Closed Bug 424629 Opened 13 years ago Closed 13 years ago

"ASSERTION: child list is not empty for initial reflow" with RLO, wrapping

Categories: Core :: Layout: Text and Fonts
Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People: Reporter: jruderman, Assigned: jruderman

References: Blocks 1 open bug

Details: Keywords: assertion, crash, testcase; Whiteboard: [sg:critical?]

Attachments: 1 file

Loading the testcase triggers:

###!!! ASSERTION: child list is not empty for initial reflow: 'mFrames.IsEmpty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 326

Closing (e.g. reloading) the testcase triggers:

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

This bug appears to be exploitable.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
I filed bug 424631 on an inconsistent-rendering issue that I noticed while making the testcase for this bug.  Is it related to the reason the testcase in this bug triggers assertion failures?
sg:critical bugs _should_ block the 1.9 release, although some have been moved to 1.9.0.x.
Moving to tracking - we'll take a fix as soon as we have one...
Flags: tracking1.9+
Flags: blocking1.9?
Flags: blocking1.9-
The testcase no longer triggers assertions now that bug 424631 is fixed.  Uri, does it make sense that the fix for bug 424631 could have fixed the memory-safety bug (as opposed to just making it go away for this testcase)?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Yes, I think it makes sense. That bug was about inconsistent inline continuation chains, which might very well have led to problems when freeing them.
Depends on: 424631
Flags: in-testsuite?
Group: core-security