Closed
Bug 533379
Opened 15 years ago
Closed 15 years ago
"ASSERTION: overflow list w/o frames" or "ABORT: running past end" with -moz-column, list-style-position
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a1
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files)
First testcase: ###!!! ASSERTION: overflow list w/o frames: 'mFrames.NotEmpty()', file /Users/jruderman/mozilla-central/layout/generic/nsInlineFrame.cpp, line 375 Second testcase: ###!!! ABORT: running past end: 'mCurrent != mListLink', file /Users/jruderman/mozilla-central/layout/generic/nsLineBox.h, line 637
|
Reporter | |
Comment 1•15 years ago
|
||
|
|
Reporter | |
Comment 2•15 years ago
|
||
|
Assignee | |
Updated•15 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
|
|
Assignee | |
Comment 4•15 years ago
|
||
Looks like a regression from bug 512471. I suspect that the if-condition really meant to test 'aFromLine == ...' rather than testing nsLineBox pointers? It looks simpler to just test the parameter that says if it's an overflow line or not. Changing the if-condition fixes the ABORT_IF_FALSE crash in debug builds, then testcase 2 just asserts as testcase 1. The assert is caused by nsInlineFrame::PullOneFrame removing the last frame on the principal child list, while still having an overflow frame. Not sure if we really should have overflow at that point, but moving the overflow frames to mFrames when it becomes empty fixes the assert and pass TryServer unit tests. (It appears there's still a rendering error for testcase 2 - the 'A' is black when it should be red according to the first-letter style. I think it's an unrelated bug.)
Attachment #416806 -
Flags: review?(bzbarsky)
|
||
Updated•15 years ago
|
Attachment #416806 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 5•15 years ago
|
||
Comment on attachment 416806 [details] [diff] [review] Patch rev. 1 > I suspect that the if-condition really meant to test 'aFromLine == ...' rather > than testing nsLineBox pointers? aFromLine == fromLine, no? Point taken about not doing begin() on an empty line list, though. ;)
|
|
Assignee | |
Comment 6•15 years ago
|
||
> aFromLine == fromLine, no? No, that would always be true since fromLine is initialized from aFromLine (implicitly using "operator pointer()"). > Point taken about not doing begin() on an empty line list, though. ;) Creating the iterator isn't the problem, but there's an implicit conversion to nsLineBox* through "operator pointer()" to be able to compare it with fromLine and inside that operator there's a NS_ABORT_IF_FALSE which aborts DEBUG builds if the list is empty. In an opt build we compare fromLine to a bogus pointer which actually does the right thing - always executing the 'else' block. So this bug isn't a security problem.
|
|
Assignee | |
Comment 7•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/ac78d85dd932 http://hg.mozilla.org/mozilla-central/rev/ec1f0c9136d0 http://hg.mozilla.org/mozilla-central/rev/bf4186834437
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
|
|
||
Comment 8•15 years ago
|
||
> No, that would always be true Right, so |fromLine == aFromContainer->mLines.begin()| and the |aFromLine == aFromContainer->mLines.begin()| you were suggesting are completely equivalent. Or did I misunderstand what you were suggesting in comment 4?
|
|
Assignee | |
Comment 9•15 years ago
|
||
They invoke different operator methods... but yeah, I see now that nsLineList_iterator::operator==" has its own a NS_ABORT_IF_FALSE(... "comparing iterators over different lists") which would trigger in this case.
|
||
Comment 10•14 years ago
|
||
the assertion ###!!! ASSERTION: overflow list w/o frames: 'mFrames.NotEmpty()', file /work/mozilla/builds/1.9.2/mozilla/layout/generic/nsInlineFrame.cpp, line 374 is also triggered by the testcase from bug 542136 , so shouldn't this patch also not land on 1.9.2 ?
blocking1.9.2: --- → ?
|
||
Comment 11•14 years ago
|
||
If we take this we would also probably want bug 537645.
|
||
Comment 12•14 years ago
|
||
Bug 537645 is pretty huge in terms of patch size. Do we think that this is something that we need to take on 1.9.2 for security reasons (there's no sg: rating), or just assertion cleanup.
|
|
||
Comment 13•14 years ago
|
||
Are you looking at the right bug? Bug 537645 has a 1.42kb patch and an sg: rating.
|
||
Comment 14•14 years ago
|
||
Does this affect 1.9.1, too?
|
|
Assignee | |
Comment 15•14 years ago
|
||
> Does this affect 1.9.1, too? No. The crash in this bug is a regression from bug 512471 and does not affect 1.9.2 or 1.9.1. The nsBlockFrame change fixed this part. The nsInlineFrame change fixed "ASSERTION: overflow list w/o frames" which do occur on 1.9.2 and 1.9.1, but the code deals with it: http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsInlineFrame.cpp#371 http://mxr.mozilla.org/mozilla1.9.1/source/layout/generic/nsInlineFrame.cpp#354 so it's harmless and doesn't seem worth fixing on branches.
|
|
||
Updated•14 years ago
|
Group: core-security
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•