Closed Bug 534366 Opened 15 years ago Closed 15 years ago

"ASSERTION: Some pres arena objects were not freed" with MathML, :first-line, :before

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- alpha1+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: roc)

References

Details

(4 keywords, Whiteboard: [sg:investigate])

Attachments

(3 files)

testcase 1 - ASSERTION: Some pres arena objects were not freed
1014 bytes, text/html
Details
testcase 2 - poison crash [@ nsLayoutUtils::GetNextContinuationOrSpecialSibling]
1.07 KB, text/html
Details
fix
789 bytes, patch
dbaron
: review+
Details | Diff | Splinter Review 
###!!! ASSERTION: Some pres arena objects were not freed: 'mPresArenaAllocCount == 0', file /Users/jruderman/mozilla-central/layout/base/nsPresShell.cpp, line 1550

This assertion often indicates the presence of a security hole (which frame poisoning does not mitigate).
Caused by bug 504524.
Blocks: 504524
Assignee: nobody → roc
blocking2.0: --- → ?
Attached patch fixSplinter Review 
Trivial fix
Attachment #417273 - Flags: review?(dbaron)
Comment on attachment 417273 [details] [diff] [review]
fix

r=dbaron

(seems like an additional piece of the fix in bug 523468)
Attachment #417273 - Flags: review?(dbaron) → review+
This also fixes bug 525986.
(In reply to comment #4)
> (seems like an additional piece of the fix in bug 523468)

Indeed.

(In reply to comment #5)
> This also fixes bug 525986.

Great!
Blocks: 525986
Whiteboard: [needs landing]
from the patch we're using an uninitialzed irs.mLineLayout?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Keywords: regression
Whiteboard: [needs landing] → [needs landing][sg:investigate]
No. The constructor initializes mLineLayout to null.
http://hg.mozilla.org/mozilla-central/rev/56f45a084369
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing][sg:investigate] → [sg:investigate]
I need to check this test in.
Flags: in-testsuite?
Whiteboard: [sg:investigate] → [sg:investigate][needs landing]
blocking2.0: ? → alpha1
Priority: -- → P1
Group: core-security
Crashtests: http://hg.mozilla.org/mozilla-central/rev/4a4e6dea49bd
Flags: in-testsuite? → in-testsuite+
Whiteboard: [sg:investigate][needs landing] → [sg:investigate]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: