Bug 377216
Opened 18 years ago
Closed 18 years ago
[FIX]Possible to reflow while quote/counter lists are dirty
Categories: Core :: Layout, defect, P1
Tracking: RESOLVED FIXED, mozilla1.9alpha4
People: Reporter: bzbarsky, Assigned: bzbarsky
Details: Keywords: fixed1.8.0.12, fixed1.8.1.4, Whiteboard: [sg:investigate] possible use of dangling pointers?
Attachments (2 files)
3.67 KB, patch | dbaron: review+, dbaron: superreview+, dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+
3.66 KB, patch
If a reflow flush happens in the middle of an update (e.g. document.body.offsetWidth is accessed in a mutation event handler) on a page with quotes or counters, it's possible to reflow while the quote/counter lists have dangling pointers... This is pretty undesirable.
I don't have a testcase that demonstrates a problem here, offhand, but I bet fuzz-testing could find one!
Comment 1 • 18 years ago (Assignee)
Though I would also be interested in seeing whether the quote/counter flush triggers mutation events for the text content changes!
Comment 2 • 18 years ago (Assignee)
Attachment #261311 - Flags: superreview?(dbaron)
Attachment #261311 - Flags: review?(dbaron)
Updated • 18 years ago (Assignee)
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Summary: Possible to reflow while quote/counter lists are dirty → [FIX]Possible to reflow while quote/counter lists are dirty
Target Milestone: --- → mozilla1.9alpha4
Updated • 18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4? → blocking1.8.1.4+
Flags: blocking1.8.0.12? → blocking1.8.0.12+
Whiteboard: [sg:investigate] possible use of dangling pointers?
Comment on attachment 261311
Perhaps like so
r+sr=dbaron
Attachment #261311 - Flags: superreview?(dbaron) → superreview+
Attachment #261311 - Flags: review?(dbaron) → review+
Comment 4 • 18 years ago (Assignee)
Checked in on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 5 • 18 years ago (Assignee)
Comment on attachment 261311
Perhaps like so
I think this is a pretty safe patch that we should take on 1.8.
Attachment #261311 - Flags: approval1.8.1.4?
Attachment #261311 - Flags: approval1.8.0.12?
Comment 6 • 18 years ago
Comment on attachment 261311
Perhaps like so
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #261311 - Flags: approval1.8.1.4? → approval1.8.1.4+
Attachment #261311 - Flags: approval1.8.0.12? → approval1.8.0.12+
Comment 7 • 18 years ago (Assignee)
Comment 9 • 18 years ago
Is there a good way to verify this bug without a testcase?
Comment 10 • 18 years ago (Assignee)
No. We need to create a testcase if we're serious about verifying it...
Updated • 18 years ago
Group: security