Closed
Bug 422011
Opened 16 years ago
Closed 16 years ago
crashes [@ nsCSSValue::nsCSSValue] copy constructor due to float assignment on uninitialized data
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9beta5
People
(Reporter: dbaron, Assigned: dbaron)
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(2 files)
61.45 KB,
text/html
|
Details | |
2.35 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
I noticed a few of these incidents on crash-stats.mozilla.org : this crash is currently #80 for Fx 3.0b4. I'm surprised it's not higher. I'll attach a sample incident and a patch. The problem is that nsCSSValue's copy constructor does float assignment in the else case, which looks like (at least on Windows) is compiled to something that uses floating point instructions, which can fault when certain bad float values are used. (See bug 302536 for some more details.)
Assignee | ||
Updated•16 years ago
|
Assignee | ||
Comment 1•16 years ago
|
||
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•16 years ago
|
||
I made a case for the valueless units in the copy constructor, and moved what seemed to me to be the most common cases to the front. I also made the Dummy unit work a little better and cleaned up the whitespace/parens in the copy ctor. Compiles and passes layout/style/test/ mochitests.
Attachment #308556 -
Flags: superreview?(bzbarsky)
Attachment #308556 -
Flags: review?(bzbarsky)
Comment 3•16 years ago
|
||
Comment on attachment 308556 [details] [diff] [review] patch r+sr=bzbarsky. Can we try to get in a crashtest for this?
Attachment #308556 -
Flags: superreview?(bzbarsky)
Attachment #308556 -
Flags: superreview+
Attachment #308556 -
Flags: review?(bzbarsky)
Attachment #308556 -
Flags: review+
Assignee | ||
Comment 4•16 years ago
|
||
Comment on attachment 308556 [details] [diff] [review] patch Simple fix for a not-quite-top-crash.
Attachment #308556 -
Flags: approval1.9?
Comment 5•16 years ago
|
||
Comment on attachment 308556 [details] [diff] [review] patch a1.9+=damons
Attachment #308556 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 6•16 years ago
|
||
I don't think a crashtest is practical since if this crashed reliably Firefox would crash on startup. Fix checked in to trunk, 2008-03-12 15:05 -0700.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
OS: All → Windows XP
Hardware: All → PC
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9beta5
Updated•16 years ago
|
Flags: in-testsuite-
Updated•13 years ago
|
Crash Signature: [@ nsCSSValue::nsCSSValue]
You need to log in
before you can comment on or make changes to this bug.
Description
•