Closed Bug 422011 Opened 16 years ago Closed 16 years ago

crashes [@ nsCSSValue::nsCSSValue] copy constructor due to float assignment on uninitialized data

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta5

People

(Reporter: dbaron, Assigned: dbaron)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(2 files)

incident a38720e3-ed40-11dc-b458-001a4bd43e5c
61.45 KB, text/html
Details
patch
2.35 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
damons
: approval1.9+
Details | Diff | Splinter Review 
I noticed a few of these incidents on crash-stats.mozilla.org : this crash is currently #80 for Fx 3.0b4.  I'm surprised it's not higher.

I'll attach a sample incident and a patch.  The problem is that nsCSSValue's copy constructor does float assignment in the else case, which looks like (at least on Windows) is compiled to something that uses floating point instructions, which can fault when certain bad float values are used.  (See bug 302536 for some more details.)
Severity: normal → critical
Keywords: crash, topcrash
Summary: crashes [@ nsCSSValue::nsCSSValue] copy constructor due to float assignment on unitialized data → crashes [@ nsCSSValue::nsCSSValue] copy constructor due to float assignment on uninitialized data
Assignee: nobody → dbaron
Status: NEW → ASSIGNED

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
I made a case for the valueless units in the copy constructor, and moved what seemed to me to be the most common cases to the front.  I also made the Dummy unit work a little better and cleaned up the whitespace/parens in the copy ctor.

Compiles and passes layout/style/test/ mochitests.

        Attachment #308556 -
        Flags: superreview?(bzbarsky)

        Attachment #308556 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 308556 [details] [diff] [review]
patch

r+sr=bzbarsky. Can we try to get in a crashtest for this?

        Attachment #308556 -
        Flags: superreview?(bzbarsky)

        Attachment #308556 -
        Flags: superreview+

        Attachment #308556 -
        Flags: review?(bzbarsky)

        Attachment #308556 -
        Flags: review+

    
    

    
  
Comment on attachment 308556 [details] [diff] [review]
patch

Simple fix for a not-quite-top-crash.

        Attachment #308556 -
        Flags: approval1.9?

    
    

    
  
Comment on attachment 308556 [details] [diff] [review]
patch

a1.9+=damons

        Attachment #308556 -
        Flags: approval1.9? → approval1.9+

    
    

    
  
I don't think a crashtest is practical since if this crashed reliably Firefox would crash on startup.

Fix checked in to trunk, 2008-03-12 15:05 -0700.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
OS: All → Windows XP
Hardware: All → PC
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9beta5

    
  
Flags: in-testsuite-
Crash Signature: [@ nsCSSValue::nsCSSValue]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: