Closed
Bug 369150
Opened 18 years ago
Closed 18 years ago
Crash [@ nsHTMLFramesetFrame::GetNoResize] with dynamic changes
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(5 keywords, Whiteboard: [sg:critical])
Crash Data
Attachments
(7 files, 1 obsolete file)
384 bytes,
text/html
|
Details | |
936 bytes,
patch
|
Details | Diff | Splinter Review | |
480 bytes,
text/html
|
Details | |
2.37 KB,
patch
|
Details | Diff | Splinter Review | |
1.95 KB,
patch
|
roc
:
review+
roc
:
superreview+
dveditz
:
approval1.8.1.4+
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
1.23 KB,
patch
|
bzbarsky
:
review-
bzbarsky
:
superreview-
|
Details | Diff | Splinter Review |
1.29 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
dveditz
:
approval1.8.1.4+
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
Loading the testcase makes Firefox crash [@ nsHTMLFramesetFrame::GetNoResize].
Reporter | ||
Updated•18 years ago
|
Severity: normal → critical
Assignee | ||
Comment 1•18 years ago
|
||
I think we could just add a simple null check.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #254195 -
Flags: superreview?(roc)
Attachment #254195 -
Flags: review?(roc)
![]() |
||
Comment 2•18 years ago
|
||
Er.... but why are we ending up with an out-of-bounds index here?
![]() |
||
Comment 3•18 years ago
|
||
In particular, aren't we also reading past the bounds of the aChildTypes array, etc?
Assignee | ||
Comment 4•18 years ago
|
||
Comment on attachment 254195 [details] [diff] [review]
possible patch
True. There is something else going wrong.
The testcase seems to change mNumRows or mNumCols before NS_FRAME_FIRST_REFLOW.
Attachment #254195 -
Flags: superreview?(roc)
Attachment #254195 -
Flags: review?(roc)
Assignee | ||
Updated•18 years ago
|
Assignee: Olli.Pettay → nobody
Status: ASSIGNED → NEW
![]() |
||
Comment 5•18 years ago
|
||
Well, there should be multiple NS_FRAME_FIRST_REFLOWs here -- appending a text node and changing the "rows" attribute like that should both trigger a frame reconstruct.
![]() |
||
Updated•18 years ago
|
Flags: blocking1.9?
Comment 7•18 years ago
|
||
We're seeing a "similar" frame problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=372013
crash is in a different place, but we are seeing it intermittently with this crash.
Comment 8•18 years ago
|
||
Crashes FF2.0.0.2 also, have not tested FF1.5.x
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Comment 9•18 years ago
|
||
(In reply to comment #2) (from bug 372013)
> Does bug 369150 have the same regression window?
Yes.
doesn't crash in a 2005-09-05 build, does crash in a 2005-09-06 build.
Comment 11•18 years ago
|
||
marking sg:critical based on comment 2 and 3
Group: security
Whiteboard: [sg:critical]
Comment 12•18 years ago
|
||
Smaug: Can you take this bug?
Critical security bugs need to have an owner. If you are not the correct person for this bug, please help us find someone else. Thanks.
Assignee: nobody → Olli.Pettay
Assignee | ||
Comment 13•18 years ago
|
||
Well, Boris said already "I'll look into this, I guess. ;)"
Bz, do you have time for this?
![]() |
||
Comment 14•18 years ago
|
||
The right owner is probably me; I'm just not sure I'll get a chance to debug it before March 27. Between now and then I'm at home for about 90 hours all told. :(
So if I don't get to it tomorrow and we need it fixed Soon, someone else would need to help...
Assignee | ||
Comment 15•18 years ago
|
||
hmm, doesn't crash currently in linux-trunk.
Comment 16•18 years ago
|
||
This seems to have been fixed between 2007-03-04 and 2007-03-05:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+09&cvsroot=%2Fcvsroot
Fixed by bug 370430, somehow?
Comment 17•18 years ago
|
||
This crash still happens when appending a frame element instead of a text node.
Updated•18 years ago
|
Assignee: Olli.Pettay → bzbarsky
Assignee | ||
Comment 18•18 years ago
|
||
Assignee | ||
Comment 19•18 years ago
|
||
or not "where", but "what"
Assignee | ||
Comment 20•18 years ago
|
||
This is simple, though a bit ugly fix.
Better would be to make sure that the old frame isn't reflowed at all
if the number of cols or rows has changed, but I don't know
how to do that in any elegant way. Flushing in SetAttr is not good enough (someone may use mutation events to do something evil).
The patch works also in branches (with --fuzz=4).
bz is still away, so maybe you roc can look at this?
I think this is a good approach.
Should we do the early exit if drag is active too? It seems to me that we should.
Assignee | ||
Comment 22•18 years ago
|
||
Attachment #259353 -
Attachment is obsolete: true
Attachment #259372 -
Flags: review?(roc)
Attachment #259353 -
Flags: review?(roc)
Attachment #259372 -
Flags: superreview+
Attachment #259372 -
Flags: review?(roc)
Attachment #259372 -
Flags: review+
Assignee | ||
Updated•18 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Attachment #259372 -
Flags: approval1.8.1.4?
