Closed Bug 384344 Opened 18 years ago Closed 18 years ago

free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: pvnick, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords, Whiteboard: [sg:critical?] 1.8-branch only)

Attachments

(4 files)

Testcase
288 bytes, text/html
Details
stack
6.21 KB, text/plain
Details
patch
4.03 KB, patch
dveditz
: review+
dveditz
: superreview+
dveditz
: approval1.8.1.5+
dveditz
: approval1.8.0.13+
Details | Diff | Splinter Review
A few remaining assertions after patch
5.82 KB, text/plain
Details
Attached file Testcase
Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1223562608 (LWP 4878)] 0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, aSID=@0xbfe65950) at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210 210 char* resetOrInherit = NS_REINTERPRET_CAST(char*, *NS_REINTERPRET_CAST(void**, resetOrInheritSlot)); (gdb) print resetOrInheritSlot $1 = 0xddddddfd <Address 0xddddddfd out of bounds> (gdb) bt #0 0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, aSID=@0xbfe65950) at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210 #1 0x085c1b28 in nsStyleContext::GetStyleData (this=0xdddddddd, aSID=eStyleStruct_Display) at /home/pvnick/Desktop/mozilla/layout/style/nsStyleContext.cpp:248 #2 0x08435842 in nsIFrame::GetStyleData (this=0xb145adf0, aSID=eStyleStruct_Display) at /home/pvnick/Desktop/mozilla/layout/mathml/base/src/../../../generic/nsIFrame.h:608 #3 0x0843585d in nsIFrame::GetStyleDisplay (this=0xb145adf0) at ../../../dist/include/layout/nsStyleStructList.h:90 #4 0x08413d51 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, aRemovedFrame=0xaf55b9c8, aFrame=0xaf55bad0) at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9755 #5 0x08413d21 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, aRemovedFrame=0xaf55b9c8, aFrame=0xaf55b9c8) at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9740 #6 0x084150f5 in DeletingFrameSubtree (aPresContext=0xb1481fe8, aFrameManager=0xb14aec6c, aFrame=0xaf55b9c8) at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9812
Assignee: roc → nobody
Component: Layout: View Rendering → Layout
QA Contact: ian → layout
Summary: Read AV at nsCachedStyleData:GetStyleData → free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree
I think this is a duplicate of bug 366128 / bug 322436...
Keywords: crash, testcase
Attached file stack
Attached patch patchSplinter Review
Merging rev. 1.1352 -> 1.1353 + rev. 1.1354 -> 1.1355 of layout/base/nsCSSFrameConstructor.cpp fixes the crash. There are still a few line layout assertions though...
What assertions?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
I happened to have a diagnostic frame dump on the "How'd we get a floated inline frame?" assertion in this tree so I'm including that as well.
Assignee: nobody → mats.palmgren
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:moderate?] 1.8-branch only
Do we need to fix those assertions? If we've got a fix for a crash involving deleted objects that sounds like good progress to get into FF2.0.0.5. Time is tight: please get some reviews and request approval on this.
Whiteboard: [sg:moderate?] 1.8-branch only → [sg:critical?] 1.8-branch only
Comment on attachment 268290 [details] [diff] [review] patch r/sr=bzbarsky over IRC approved for 1.8.1.5 and 1.8.0.13, a=dveditz
Attachment #268290 - Flags: superreview+
Attachment #268290 - Flags: review+
Attachment #268290 - Flags: approval1.8.1.5+
Attachment #268290 - Flags: approval1.8.0.13+
MOZILLA_1_8_BRANCH mozilla/layout/base/nsCSSFrameConstructor.cpp 1.1110.6.81 MOZILLA_1_8_0_BRANCH mozilla/layout/base/nsCSSFrameConstructor.cpp 1.1110.6.12.2.58 -> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.13, fixed1.8.1.5
Resolution: --- → FIXED
verified fixed 1.8.1.5 using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007071216 BonEcho/2.0.0.5pre and the Testcase from comment 0 . No crash on testcase - build remain stable - adding verified keyword.
Keywords: fixed1.8.1.5verified1.8.1.5
Depends on: 322436, 366128
verified fixed in 1.8.0.13 using Thunderbird build 2007080918 on Windows XP (en-US). No crash with test case.
Keywords: fixed1.8.0.13verified1.8.0.13
Group: security
Flags: in-testsuite?
crash test landed http://hg.mozilla.org/mozilla-central/rev/d849dbf33b4f
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: