Closed Bug 384649 Opened 17 years ago Closed 17 years ago

[FIXr]Memory corruption with MathML table, position: fixed, position: inherit

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical])

Attachments

(3 files)

testcase (causes memory corruption / crashes)
529 bytes, application/xhtml+xml
Details
stack traces for the assertions
27.93 KB, text/plain
Details
Getting the right parent style context up front helps
2.02 KB, patch
dbaron
: review+
dbaron
: superreview+
Details | Diff | Splinter Review 
Loading the testcase causes several of each of these assertions:

###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 318

###!!! ASSERTION: wrong display type on rowframe: 'NS_STYLE_DISPLAY_TABLE_ROW == childFrame->GetStyleDisplay()->mDisplay', file /Users/jruderman/trunk/mozilla/layout/tables/nsTableRowFrame.cpp, line 1287

It often leads to a random crash, either immediately or later.  I'm guessing this means the bug causes Firefox to corrupt a random part of its heap.

The symptoms are very similar to those in bug 372376.
Flags: blocking1.9?
Crashes in random places, with random addresses on top --> [sg:critical]
Whiteboard: [sg:critical]

    
    

    
  
We have a nsMathMLmtrFrame which has a display:block mContent...  Specifically, it's the one for the <mtr>.

I assume that testcase is pretty minimal?

    
    

    
  
> I assume that testcase is pretty minimal?

I think so, but I've been proven wrong before.

    
    

    
  
>ASSERTION: wrong display type on rowframe: 'NS_STYLE_DISPLAY_TABLE_ROW
This is a very serious assert, once you see this crashing is the rule not the exception. The assert usually indicates a frame construction problem which typically is the result of style resolution issue as one can see in bug 372376.
>It often leads to a random crash, either immediately or later.  

    
    

    
  
Yeah, the frame tree is pretty busted.  See comment 3.  The question is how we got there...

    
    

    
  
Looks like a possible regression from bug 323656.  Hard to tell.  In any case, patch coming up.  The basic problem is using a different style parent for the initial style resolution and the style reresolve...
Blocks: 323656

    
    

    
  


  
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #271244 -
        Flags: superreview?(dbaron)

        Attachment #271244 -
        Flags: review?(dbaron)

    
    

    
  
This might not be as much of an issue on branch because of the style rules we have there... but I think we still want this fix on branch.
Summary: Memory corruption with MathML table, position: fixed, position: inherit → [FIX]Memory corruption with MathML table, position: fixed, position: inherit
Flags: blocking1.9? → blocking1.9+

    
    

    
  
Comment on attachment 271244 [details] [diff] [review]
Getting the right parent style context up front helps

r+sr=dbaron.  Sorry for the delay.

Do you think any other similar calls should be fixed?  I'm particularly suspicious of the ones in CreateFloatingLetterFrame, CreateLetterFrame, RemoveFloatingFirstLetterFrames, and RemoveFirstLetterFrames.  And maybe also the ones in PropagateScrollToViewport.

        Attachment #271244 -
        Flags: superreview?(dbaron)

        Attachment #271244 -
        Flags: superreview+

        Attachment #271244 -
        Flags: review?(dbaron)

        Attachment #271244 -
        Flags: review+

    
    

    
  
CreateFloatingLetterFrame resolves the following style contexts:
  - Style context for the text inside the first-letter, parented to the 
    first-letter.  This is correct.
  - Style context for the text outside the first-letter, parented to the
    first-letter's parent context.  This is also correct.

CreateLetterFrame just does the first of those two, again correctly.

RemoveFloatingFirstLetterFrames resolves style for the text using the style parent of the first-letter.  Again, correct.

Same for RemoveFirstLetterFrames.

PropagateScrollToViewport uses the style resolved for the root element as the parent for the style resolved for a child of the root element.  That's correct as well.

In general, the issues arise when an anon box is incorrectly used as the style parent for an element or pseudo-element or text.  In all the cases above, that's not happening.

I just checked all the callers of ResolveStyleFor(), and the following look fishy:

* nsSplitterFrame::Init: this should be getting the right style parent
                         directly off its style context.
* nsMathMLmactionFrame::Init: same
* ReResolveStyleContext when reresolving the undisplayed content.  I'm just
  not sure how that works, given that it's keyed off the content, and various
  stacked anonymous boxes can share the same content pointer...  Do you happen
  to know?

For ResolveStyleForNonElement, the only issue I see is the ReResolveStyleContext one.

For ResolvePseudoStyleFor resolving style for pseudo-elements (which is where we might need to adjust the style context):
* nsBlockFrame::SetInitialChildList is covered by another patch you just
  reviewed.
* I think the tree style cache is ok.
* ReResolveStyleContext... I can't tell offhand.  :(
* Frameset should be ok
* Frame constructor is ok.

    
  
Summary: [FIX]Memory corruption with MathML table, position: fixed, position: inherit → [FIXr]Memory corruption with MathML table, position: fixed, position: inherit

    
    

    
  
Comment on attachment 271244 [details] [diff] [review]
Getting the right parent style context up front helps

Fixes a bug in MathML frame construction which leads to frametree corruption.  Fairly low risk, and we need this.

        Attachment #271244 -
        Flags: approval1.9?

    
    

    
  
Comment on attachment 271244 [details] [diff] [review]
Getting the right parent style context up front helps

Er, nevermind.  This is blocking+, so I'm set.  ;)

        Attachment #271244 -
        Flags: approval1.9?

    
    

    
  
Fixed.  Filed bug 390689 on comment 11.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M8

    
    

    
  
I don't see any assertions or crashes on branch, so I'm making this bug report public.
Group: security
Flags: wanted1.8.1.x-

    
    

    
  
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: