Closed Bug 822842 Opened 12 years ago Closed 12 years ago

Crash [@ nsROCSSPrimitiveValue::Reset] after setting padding-left-value (!?)

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox20 + verified

People

(Reporter: jruderman, Assigned: tbsaunde)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

testcase
400 bytes, text/html
Details
stacks
6.23 KB, text/plain
Details
patch
1.77 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file testcase
1. Load the testcase 2. Quit Firefox immediately. Result: Some subset of the following three symptoms: ###!!! ASSERTION: Null string should never happen: 'mValue.mString', file layout/style/nsROCSSPrimitiveValue.cpp, line 643 ###!!! ASSERTION: Null RGBColor should never happen: 'mValue.mColor', file layout/style/nsROCSSPrimitiveValue.cpp, line 655 Null deref [@ nsROCSSPrimitiveValue::Reset] Maybe a regression from some of the work in bug 821593?
Attached file stacks
Very likely, yes (or rather the combination of that and bug 798567). The problem, at first glance, is that nsROCSSPrimitiveValue::Reset does not reset mType. So if you Reset() twice in a row after starting with a color/uri/rect/counter/attr/string type, you crash. And you get the reset-twice behavior if you first unlink and then call the destructor, since unlink resets... Trevor, mind taking a look?
Assignee: nobody → trev.saunders
Blocks: 821593, 798567
tracking-firefox20: --- → ?
(In reply to Boris Zbarsky (:bz) from comment #2) > Very likely, yes (or rather the combination of that and bug 798567). The > problem, at first glance, is that nsROCSSPrimitiveValue::Reset does not > reset mType. So if you Reset() twice in a row after starting with a > color/uri/rect/counter/attr/string type, you crash. I'd hope that nsMemory::Free() behaves like free() and accepts null without crashing, but this is the issue here. > And you get the reset-twice behavior if you first unlink and then call the > destructor, since unlink resets... yeah, Reset() should just make mType CSS_UNKNOWN so calling it again is a nop. Can we force a cycle to test this? > Trevor, mind taking a look? I already was, thanks for the guess.
nsMemory::Free accepting null might help string/attr/counter. But the rect and rgbcolor cases both use NS_RELEASE, which is not null-safe. We could NS_IF_RELEASE, but it seems better to reset mType to me.
(In reply to Boris Zbarsky (:bz) from comment #4) > nsMemory::Free accepting null might help string/attr/counter. But the rect > and rgbcolor cases both use NS_RELEASE, which is not null-safe. We could > NS_IF_RELEASE, but it seems better to reset mType to me. agreed, I mostly didn't write a patch doing that already because I wasn't sure if there was a reasonable way to test this.
SpecialPowers should give you the ability to gc/cc which might trigger this. Just make sure to set an expando on the RGBColor to force cc to be needed to clean it up.
Attached patch patchSplinter Review
In theory the test should work, but I can't figure out how to run it so I can't really test that. However manually I could nolong reproduce with the given test case.
Comment on attachment 693714 [details] [diff] [review] patch Hmm. Is there SpecialPowers in crashtests?
(In reply to Boris Zbarsky (:bz) from comment #8) > Comment on attachment 693714 [details] [diff] [review] > patch > > Hmm. Is there SpecialPowers in crashtests? I got this working, and image/test/crashtests/ownerdiscard.html seems to assume so too, so I think yes. It turns out my problem was make crashtest TESt_PATH=blah makes the test harness try and use srcdir/<random unicode> as the manifest instead of blah or srcdir/blah. However TEST_PATH=blah make crashtest works.
Comment on attachment 693714 [details] [diff] [review] patch >+ x.getRGBColor().blue.d = x; that should be getRGBColorValue() of course which is fixed locally.
Attachment #693714 - Flags: review?(bzbarsky)
Comment on attachment 693714 [details] [diff] [review] patch r=me
Attachment #693714 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/dc7bc91d2e7d
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Reproduced the issue on 2012-12-18-mozilla-central-debug. Verified fixed on 2013-03-21-mozilla-beta-debug on Mac OS X 10.7.5
Status: RESOLVED → VERIFIED
status-firefox20: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: