and using it here?
Depends on: 316318
Comment 5•19 years ago
|
||
Updated•19 years ago
|
Summary: Crash on reload with evil xul testcase, using -moz-box, -moz-grid-group, float: left → Crash on reload with evil xul testcase, using -moz-box, -moz-grid-group, float: left [@ nsIFrame::GetNextSibling]
Comment 6•19 years ago
|
||
(In reply to comment #3) > Bryner, what do you think about adding a Clear() method to property table and > using it here? > Sounds fine to me.
Assignee | ||
Comment 7•19 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #204987 -
Flags: superreview?(roc)
Attachment #204987 -
Flags: review?(roc)
Assignee | ||
Comment 8•19 years ago
|
||
We should probably try to take this on the branch... :(
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Priority: -- → P1
Summary: Crash on reload with evil xul testcase, using -moz-box, -moz-grid-group, float: left [@ nsIFrame::GetNextSibling] → [FIX]Crash on reload with evil xul testcase, using -moz-box, -moz-grid-group, float: left [@ nsIFrame::GetNextSibling]
Target Milestone: --- → mozilla1.9alpha
Attachment #204987 -
Flags: superreview?(roc)
Attachment #204987 -
Flags: superreview+
Attachment #204987 -
Flags: review?(roc)
Attachment #204987 -
Flags: review+
Assignee | ||
Comment 9•19 years ago
|
||
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 10•19 years ago
|
||
Comment on attachment 204987 [details] [diff] [review] Fix We should take this on the branch -- without this, we make virtual calls on pointers to freed memory, which is potentially exploitable.
Attachment #204987 -
Flags: approval1.8.0.1?
No crash loading and reloading testcase https://bugzilla.mozilla.org/attachment.cgi?id=204217&action=view with SeaMonkey trunk build 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Mozilla/1.0 Verified FIXED on trunk
Status: RESOLVED → VERIFIED
Comment 12•19 years ago
|
||
Comment on attachment 204987 [details] [diff] [review] Fix Please land on 1.8 and 1.8.1 branches. Thanks!
Attachment #204987 -
Flags: approval1.8.1+
Attachment #204987 -
Flags: approval1.8.0.1?
Attachment #204987 -
Flags: approval1.8.0.1+
Assignee | ||
Comment 13•19 years ago
|
||
Could someone please land this for me? If not, I'll do it in early January...
Comment 14•19 years ago
|
||
Comment on attachment 204987 [details] [diff] [review] Fix MOZILLA_1_8_BRANCH: mozilla/content/base/src/nsPropertyTable.cpp 3.7.12.1 mozilla/content/base/src/nsPropertyTable.h 1.7.18.1 mozilla/layout/base/nsPresShell.cpp 3.852.2.12 MOZILLA_1_8_0_BRANCH: mozilla/content/base/src/nsPropertyTable.cpp 3.7.20.1 mozilla/content/base/src/nsPropertyTable.h 1.7.26.1 mozilla/layout/base/nsPresShell.cpp 3.852.2.11.2.1 the nsPropertyTable changes didn't apply quite as cleanly as i had hoped. i manually merged them later. i hope i got it right :).
Keywords: fixed1.8.0.1,
fixed1.8.1
Updated•19 years ago
|
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1+
Comment 15•19 years ago
|
||
verified fixed on the branch using the testcase in https://bugzilla.mozilla.org/show_bug.cgi?id=317855, and Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. Repeatedly clicking on the testcase did not produce a crash.
Keywords: fixed1.8.0.1 → verified1.8.0.1
Updated•13 years ago
|
Crash Signature: [@ nsIFrame::GetNextSibling]
You need to log in
before you can comment on or make changes to this bug.
Description
•