Closed
Bug 457514
Opened 16 years ago
Closed 15 years ago
Crash [@ NeedFrameFor] with floating :first-letter
Categories
(Core :: Layout: Floats, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta2-fixed |
| blocking1.9.1 | --- | .6+ |
| status1.9.1 | --- | .6-fixed |
People
(Reporter: jruderman, Assigned: tnikkel)
References
Details
(5 keywords, Whiteboard: [sg:critical?])
Crash Data
Attachments
(3 files)
|
488 bytes,
text/html
|
Details | |
|
1.60 KB,
patch
|
bzbarsky
:
review+
roc
:
approval1.9.2+
|
Details | Diff | Splinter Review |
|
1.57 KB,
patch
|
bzbarsky
:
review+
dveditz
:
superreview+
dveditz
:
approval1.9.1.6+
dveditz
:
approval1.9.0.16+
|
Details | Diff | Splinter Review |
This testcase triggers
###!!! ASSERTION: Should have Reset() before destruction!: 'mCurrentWord.Length() == 0', file /Users/jruderman/central/content/base/src/nsLineBreaker.cpp, line 51
(like bug 448615), then crashes [@ NeedFrameFor].
|
||
Updated•16 years ago
|
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
|
|
||
Comment 1•16 years ago
|
||
OK. So we crash in NeedFrameFor because aParentFrame is 0xdddddddd. No idea why that is, yes.
the testcase reports in !exploitable
>
> Exploitability Classification: PROBABLY_EXPLOITABLE
> Recommended Bug Title: Probably Exploitable - Data from Faulting Address
> controls Code Flow starting at gklayout!NeedFrameFor+0x11
> (Hash=0x67336e00.0x705c1723)
>
> The data from the faulting address is later used as the target for a branch.
Group: core-security
Whiteboard: [sg:critical?]
|
||
Comment 3•15 years ago
|
||
This still crashes trunk, but with a slightly different stack. Using a trunk debug build from 20090929 I hit two assertions (same one as Jesse plus a second) before the crash, which now happens in ContentAppended:
###!!! ASSERTION: Should have been cleared: 'mBreakSinks.IsEmpty()', file /build/m-c/src/layout/generic/nsTextFrameThebes.cpp, line 650
###!!! ASSERTION: Should have Reset() before destruction!: 'mCurrentWord.Length() == 0', file /build/m-c/src/content/base/src/nsLineBreaker.cpp, line 51
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xf0dea91f
0x10e6565a in nsCSSFrameConstructor::ContentAppended (this=0xf131320, aContainer=0x150fa530, aNewIndexInContainer=2) at /build/m-c/src/layout/base/nsCSSFrameConstructor.cpp:6344
6344 nsIAtom* frameType = parentFrame->GetType();
|
Assignee | |
Comment 4•15 years ago
|
||
The assertions are a separate issue; they can be triggered without the crash, and the crash can happen without the assertions. This is to fix the crash.
When we insert the "T", the parent frame gets set to the first letter frame in GetInsertionPrevSibling. Then when we adjust the parent for first-letter style, we use its parent which is the containing block, and so we end up trying to insert the "T" with the div as the parent and it ends up just wrong. Instead we need to get the parent of the placeholder frame and use that as parent.
Assignee: nobody → tnikkel
Attachment #406414 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•15 years ago
|
Flags: in-testsuite?
|
Reporter | |
Comment 5•15 years ago
|
||
Bug 448615 covers the assertions, I think.
|
|
||
Comment 6•15 years ago
|
||
Comment on attachment 406414 [details] [diff] [review]
patch
Ah, nice catch! r=bzbarsky
Attachment #406414 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 7•15 years ago
|
||
We'll want this on all branches.
blocking1.9.1: --- → ?
Flags: blocking1.9.0.16?
|
|
Assignee | |
Updated•15 years ago
|
Attachment #406414 -
Flags: approval1.9.2?
|
||
Updated•15 years ago
|
blocking1.9.1: ? → .5+
status1.9.1:
--- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.16?
Flags: blocking1.9.0.16+
|
|
Assignee | |
Comment 8•15 years ago
|
||
Boris, can you give this a quick once over?
Attachment #406892 -
Flags: review?(bzbarsky)
Attachment #406892 -
Flags: approval1.9.1.5?
Attachment #406892 -
Flags: approval1.9.0.16?
|
|
||
Comment 9•15 years ago
|
||
Comment on attachment 406892 [details] [diff] [review]
patch for 1.9.1 and 1.9.0
Looks good.
Attachment #406892 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 10•15 years ago
|
||
Is there any reason this hasn't landed on mozilla-central for testing yet?
Flags: blocking1.9.2?
|
|
Assignee | |
Comment 11•15 years ago
|
||
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Attachment #406414 -
Flags: approval1.9.2? → approval1.9.2+
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [needs 1.9.2 landing][sg:critical?]
Flags: blocking1.9.2? → wanted1.9.2+
Whiteboard: [needs 1.9.2 landing][sg:critical?] → [needs 192 landing][sg:critical?]
|
|
Assignee | |
Comment 12•15 years ago
|
||
status1.9.2:
--- → final-fixed
Whiteboard: [needs 192 landing][sg:critical?] → [sg:critical?]
Target Milestone: mozilla1.9.3a1 → mozilla1.9.2
|
|
Assignee | |
Comment 13•15 years ago
|
||
Reminder to myself to add bug 503936 as crashtest when landing this on the remaining branches.
|
|
||
Comment 14•15 years ago
|
||
Comment on attachment 406892 [details] [diff] [review]
patch for 1.9.1 and 1.9.0
sr=dveditz
Approved for 1.9.1.6 and 1.9.0.16, a=dveditz for release-drivers
Attachment #406892 -
Flags: superreview+
|
|
||
Updated•15 years ago
|
Attachment #406892 -
Flags: approval1.9.1.6?
Attachment #406892 -
Flags: approval1.9.1.6+
Attachment #406892 -
Flags: approval1.9.0.16?
Attachment #406892 -
Flags: approval1.9.0.16+
|
|
Assignee | |
Comment 15•15 years ago
|
||
|
|
||
Comment 16•15 years ago
|
||
Checking in nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v <-- nsCSSFrameConstructor.cpp
new revision: 1.1488; previous revision: 1.1487
Checking in layout/base/crashtests/503936-1.html;
/cvsroot/mozilla/layout/base/crashtests/503936-1.html,v <-- 503936-1.html
initial revision: 1.1
Checking in layout/base/crashtests/crashtests.list;
/cvsroot/mozilla/layout/base/crashtests/crashtests.list,v <-- crashtests.list
new revision: 1.103; previous revision: 1.102
Keywords: fixed1.9.0.16
|
||
Comment 17•15 years ago
|
||
Verified for 1.9.1.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6pre) Gecko/20091110 Shiretoko/3.5.6pre using the testcase. Testcase crashes with 1.9.1.5 easily.
Keywords: verified1.9.1
|
|
||
Comment 18•15 years ago
|
||
Verified for 1.9.0.16 using testcase and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Crashes 1.9.0.15 cleanly.
Keywords: fixed1.9.0.16 → verified1.9.0.16
|
||
Updated•14 years ago
|
Crash Signature: [@ NeedFrameFor]
|
||
Comment 20•12 years ago
|
||
Flags: in-testsuite? → in-testsuite+
|
||
Comment 21•12 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•