Wide <xul:button> causes nsNativeThemeCocoa::DrawCellWithScaling to autorelease a freed object

VERIFIED FIXED

Status


defect
P1
critical
VERIFIED FIXED
11 years ago
11 years ago

People

(Reporter: jruderman, Assigned: smichaud)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
x86
macOS
Points: ---
Dependency tree / graph
Bug Flags:
blocking1.9.1 +
blocking1.9.0.4 +
wanted1.9.0.x +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments, 2 obsolete attachments)

Version: trunk debug build on Leopard

Loading the testcase causes a malloc error "can't allocate region" (perhaps bug 435223), and then:

objc[20992]: FREED(id): message autorelease sent to freed object=0x1ca0afe0

The malloc error doesn't bother me too much, but touching freed objects is pretty bad.  In fact, with MallocScribble enabled, Firefox dereferences 0x55555575 instead of triggering the error message above.
Whiteboard: [sg:critical?]
Here's a gdb trace of this crash, made with an opt 1.9.0-branch build
containing debug symbols.  It has both console messages and a stack
trace.

I'll be working on this.
Assignee: joshmoz → smichaud
Status: NEW → ASSIGNED
Posted patch Trivial fix (somewhat ugly) (obsolete) — Splinter Review
Here's a trivial patch that fixes the crash -- it refuses to draw when
CGBitmapContextCreate() fails (when it returns NULL).

But the impossibly large button does get drawn on other platforms
(e.g. Windows and Linux), so I suppose we should try to work some kind
of fallback into the drawing code, so that it will still "work" even
when it's called with parameters that are far too large.

Since I'm not very familiar with this code, I'd prefer to leave this
to others.

Josh? :-)
On second thought, maybe I _can_ do better.

Here's a slightly less trivial patch that's considerably less ugly.
You still see errors in the console (which I think is entirely
appropriate), but the button does get drawn (and in the same way as on
Windows and Linux).
Attachment #328691 - Attachment is obsolete: true
Attachment #328698 - Flags: review?(joshmoz)
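Added example, not the patch attached to this bug or to bug 444864 (neither is shown on this page): a C sketch of the defensive pattern the two comments above describe, where a NULL result from the bitmap-creation call is treated as an oversized request and the scratch bitmap is clamped instead of being drawn through. The Bitmap type, the MAX_BITMAP_BYTES cap and draw_cell_with_scaling are constructed stand-ins for CGBitmapContextCreate and nsNativeThemeCocoa::DrawCellWithScaling; the clamping fallback is an assumption about how a fallback could look, not the fix that landed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a CGBitmapContext: a 32-bpp pixel buffer. */
typedef struct {
    size_t width, height, bytesPerRow;
    uint8_t *data;
} Bitmap;

/* Hypothetical cap on the scratch bitmap, standing in for the allocator
 * refusing to map a region for an absurdly wide button. */
#define MAX_BITMAP_BYTES ((size_t)64 * 1024 * 1024)

/* Like CGBitmapContextCreate, returns NULL on failure; callers must check. */
Bitmap *bitmap_create(size_t width, size_t height) {
    if (width == 0 || height == 0) return NULL;
    if (width > SIZE_MAX / 4) return NULL;            /* bytesPerRow overflow */
    size_t bytesPerRow = width * 4;
    if (height > SIZE_MAX / bytesPerRow) return NULL; /* total size overflow */
    size_t total = bytesPerRow * height;
    if (total > MAX_BITMAP_BYTES) return NULL;        /* "can't allocate region" */
    Bitmap *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = calloc(total, 1);
    if (!b->data) { free(b); return NULL; }
    b->width = width; b->height = height; b->bytesPerRow = bytesPerRow;
    return b;
}

void bitmap_release(Bitmap *b) { if (b) { free(b->data); free(b); } }

/* Which path a draw attempt took, so the behaviour can be checked. */
typedef enum { DRAW_DIRECT, DRAW_CLAMPED, DRAW_SKIPPED } DrawResult;

/* Draw a cell of the requested size into a scratch bitmap. If the bitmap
 * cannot be created, retry with the sides clamped to maxSide rather than
 * proceeding with a NULL context (the path that produced the freed-object
 * autorelease in the original report). */
DrawResult draw_cell_with_scaling(size_t width, size_t height, size_t maxSide) {
    DrawResult r = DRAW_DIRECT;
    Bitmap *ctx = bitmap_create(width, height);
    if (!ctx) {
        size_t w = width > maxSide ? maxSide : width;
        size_t h = height > maxSide ? maxSide : height;
        ctx = bitmap_create(w, h);
        r = DRAW_CLAMPED;
    }
    if (!ctx) return DRAW_SKIPPED;  /* still nothing to draw into: give up */
    ctx->data[0] = 0xFF;            /* placeholder for the real cell drawing */
    bitmap_release(ctx);
    return r;
}
```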
Comment on attachment 328698 [details] [diff] [review]
Less ugly fix (still pretty trivial)

This patch is (I think) superseded by my current patch for bug 444864
(attachment 329570 [details] [diff] [review]).
Attachment #328698 - Attachment is obsolete: true
Attachment #328698 - Flags: review?(joshmoz)
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
Priority: -- → P1
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.3?
The autorelease-after-deletion problem is an Apple bug.  See bug 449111
comment #5.
Flags: blocking1.9.1?
Does that mean we can't fix it? Can we work around it?
Is there an Apple bug reference for the problem?
We can work around the problem.  The patch for bug 444864 does so.
Fixed by patch for bug 444864, which was just landed on mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reopened because I've backed out my patch for bug 444864 (which
probably caused some reftest failures).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Fixed by my new patch for bug 444864, which was just landed on mozilla-central.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crashtest is in (bug 444864 comment 26).
Flags: in-testsuite+
I assume this isn't needed for Firefox 2 because it's cocoa? If that's incorrect please nominate for blocking 1.8.1.x
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.3?
Flags: blocking1.9.0.3+
This bug (bug 444260), bug 444864 and bug 449111 only affect (happen on)
Firefox 3.X -- not Firefox 2.
Fixed on the 1.9.0 branch by the patch for bug 444864.
Keywords: fixed1.9.0.4
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified by using the testcase in Comment 0.
Status: RESOLVED → VERIFIED
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Group: core-security
Keywords: verified1.9.1
Keywords: fixed1.9.1