Closed Bug 334105 Opened 18 years ago Closed 18 years ago

[FIX]ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append)

Categories

(Core :: Layout, defect, P3)

RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bzbarsky)

###!!! ASSERTION: Bogus: '!mHead', file mozilla/layout/generic/nsLineBox.cpp, line 916

Marking security-sensitive for now because when I asked dbaron about this assertion failure, he said it "may be a sign of existing memory corruption".
Attached file testcase
Attached patch Fix
We probably want this on the 1.8.1 branch, since we can leak the float cache entries off the free list without it...
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #218617 - Flags: superreview?(dbaron)
Attachment #218617 - Flags: review?(dbaron)
Attachment #218617 - Flags: approval-branch-1.8.1?(dbaron)
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Summary: ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append) → [FIX]ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append)
Target Milestone: --- → mozilla1.9alpha
Keywords: mlk
Comment on attachment 218617 [details] [diff] [review]
Fix

That's what we get for using wacky representations of circularly linked lists, I suppose.
Attachment #218617 - Flags: superreview?(dbaron)
Attachment #218617 - Flags: superreview+
Attachment #218617 - Flags: review?(dbaron)
Attachment #218617 - Flags: review+
Attachment #218617 - Flags: approval-branch-1.8.1?(dbaron)
Attachment #218617 - Flags: approval-branch-1.8.1+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 218617 [details] [diff] [review]
Fix

If this is really a potential security problem should this be nominated for 1.8.0.3 as well?
I think this is just a leak, not a security problem...  At least as far as I can see.  There's no memory corruption, just a bad algorithm for messing with the linked list that manages to lose parts of the list.
Thanks, bz.  Making public.
Group: security
Crashtest checked in.
Flags: in-testsuite+