ASSERTION: reflowing in the middle of frame construction with onoverflow, bindings and iframe

Status: RESOLVED WORKSFORME
Product: Core
Component: Layout
Priority: P3
Severity: normal
Reported: 10 years ago
Last updated: 3 years ago

People

Reporter: Martijn Wargers (dead)
Assignee: Unassigned

Tracking

Version: Trunk
Keywords: assertion, testcase
Points: ---
Bug Flags: blocking1.9 -, wanted1.8.1.x ?, in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:critical?]

Attachments

1 attachment: testcase, 910 bytes, application/vnd.mozilla.xul+xml
Description (Reporter)

10 years ago
Created attachment 291886 [details]: testcase

See testcase, which triggers this assertion for me in current debug trunk build:
###!!! ASSERTION: reflowing in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file c:\mozilla-build\mozilla\layout\base\nsPresContext.h, line 929

Maybe this is an event handling issue, because I use onoverflow?

The first binding has a field that calls getBoxObjectFor on the root element.
The second binding is just an empty binding.

Comment 1

10 years ago
I can reproduce on Mac.
OS: Windows XP → All
Hardware: PC → All
Usual deal.  This is the relevant part of the stack:

#23 0xb4c8a7e4 in nsFrameLoader::Destroy (this=0xb19eee78)
    at ../../../../mozilla/content/base/src/nsFrameLoader.cpp:265
#24 0xb4a53828 in nsSubDocumentFrame::Destroy (this=0x87aa8b4)
    at ../../../mozilla/layout/generic/nsFrameFrame.cpp:739

That stops the loadgroup, which fires onload.  In this case, the onload layout flush is what's causing the assert, but we could have script running there just as easily.

I swear we have bugs on this....
Group: security
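The re-entrancy path in the stack above (subdocument frame destroyed during frame construction, load group stopped, onload fired, layout flushed) modelled as an added example. This is not Mozilla code: PresContext, PhaseScope, FlushLayout, FrameLoader and ConstructFramesWithIframe are toy stand-ins that reuse the counter name from the assertion, and the model refuses the mid-construction flush and counts it rather than asserting.

```cpp
#include <functional>

// Toy model (not Mozilla code) of the per-phase counters behind the assertion
// "mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0".
enum LayoutPhase { eLayoutPhase_FrameC = 0, eLayoutPhase_Reflow = 1, eLayoutPhase_COUNT };

struct PresContext {
    int mLayoutPhaseCount[eLayoutPhase_COUNT] = {0, 0};
    int refusedFlushes = 0;     // flushes blocked because frame construction was active
    int completedReflows = 0;   // flushes that actually ran
};

// RAII marker: bumps the counter for one phase while that phase is on the stack.
struct PhaseScope {
    PresContext& pc; LayoutPhase phase;
    PhaseScope(PresContext& p, LayoutPhase ph) : pc(p), phase(ph) { ++pc.mLayoutPhaseCount[phase]; }
    ~PhaseScope() { --pc.mLayoutPhaseCount[phase]; }
};

// Layout flush. A debug build asserts here; this model refuses the re-entrant
// flush instead, so half-built frames are never reflowed.
bool FlushLayout(PresContext& pc) {
    if (pc.mLayoutPhaseCount[eLayoutPhase_FrameC] != 0) {
        ++pc.refusedFlushes;
        return false;
    }
    PhaseScope reflow(pc, eLayoutPhase_Reflow);
    ++pc.completedReflows;
    return true;
}

// Stand-in for nsFrameLoader: Destroy() stops the load group, which fires onload.
struct FrameLoader {
    std::function<void()> onload;
    void Destroy() { if (onload) onload(); }
};

// Frame construction for a document with an iframe: tearing down the old
// subdocument frame re-enters script (the onload handler), which flushes layout.
PresContext ConstructFramesWithIframe() {
    PresContext pc;
    FrameLoader loader;
    loader.onload = [&pc] { FlushLayout(pc); };   // script handler asking for layout
    {
        PhaseScope frameConstruction(pc, eLayoutPhase_FrameC);
        loader.Destroy();   // flush requested mid-construction: refused
    }
    FlushLayout(pc);        // construction finished: this flush runs normally
    return pc;
}
```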

Comment 3

10 years ago
We have: Bug 395609 is one, and IIRC there are more
Depends on: 395609

Comment 4

10 years ago
bz et al, is this likely to be exploitable?
Flags: blocking1.9?
Yes.

Updated

10 years ago
Whiteboard: [sg:critical?]

Comment 6

10 years ago
Given comment #5, moving to blocking list.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Priority: P2 → P3
Flags: wanted1.9.0.x+
Flags: blocking1.9-

Comment 7

10 years ago
WFM on Mac.  I get an error message about seeing </binding> but expecting </content>.

Updated

9 years ago
Flags: tracking1.9+
(Reporter)

Comment 8

9 years ago
Yeah, also worksforme here on current windows debug trunk build.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
Could _really_ use a test.
Flags: in-testsuite?

Comment 10

9 years ago
I'd check in the testcase as a crashtest if this bug wasn't security-sensitive.
Well... is this a problem on branch?

Comment 12

9 years ago
It might be hard to tell, since the 1.8 branch doesn't have the "reflowing in the middle of frame construction" assertion.
What have we done in similar cases? Don't lots of our current crash tests crash on branch, possibly exploitably?
Flags: wanted1.9.0.x+ → wanted1.8.1.x?
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/31c3029265eb
Group: core-security
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/31c3029265eb
Assignee: nobody → martijn.martijn
Assignee: martijn.martijn → nobody