Closed
Bug 411213
Opened 18 years ago
Closed 17 years ago
More issues with rtl, -moz-column, overflow: -moz-hidden-unscrollable
Categories
(Core :: Layout, defect, P2)
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: dbaron)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch?)
Attachments
(3 files)
285 bytes, text/html
284 bytes, application/xml
723 bytes, patch (roc: review+, roc: superreview+, beltzner: approval1.9+)
The testcases are similar to the testcase in bug 406380, but they still cause problems on trunk.
Flags: blocking1.9?
Reporter
Comment 1•18 years ago
###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 66
I'm guessing this crashes. (In my tree, I have made this assertion abort.)
Reporter
Comment 2•18 years ago
###!!! ASSERTION: integer overflow: 'mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 1081
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
This testcase does not trigger a crash or abort.
Comment 3•18 years ago
In a Windows debug build, testcase 1 triggered a DEP error that shut down Firefox. Didn't see a problem with either testcase in a 1.8 branch debug build.
Flags: wanted1.8.1.x-
OS: Mac OS X → All
Whiteboard: [sg:critical?] post 1.8-branch?
Comment 4•18 years ago
Tentative P1 because it blocks further fuzzing.
Who is an appropriate owner?
Priority: -- → P1
Simon.
Assignee: nobody → smontagu
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Flags: wanted1.9.0.x+
Assignee
Comment 6•17 years ago
Is overflow:-moz-hidden-unscrollable really needed here? If so, it probably shouldn't be too hard to figure out, since there are relatively few codepaths where that causes different behavior from overflow:visible. (We could potentially even limit it to trusted style sheets only.)
Flags: blocking1.9-
Updated•17 years ago
Flags: tracking1.9+
Reporter
Comment 7•17 years ago
Yes, the testcase needs overflow:-moz-hidden-unscrollable. It doesn't crash with any of the standard overflow values (visible, hidden, scroll, auto).
Assignee
Comment 8•17 years ago
I did the code audit I suggested in comment 6, and found one very suspicious piece of code. Removing it happens to fix the bug.
The idea of overflow:-moz-hidden-unscrollable is that it *doesn't* affect layout. So best not to change Reflow methods based on it (except overflow area computation).
Assignee: smontagu → dbaron
Status: NEW → ASSIGNED
Attachment #308783 - Flags: superreview?(roc)
Attachment #308783 - Flags: review?(roc)
Assignee
Comment 9•17 years ago
(And, to be clear, I'm working on this non-blocking1.9+ bug because Jesse asked me to have a quick look since it blocks his fuzzing work.)
Attachment #308783 - Flags: superreview?(roc)
Attachment #308783 - Flags: superreview+
Attachment #308783 - Flags: review?(roc)
Attachment #308783 - Flags: review+
Assignee
Comment 10•17 years ago
Comment on attachment 308783 [details] [diff] [review]
patch
Simple patch to make a rarely-used mostly-obsolete -moz-* value not change layout algorithms in unexpected and crashy ways.
Attachment #308783 - Flags: approval1.9?
Comment 11•17 years ago
Comment on attachment 308783 [details] [diff] [review]
patch
a1.9=beltzner
Attachment #308783 - Flags: approval1.9? → approval1.9+
Assignee
Comment 12•17 years ago
Fix checked in to trunk, 2008-03-13 08:23 -0700.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: in-testsuite?
Comment 13•17 years ago
This landed in March and doesn't apply to the 1.8 branch. Any reason not to open this bug up?
Flags: wanted1.9.0.x+
Updated•17 years ago
Group: core-security
Reporter
Updated•17 years ago
Flags: in-testsuite? → in-testsuite+