Bug 377216 - [FIX]Possible to reflow while quote/counter lists are dirty
Whiteboard: [sg:investigate] possible use of dang...
Keywords: fixed1.8.0.12, fixed1.8.1.4
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.9alpha4
Assigned To: Boris Zbarsky [:bz] (TPAC)
Reported: 2007-04-11 15:58 PDT by Boris Zbarsky [:bz] (TPAC)
Modified: 2007-05-30 15:37 PDT
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+

Perhaps like so (3.67 KB, patch)
2007-04-11 16:11 PDT, Boris Zbarsky [:bz] (TPAC)
dbaron: review+
dbaron: superreview+
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+
Merged to branch (3.66 KB, patch)
2007-04-16 11:33 PDT, Boris Zbarsky [:bz] (TPAC)
no flags

Description Boris Zbarsky [:bz] (TPAC) 2007-04-11 15:58:43 PDT
If a reflow flush happens in the middle of an update (e.g. document.body.offsetWidth is accessed in a mutation event handler) on a page with quotes or counters, it's possible to reflow while the quote/counter lists have dangling pointers...  This is pretty undesirable.

I don't have a testcase that demonstrates a problem here, offhand, but I bet fuzz-testing could find one!
Comment 1 Boris Zbarsky [:bz] (TPAC) 2007-04-11 16:01:50 PDT
Though I would also be interested in seeing whether the quote/counter flush triggers mutation events for the text content changes!
Comment 2 Boris Zbarsky [:bz] (TPAC) 2007-04-11 16:11:36 PDT
Created attachment 261311
Perhaps like so
Comment 3 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2007-04-15 16:50:21 PDT
Comment on attachment 261311
Perhaps like so

Comment 4 Boris Zbarsky [:bz] (TPAC) 2007-04-15 17:11:34 PDT
Checked in on trunk.
Comment 5 Boris Zbarsky [:bz] (TPAC) 2007-04-15 17:12:14 PDT
Comment on attachment 261311
Perhaps like so

I think this is a pretty safe patch that we should take on 1.8.
Comment 6 Daniel Veditz [:dveditz] 2007-04-16 10:47:34 PDT
Comment on attachment 261311
Perhaps like so

approved for and, a=dveditz for release-drivers
Comment 7 Boris Zbarsky [:bz] (TPAC) 2007-04-16 11:33:39 PDT
Created attachment 261705
Merged to branch
Comment 8 Boris Zbarsky [:bz] (TPAC) 2007-04-16 11:34:36 PDT
Fixed on both branches.
Comment 9 Samuel Sidler (old account; do not CC) 2007-04-30 16:44:54 PDT
Is there a good way to verify this bug without a testcase?
Comment 10 Boris Zbarsky [:bz] (TPAC) 2007-04-30 19:45:17 PDT
No.  We need to create a testcase if we're serious about verifying it...
