Closed
Bug 343293
Opened 18 years ago
Closed 18 years ago
[FIX]Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] using ::first-line, floats, caption and generated content
Categories
(Core :: Layout: Floats, defect, P1)
Core
Layout: Floats
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
Details
(5 keywords, Whiteboard: [sg:critical?] null deref but maybe worse)
Crash Data
Attachments
(6 files, 1 obsolete file)
617 bytes,
application/xhtml+xml
|
Details | |
28.27 KB,
text/plain
|
Details | |
297 bytes,
application/xhtml+xml
|
Details | |
8.10 KB,
patch
|
dveditz
:
approval1.8.1.2+
dveditz
:
approval1.8.0.10+
|
Details | Diff | Splinter Review |
7.11 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
8.08 KB,
patch
|
Details | Diff | Splinter Review |
See upcoming testcase which crashes Mozilla upon load.
It doesn't crash Mozilla1.7, but it crashes in Firefox1.5.0.4 (that's why I'm marking it security sensitive for now).
I haven't looked for a regression range for now, I don't have the necessary builds on this computer, I could look for the regression range when I am at home.
Talkback ID: TB20463441M
nsLayoutUtils::GetFloatFromPlaceholder
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Comment 2•18 years ago
|
||
Backtrace from debug build.
Some assertions:
###!!! ASSERTION: Reparenting something that has no usable parent? Shouldn't hap
pen!: 'Not Reached', file c:/mozilla/mozilla/layout/base/nsFrameManager.cpp, lin
e 916
This is bug 334602.
###!!! ASSERTION: Can only remove a singleton element: '!aElement->mNext', file
c:/mozilla/mozilla/layout/generic/nsLineBox.cpp, line 941
This is bug 342322 (there is a patch which removes the assertion).
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file c:/mozill
a/mozilla/layout/base/../generic/nsPlaceholderFrame.h, line 127
I've added the stack for that assertion.
Reporter | ||
Updated•18 years ago
|
Group: security
Assignee | ||
Comment 3•18 years ago
|
||
Assignee | ||
Comment 4•18 years ago
|
||
Assignee | ||
Comment 5•18 years ago
|
||
Assignee | ||
Comment 6•18 years ago
|
||
This one was fun! What happened was that we detected an {ib} situation and decided to blow away the containing block. So in WipeContainingBlock we called CleanupFrameReferences on aFrameList. But one of the frames in that list was a pseudo outer table (since the caption wants one), and its mContent was of course the root content of the document. So we blew away the primary frame mapping for the root content.
Then we go to actually reframe, realize we're looking at the root content, and end up in ReconstructDocElementHierarchy(Internal). We look up the primary frame for the root, get nothing (since the mapping is gone and one can't find that frame by walking the frame tree starting at the parent, since there's no parent), so we blow away the primary frame and placeholder maps, null out the out-of-flow pointers in all placeholders, and then bail out(!). The result is that we have a placeholder with a null out of flow pointer in the tree, so when we reflow we crash.
This patch fixes things so we don't incorrectly blow away the root's primary frame mapping. But maybe we should also add an early return in ReconstructDocElementHierarchy when there's no frame for the root content?
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #247207 -
Flags: superreview?(roc)
Attachment #247207 -
Flags: review?(roc)
Assignee | ||
Updated•18 years ago
|
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] using ::first-line, floats, caption and generated content → [FIX]Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] using ::first-line, floats, caption and generated content
Attachment #247207 -
Flags: superreview?(roc)
Attachment #247207 -
Flags: superreview+
Attachment #247207 -
Flags: review?(roc)
Attachment #247207 -
Flags: review+
Instead of bailing out early, shouldn't ReconstructDocElementHierarchy actually create the frame tree?
Assignee | ||
Comment 8•18 years ago
|
||
Well, the problem is that there _is_ a frame tree there... ReconstructDocElementHierarchy just can't find it. Without this patch, that is.
Assignee | ||
Comment 9•18 years ago
|
||
Attachment #247204 -
Attachment is obsolete: true
Assignee | ||
Comment 10•18 years ago
|
||
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Attachment #247205 -
Flags: approval1.8.1.2?
Attachment #247205 -
Flags: approval1.8.0.10?
Assignee | ||
Updated•18 years ago
|
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.2?
Comment 11•18 years ago
|
||
So is this a security bug? comment 6 makes it sound like a null-deref crash.
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Assignee | ||
Comment 12•18 years ago
|
||
I _think_ this is always a null-deref crash, but we're violating all sorts of frame tree invariants in this case, so if we don't hit the null-deref we could easily crash in truly nasty ways... I can't guarantee that that won't happen. :(
Comment 13•18 years ago
|
||
Comment on attachment 247205 [details] [diff] [review]
Branch patch
approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #247205 -
Flags: approval1.8.1.2?
Attachment #247205 -
Flags: approval1.8.1.2+
Attachment #247205 -
Flags: approval1.8.0.10?
Attachment #247205 -
Flags: approval1.8.0.10+
Comment 14•18 years ago
|
||
Comment on attachment 247205 [details] [diff] [review]
Branch patch
Approved for both branches, a=jay for drivers.
Assignee | ||
Comment 15•18 years ago
|
||
Fixed for 1.8.1.2 and 1.8.0.10.
Flags: in-testsuite?
Keywords: fixed1.8.0.10,
fixed1.8.1.2
(In reply to comment #6)
> This patch fixes things so we don't incorrectly blow away the root's primary
> frame mapping. But maybe we should also add an early return in
> ReconstructDocElementHierarchy when there's no frame for the root content?
Is there a bug filed on this?
Comment 17•18 years ago
|
||
verified fixed on the 1.8 branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.2pre) Gecko/20070111 BonEcho/2.0.0.2pre. Neither of Martijn's testcases crash. Adding verified keyword.
Also verified on the 1.8.0 branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.10pre) Gecko/20070111 Firefox/1.5.0.10pre. Same results as with the 1.8 branch, no crash. Adding verified keyword.
Updated•18 years ago
|
Whiteboard: [sg:critical?]
Updated•18 years ago
|
Group: security
Whiteboard: [sg:critical?] → [sg:critical?] null deref but maybe worse
Assignee | ||
Comment 18•18 years ago
|
||
> Is there a bug filed on this?
Filed bug 377850.
Comment 19•16 years ago
|
||
crash tests landed
http://hg.mozilla.org/mozilla-central/rev/5c9e24b8e99c
Flags: in-testsuite? → in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ nsLayoutUtils::GetFloatFromPlaceholder]
You need to log in
before you can comment on or make changes to this bug.
Description
•