[FIX]Possible to reflow while quote/counter lists are dirty

RESOLVED FIXED in mozilla1.9alpha4

Status


Core
Layout
P1
normal
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: bz, Assigned: bz)

Tracking

({fixed1.8.0.12, fixed1.8.1.4})

Trunk
mozilla1.9alpha4
fixed1.8.0.12, fixed1.8.1.4
Points:
---
Bug Flags:
blocking1.8.1.4 +
wanted1.8.1.x +
blocking1.8.0.12 +
wanted1.8.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:investigate] possible use of dangling pointers?)

Attachments

(2 attachments)

If a reflow flush happens in the middle of an update (e.g. document.body.offsetWidth is accessed in a mutation event handler) on a page with quotes or counters, it's possible to reflow while the quote/counter lists have dangling pointers...  This is pretty undesirable.

I don't have a testcase that demonstrates a problem here, offhand, but I bet fuzz-testing could find one!
Though I would also be interested in seeing whether the quote/counter flush triggers mutation events for the text content changes!
Created attachment 261311
Perhaps like so
Attachment #261311 - Flags: superreview?(dbaron)
Attachment #261311 - Flags: review?(dbaron)
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Summary: Possible to reflow while quote/counter lists are dirty → [FIX]Possible to reflow while quote/counter lists are dirty
Target Milestone: --- → mozilla1.9alpha4
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Whiteboard: [sg:investigate] possible use of dangling pointers?
Comment on attachment 261311
Perhaps like so

r+sr=dbaron
Attachment #261311 - Flags: superreview?(dbaron)
Attachment #261311 - Flags: superreview+
Attachment #261311 - Flags: review?(dbaron)
Attachment #261311 - Flags: review+
Checked in on trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Comment on attachment 261311
Perhaps like so

I think this is a pretty safe patch that we should take on 1.8.
Attachment #261311 - Flags: approval1.8.1.4?
Attachment #261311 - Flags: approval1.8.0.12?
Comment on attachment 261311
Perhaps like so

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #261311 - Flags: approval1.8.1.4?
Attachment #261311 - Flags: approval1.8.1.4+
Attachment #261311 - Flags: approval1.8.0.12?
Attachment #261311 - Flags: approval1.8.0.12+
Created attachment 261705
Merged to branch
Fixed on both branches.
Keywords: fixed1.8.0.12, fixed1.8.1.4
Is there a good way to verify this bug without a testcase?
No. We need to create a testcase if we're serious about verifying it...
Group: security