Last Comment Bug 317934 - CVE-2006-0294 [FIX]Crash with evil testcase, switching from position:relative to static
: CVE-2006-0294 [FIX]Crash with evil testcase, switching from position:relative...
Status: VERIFIED FIXED
[sg:critical?]
: crash, regression, testcase, verified1.8.0.1, verified1.8.1
Product: Core
Classification: Components
Component: Layout (show other bugs)
: Trunk
: x86 All
: P1 critical (vote)
: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (Out June 25-July 6)
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-11-27 09:25 PST by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2009-04-24 11:24 PDT (History)
9 users (show)
dveditz: blocking1.7.13-
dveditz: blocking‑aviary1.0.8-
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.1+
bob: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (701 bytes, text/html)
2005-11-27 09:26 PST, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags Details
valgrind log (9.49 KB, text/plain)
2005-11-27 12:35 PST, Andrew Schultz
no flags Details
This should fix it... (11.65 KB, patch)
2005-11-27 15:58 PST, Boris Zbarsky [:bz] (Out June 25-July 6)
roc: review+
roc: superreview+
mtschrep: approval1.8.0.1+
mtschrep: approval1.8.1+
Details | Diff | Review

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2005-11-27 09:25:02 PST
See upcoming testcase, when clicking on the button, current Mozilla builds crash.
This doesn't happen in Mozilla1.7.

Talkback ID: TB12309372W
0x00000000
nsIView::Destroy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 307]
nsSplittableFrame::Destroy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsSplittableFrame.cpp, line 71]
nsPositionedInlineFrame::Destroy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1052]
nsFrameList::DestroyFrames  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameList.cpp, line 138]
nsPositionedInlineFrame::Destroy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1052]
nsBlockFrame::RemoveFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 5516]
nsFrameManager::RemoveFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 704]
nsCSSFrameConstructor::ContentRemoved  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9946]
nsCSSFrameConstructor::RecreateFramesForContent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11495]
nsCSSFrameConstructor::RestyleElement  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10377]
nsCSSFrameConstructor::ProcessOneRestyle  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13211]
nsCSSFrameConstructor::ProcessPendingRestyles  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13259]
nsCSSFrameConstructor::RestyleEvent::HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13324]
SHELL32.dll + 0x520c24 (0x778b0c24)
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2005-11-27 09:26:14 PST
Created attachment 204292 [details]
testcase
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2005-11-27 09:52:16 PST
Well, this seems to have regressed between 2005-06-20 and 2005-06-22:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-06-20+05%3A00%3A00&maxdate=2005-06-22+12%3A00%3A00&cvsroot=%2Fcvsroot

I don't have really an idea which bug could have caused the regression.
Comment 3 Felix Miata 2005-11-27 10:27:16 PST
testcase crashes 1.5rc3 on OS/2
Comment 4 Andrew Schultz 2005-11-27 12:35:03 PST
Created attachment 204297 [details]
valgrind log

I crashed with builds back to 2005-06-10 but then couldn't crash with any build.  valgrind caught it trying to use already-freed memory.
Comment 5 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-27 14:03:11 PST
I see this only when we process the restyle for the inner <q> first.  Then when we're processing the restyle for the outer <q> we get to destroying the brand-new frame the inner restyle created for the positioned <span> and crash when trying to delete its view...
Comment 6 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2005-11-27 14:39:58 PST
The inner frame shouldn't have a view anymore ... did we somehow fail to remove the view from its parent when we reframed the inner element?
Comment 7 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-27 15:58:40 PST
Created attachment 204322 [details] [diff] [review]
This should fix it...

This looks like a regression from bug 292116 -- changing the parent means we get a mismatch between the frame and view trees....
Comment 8 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2005-11-28 13:51:46 PST
Comment on attachment 204322 [details] [diff] [review]
This should fix it...

don't you need to initialize appendAfterFrame to nsnull to avoid a 'possible use of uninitialized' warning?
Comment 9 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-28 13:55:39 PST
I didn't get those warnings when I compiled, so I assumed that gcc is finally sorta-smart enough...

I'll init them if warnings appear when I check in.
Comment 10 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-28 14:29:21 PST
Fixed.
Comment 11 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-28 14:30:01 PST
Comment on attachment 204322 [details] [diff] [review]
This should fix it...

This is a double-delete, hence potentially exploitable... I think we should take this on the 1.8 branch, after it bakes on the trunk a tad.
Comment 12 Stephen Donner [:stephend] 2005-11-29 17:15:58 PST
I can't speak to any *potential* regressions, but the crash itself is certainly fixed in trunk build 2005-11-29-09 of SeaMonkey trunk on Windows XP.

Verified (trunk)
Comment 13 Mike Schroepfer 2005-12-19 14:35:38 PST
Comment on attachment 204322 [details] [diff] [review]
This should fix it...

Please land on 1.8 and 1.8.1 branches.
Comment 14 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-12-23 22:30:29 PST
Could someone please land this for me?  If not, I'll do it in early January...
Comment 15 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-01-04 19:08:54 PST
*** Committing to MOZILLA_1_8_BRANCH... 
nsCSSFrameConstructor.h
new revision: 1.187.6.4; previous revision: 1.187.6.3
nsCSSFrameConstructor.cpp
new revision: 1.1110.6.13; previous revision: 1.1110.6.12

*** Committing layout/base/nsCSSFrameConstructor.cpp on MOZILLA_1_8_0_BRANCH... 
new revision: 1.1110.6.12.2.1; previous revision: 1.1110.6.12
*** Committing layout/base/nsCSSFrameConstructor.h on MOZILLA_1_8_0_BRANCH... 
new revision: 1.187.6.3.2.1; previous revision: 1.187.6.3
Comment 16 Jay Patel [:jay] 2006-01-11 16:05:45 PST
v.fixed on 1.8.0.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1, no crash with testcase in comment #1
Comment 17 Bob Clary [:bc:] 2006-01-14 14:08:31 PST
v test case does not crash 1.8.0.1, 1.8.1, 1.9a1 windows/linux
Comment 18 Bob Clary [:bc:] 2009-04-24 11:24:45 PDT
crash test landed
http://hg.mozilla.org/mozilla-central/rev/876c3596f749

Note You need to log in before you can comment on or make changes to this bug.