Attachment #259372 -
Flags: approval1.8.0.12?
Updated•18 years ago
|
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Comment 23•18 years ago
|
||
Comment on attachment 259372 [details] [diff] [review]
v2
approved for 1.8.0.12/1.8.1.4, a=dveditz for release-drivers
Attachment #259372 -
Flags: approval1.8.1.4?
Attachment #259372 -
Flags: approval1.8.1.4+
Attachment #259372 -
Flags: approval1.8.0.12?
Attachment #259372 -
Flags: approval1.8.0.12+
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.0.12,
fixed1.8.1.4
![]() |
||
Comment 24•18 years ago
|
||
Smaug, thanks for hunting this down! Sorry I didn't get a chance to do that before I disappeared. :(
I do have two comments about the patch:
1) This patch assumes that the caller doesn't check the return value from Reflow(). If the caller does, we'll abort reflow of the caller and its other kids, possibly ending up in an inconsistent state. If the caller doesn't, it'll ignore our retval and look at the reflow metrics. So I would much prefer it if we'd set the reflow metrics to sane values (like 0 by 0 or whatnot, or whatever we set them to right now) and returned NS_OK. I think we should make that change on both trunk and branches.
2) The real problem is that reflowing off an event doesn't process pending restyles before reflowing, isn't it? Perhaps we should simply change that instead and back out this change? Or are we also hitting this via FlushPendingNotifications(Flush_OnlyReflow) calls too? I would be happy to drop support for flushing only reflow, expecially since at the moment that already flushes out content anyway, just not style reresolves... Maybe that's the approach we should take on trunk? Or maybe file a followup bug to back this patch out once roc's compositor thing happens?
![]() |
||
Comment 25•18 years ago
|
||
Smaug, could you please post a followup patch or bug about item 1 in comment 24?
Assignee | ||
Comment 26•18 years ago
|
||
Like this?
Attachment #261150 -
Flags: superreview?(bzbarsky)
Attachment #261150 -
Flags: review?(bzbarsky)
![]() |
||
Comment 27•18 years ago
|
||
Hmm. We should probably also set aStatus and call NS_FRAME_SET_TRUNCATION. Note that aDesiredSize seems to be already set to the right size by this point, so we shouldn't need to munge that.
![]() |
||
Comment 28•18 years ago
|
||
Comment on attachment 261150 [details] [diff] [review]
set aDesiredSize.width and .height to 0
See previous comment
Attachment #261150 -
Flags: superreview?(bzbarsky)
Attachment #261150 -
Flags: superreview-
Attachment #261150 -
Flags: review?(bzbarsky)
Attachment #261150 -
Flags: review-
Assignee | ||
Comment 29•18 years ago
|
||
Also Unsetting mDrag, just like what is done after a normal reflow.
Attachment #261171 -
Flags: superreview?(bzbarsky)
Attachment #261171 -
Flags: review?(bzbarsky)
![]() |
||
Comment 30•18 years ago
|
||
Comment on attachment 261171 [details] [diff] [review]
well then this :)
Looks good!
Attachment #261171 -
Flags: superreview?(bzbarsky)
Attachment #261171 -
Flags: superreview+
Attachment #261171 -
Flags: review?(bzbarsky)
Attachment #261171 -
Flags: review+
Assignee | ||
Updated•18 years ago
|
Attachment #261171 -
Flags: approval1.8.1.4?
Attachment #261171 -
Flags: approval1.8.0.12?
Comment 31•18 years ago
|
||
Comment on attachment 261171 [details] [diff] [review]
well then this :)
approved for 1.8.0.12 and 1.8.1.4, a=dveditz
Attachment #261171 -
Flags: approval1.8.1.4?
Attachment #261171 -
Flags: approval1.8.1.4+
Attachment #261171 -
Flags: approval1.8.0.12?
Attachment #261171 -
Flags: approval1.8.0.12+
Comment 32•18 years ago
|
||
Removing branch-fixed keywords so we don't forget we have to land an additional tweak.
Keywords: fixed1.8.0.12,
fixed1.8.1.4
Assignee | ||
Comment 33•18 years ago
|
||
Comment on attachment 261171 [details] [diff] [review]
well then this :)
Checked in to branches
Updated•18 years ago
|
Keywords: fixed1.8.0.12,
fixed1.8.1.4
Comment 34•18 years ago
|
||
verified on the 1.8.0 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with the testcases. Adding branch verified keyword.
Keywords: fixed1.8.0.12 → verified1.8.0.12
Comment 35•18 years ago
|
||
Also verified on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070501 Firefox/2.0.0.4, and 15012rc1 version as well
Updated•18 years ago
|
Group: security
![]() |
||
Updated•18 years ago
|
Flags: wanted1.8.0.x?
Flags: in-testsuite?
Flags: blocking1.9?
Updated•14 years ago
|
Crash Signature: [@ nsHTMLFramesetFrame::GetNoResize]
Updated•6 years ago
|
Product: Core → Core Graveyard
Updated•6 years ago
|
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•