Closed Bug 411213 Opened 14 years ago Closed 14 years ago
More issues with rtl, -moz-column, overflow: -moz-hidden-unscrollable
The testcases are similar to the testcase in bug 406380, but they still cause problems on trunk.
###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 66
I'm guessing this crashes. (In my tree, I have made this assertion abort.)
###!!! ASSERTION: integer overflow: 'mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 1081
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
This testcase does not trigger a crash or abort.
In a Windows debug build, testcase 1 triggered a DEP error that shut down Firefox. Didn't see a problem with either testcase in a 1.8 branch debug build.
OS: Mac OS X → All
Whiteboard: [sg:critical?] post 1.8-branch?
Tentative P1 because it blocks further fuzzing. Who is an appropriate owner?
Priority: -- → P1
Assignee: nobody → smontagu
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Is overflow:-moz-hidden-unscrollable really needed here? If so, it probably shouldn't be too hard to figure out, since there are relatively few codepaths where that causes different behavior from overflow:visible. (We could potentially even limit it to trusted style sheets only.)
Yes, the testcase needs overflow:-moz-hidden-unscrollable. It doesn't crash with any of the standard overflow values (visible, hidden, scroll, auto).
I did the code audit I suggested in comment 6, and found one very suspicious piece of code. Removing it happens to fix the bug. The idea of overflow:-moz-hidden-unscrollable is that it *doesn't* affect layout. So best not to change Reflow methods based on it (except overflow area computation).
(And, to be clear, I'm working on this non-blocking1.9+ bug because Jesse asked me to have a quick look since it blocks his fuzzing work.)
Comment on attachment 308783 [details] [diff] [review] patch
Simple patch to make a rarely-used, mostly-obsolete -moz-* value not change layout algorithms in unexpected and crashy ways.
Attachment #308783 - Flags: approval1.9?
Comment on attachment 308783 [details] [diff] [review] patch
a1.9=beltzner
Attachment #308783 - Flags: approval1.9? → approval1.9+
Fix checked in to trunk, 2008-03-13 08:23 -0700.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
This landed in March and doesn't apply to the 1.8 branch. Any reason not to open this bug up?