Closed
Bug 476345
Opened 15 years ago
Closed 15 years ago
The memory allocator in nsCSSValue::Array is not alignment safe
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b3
People
(Reporter: martin, Assigned: dbaron)
Details
(Keywords: fixed1.9.1)
Attachments
(3 files, 2 obsolete files)
1.10 KB,
patch
|
Details | Diff | Splinter Review | |
2.86 KB,
patch
|
Details | Diff | Splinter Review | |
6.38 KB,
patch
|
roc
:
approval1.9.1+
|
Details | Diff | Splinter Review |
The file layout/style/nsCSSValue.h overrides operator new for nsCSSValue::Array. This implementation does not work on alignement critical 64 bit architectures. The natural alignement requirements of nsCSSValue (8 byte, since it contains pointers in the union) do not fit the "(char*)this + sizeof(*this)" calculation which results in only 4 byte aligned pointers.
Reporter | ||
Comment 1•15 years ago
|
||
This is only a hack to verify that fixing this alignement avoids a crash I've been seeing when visiting some websites (facebook being an example). With the patch, everything works fine. I bet NSPR offers better ALIGN/ROUNDUP or similar macros that preferably should be used for a real fix. I can test, or create a better fix if someone tells me which way it should be.
Assignee | ||
Comment 2•15 years ago
|
||
The far simpler fix would be to include the first item in the array in the Array struct; then the compiler would be required to include the alignment requirements of nsCSSValue as part of sizeof(nsCSSValue::Array), since sizeof() is (I believe) required to include the alignment requirements of the contents so that it can be used for allocating arrays.
Assignee | ||
Updated•15 years ago
|
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Priority: -- → P3
Version: unspecified → Trunk
Assignee | ||
Comment 3•15 years ago
|
||
Could you test this patch and check that it fixes the problem?
Reporter | ||
Comment 4•15 years ago
|
||
Nice solution - and empirically verified: works!
Assignee | ||
Updated•15 years ago
|
Summary: The memory allocator in nsCSSValue::Array is not alignement safe → The memory allocator in nsCSSValue::Array is not alignment safe
Assignee | ||
Comment 5•15 years ago
|
||
Comment on attachment 360007 [details] [diff] [review] patch I've never liked this approach in all the other places it's used in our code (since it depends on structure ordering, although maybe C++ guarantees that), but I guess now I know there's a reason for it. (I should probably add it to the portability guidelines...)
Attachment #360007 -
Flags: superreview?(bzbarsky)
Attachment #360007 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•15 years ago
|
Attachment #360007 -
Flags: superreview?(bzbarsky)
Attachment #360007 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 6•15 years ago
|
||
Er, sorry, meant to provide a new patch with missed substitution fixed. And I'll attach a diff of the moved code separately.
Attachment #360007 -
Attachment is obsolete: true
Attachment #360189 -
Flags: superreview?(bzbarsky)
Attachment #360189 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 7•15 years ago
|
||
Updated•15 years ago
|
Attachment #360189 -
Flags: superreview?(bzbarsky)
Attachment #360189 -
Flags: superreview+
Attachment #360189 -
Flags: review?(bzbarsky)
Attachment #360189 -
Flags: review+
Comment 8•15 years ago
|
||
Comment on attachment 360189 [details] [diff] [review] patch This looks fine, but can we NS_ABORT_IF_FALSE if someone passes 0 as the aItemCount to our operator new?
Assignee | ||
Comment 9•15 years ago
|
||
Comment on attachment 360189 [details] [diff] [review] patch Pretty straightforward portability fix that we should probably take on 1.9.1.
Attachment #360189 -
Flags: approval1.9.1?
Assignee | ||
Comment 10•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d9eff1fb5e60
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Assignee | ||
Comment 11•15 years ago
|
||
Had to back out since it turns out that doesn't compile on Windows. http://hg.mozilla.org/mozilla-central/rev/c5044341110e http://hg.mozilla.org/mozilla-central/rev/a1f57294eb00
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Updated•15 years ago
|
Attachment #360189 -
Flags: approval1.9.1?
Assignee | ||
Comment 12•15 years ago
|
||
It turns out Windows doesn't like it if you forward-declare the same nested struct twice in a class declaration. If I don't add the forward-decl (which duplicated an earlier one that I hadn't seen), it's fine.
Attachment #360189 -
Attachment is obsolete: true
Attachment #360653 -
Flags: approval1.9.1?
Assignee | ||
Comment 13•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/bded4e432e7a
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Attachment #360653 -
Flags: approval1.9.1? → approval1.9.1+
Assignee | ||
Comment 14•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/9c15e15e1361
Keywords: fixed1.9.1
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
You need to log in
before you can comment on or make changes to this bug.
Description
•