Closed Bug 397007 Opened 17 years ago Closed 17 years ago

"ASSERTION: no element to return" and memory corruption with :before, -moz-column

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla1.9beta1

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical])

Attachments

(3 files, 1 obsolete file)

testcase (may crash Firefox or make Firefox unstable) 17 years ago Jesse Ruderman 508 bytes, text/html		Details
Patch rev. 1 17 years ago Mats Palmgren (inactive) 3.23 KB, patch		Details \| Diff \| Splinter Review
patch rev. 2 17 years ago Robert O'Callahan (:roc) (email my personal email if necessary) 9.55 KB, patch	MatsPalmgren_bugz : review- MatsPalmgren_bugz : superreview-	Details \| Diff \| Splinter Review
Patch rev. 3 17 years ago Mats Palmgren (inactive) 9.75 KB, patch	roc : review+ roc : superreview+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

17 years ago

Attached file testcase (may crash Firefox or make Firefox unstable) — Details

Loading the testcase triggers two assertions and corrupts random memory, often leading to a crash later. ###!!! ASSERTION: no element to return: '!empty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsLineBox.h, line 1247 ###!!! ASSERTION: running past end: 'mCurrent != mListLink', file /Users/jruderman/trunk/mozilla/layout/base/../generic/nsLineBox.h, line 620

Flags: blocking1.9?

Jesse Ruderman

Reporter

Updated

•

17 years ago

Whiteboard: [sg:critical]

Mats Palmgren (inactive)

Comment 1

•

17 years ago

I'm also seeing (on Linux): ###!!! ASSERTION: ResolveBidi called on non-first continuation: '!GetPrevInFlow()', file nsBlockFrame.cpp, line 6627 The crash is caused by setting a bit in arbitrary memory when |line| is an overflow line and |mLines| is empty: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/generic/nsBlockFrame.cpp&rev=3.866&root=/cvsroot&mark=5225-5226#5197

Assignee: nobody → mats.palmgren

OS: Mac OS X → All

Hardware: PC → All

Mats Palmgren (inactive)

Comment 2

•

17 years ago

Attached patch Patch rev. 1 (obsolete) — Details — Splinter Review

* fix the assertion in comment 1. * fix the crash. (I'm guessing we don't need to set this bit in case the frame is in an overflow line.) * remove an unused variable

Attachment #281822 - Flags: superreview?(roc)

Attachment #281822 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 3

•

17 years ago

#ifdef IBMBIDI - ResolveBidi(); + if (!GetPrevInFlow()) + ResolveBidi(); #endif // IBMBIDI This is not the correct fix for this. Simon is working on a better fix in bug 394805. + if (!searchingOverflowList && line != mLines.front()) { We should still set the bit when the frame is an overflow line. We just need to check against the right first-line.

Mats Palmgren (inactive)

Comment 4

•

17 years ago

Ok, how about the case when it's the first overflow line - do we want to set the bit on the last line (if any) in mLines in that case?

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 5

•

17 years ago

Yes, actually. Good call.

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 6

•

17 years ago

Attached patch patch rev. 2 — Details — Splinter Review

This crash is annoying me, so here's my stab at a patch.

Assignee: mats.palmgren → roc

Attachment #281822 - Attachment is obsolete: true

Status: NEW → ASSIGNED

Attachment #282242 - Flags: superreview?(mats.palmgren)

Attachment #282242 - Flags: review?(mats.palmgren)

Attachment #281822 - Flags: superreview?(roc)

Attachment #281822 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 7

•

17 years ago

I need review here, Mats

Jesse Ruderman

Reporter

Updated

•

17 years ago

Blocks: 376419

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Updated

•

17 years ago

Flags: blocking1.9? → blocking1.9+

Mats Palmgren (inactive)

Comment 8

•

17 years ago

Comment on attachment 282242 [details] [diff] [review] patch rev. 2 Looks good so far, but you forgot the case in comment 4.

Attachment #282242 - Flags: superreview?(mats.palmgren)

Attachment #282242 - Flags: superreview-

Attachment #282242 - Flags: review?(mats.palmgren)

Attachment #282242 - Flags: review-

Mats Palmgren (inactive)

Comment 9

•

17 years ago

Attached patch Patch rev. 3 — Details — Splinter Review

Your patch + an added else-block for the first overflow line case.

Attachment #283874 - Flags: superreview?(roc)

Attachment #283874 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Updated

•

17 years ago

Attachment #283874 - Flags: superreview?(roc)

Attachment #283874 - Flags: superreview+

Attachment #283874 - Flags: review?(roc)

Attachment #283874 - Flags: review+

Mats Palmgren (inactive)

Comment 10

•

17 years ago

mozilla/layout/generic/nsBlockFrame.cpp 3.874 mozilla/layout/generic/nsBlockFrame.h 3.252 -> FIXED

Status: ASSIGNED → RESOLVED

Closed: 17 years ago

Flags: in-testsuite?

Resolution: --- → FIXED

Target Milestone: --- → mozilla1.9 M9

Mats Palmgren (inactive)

Updated

•

17 years ago

Blocks: 398821

Samuel Sidler (old account; do not CC)

Comment 11

•

17 years ago

v. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007110610 Minefield/3.0a9pre

Status: RESOLVED → VERIFIED

Jesse Ruderman

Reporter

Comment 12

•

17 years ago

The testcase doesn't trigger any assertions or crashes on branch.

Group: security

Flags: wanted1.8.1.x-

Jesse Ruderman

Reporter

Comment 13

•

17 years ago

Crashtest checked in.

Flags: in-testsuite? → in-testsuite+

You need to log in before you can comment on or make changes to this bug.