Closed Bug 411213 Opened 14 years ago Closed 14 years ago

More issues with rtl, -moz-column, overflow: -moz-hidden-unscrollable

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dbaron)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch?)

Attachments

(3 files)

testcase 1 (might crash Firefox when loaded)
285 bytes, text/html
Details
testcase 2
284 bytes, application/xml
Details
patch
723 bytes, patch
roc
: review+
roc
: superreview+
beltzner
: approval1.9+
Details | Diff | Splinter Review 
The testcases are similar to the testcase in bug 406380, but they still cause problems on trunk.
Flags: blocking1.9?
###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 66

I'm guessing this crashes.  (In my tree, I have made this assertion abort.)
Attached file testcase 2 
###!!! ASSERTION: integer overflow: 'mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 1081

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92

This testcase does not trigger a crash or abort.
In a windows debug build testcase 1 triggered a DEP error that shut down Firefox. Didn't see a problem with either testcase in a 1.8 branch debug build.
Flags: wanted1.8.1.x-
OS: Mac OS X → All
Whiteboard: [sg:critical?] post 1.8-branch?
Tentative P1 because it blocks further fuzzing.

Who is an appropriate owner?
Priority: -- → P1
Simon.
Assignee: nobody → smontagu
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Is overflow:-moz-hidden-unscrollable really needed here?  If so, it probably shouldn't be too hard to figure out, since there are relatively few codepaths where that causes different behavior from overflow:visible.  (We could potentially even limit it to trusted style sheets only.)
Flags: blocking1.9-
Flags: tracking1.9+
Yes, the testcase needs overflow:-moz-hidden-unscrollable.  It doesn't crash with any of the standard overflow values (visible, hidden, scroll, auto).
Attached patch patchSplinter Review 
I did the code audit I suggested in comment 6, and found one very suspicious piece of code.  Removing it happens to fix the bug.

The idea of overflow:-moz-hidden-unscrollable is that it *doesn't* affect layout.  So best not to change Reflow methods based on it (except overflow area computation).
Assignee: smontagu → dbaron
Status: NEW → ASSIGNED
Attachment #308783 - Flags: superreview?(roc)
Attachment #308783 - Flags: review?(roc)
(And, to be clear, I'm working on this non-blocking1.9+ bug because Jesse asked me to have a quick look since it blocks his fuzzing work.)
Attachment #308783 - Flags: superreview?(roc)
Attachment #308783 - Flags: superreview+
Attachment #308783 - Flags: review?(roc)
Attachment #308783 - Flags: review+
Comment on attachment 308783 [details] [diff] [review]
patch

Simple patch to make an rarely-used mostly-obsolete -moz-* value not change layout algorithms in unexpected and crashy ways.
Attachment #308783 - Flags: approval1.9?
Comment on attachment 308783 [details] [diff] [review]
patch

a1.9=beltzner
Attachment #308783 - Flags: approval1.9? → approval1.9+
Fix checked in to trunk, 2008-03-13 08:23 -0700.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
This landed in March and doesn't apply to the 1.8 branch. Any reason not to open this bug up?
Flags: wanted1.9.0.x+
Group: core-security
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.