Closed Bug 975397 Opened 10 years ago Closed 10 years ago

border-image on element with :visited-dependent styles gives ###!!! ABORT: Should be tracking any image we're going to use!: 'mImageTracked', layout\style \nsStyleStruct.h, line 208

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking

RESOLVED FIXED
mozilla31
Tracking Status
firefox29 --- affected
firefox30 --- affected
firefox31 - fixed

People

(Reporter: cbook, Assigned: dbaron)

Details

(Keywords: assertion, testcase, Whiteboard: [qa-])

Attachments

(3 files, 1 obsolete file)

found via bughunter on https://itunes.apple.com/br/app/three-little-pigs-by-nosy/id418543664?mt=8&ign-mpt=uo=4

(feel free to open this bug if it's not a security issue)

loading this page results in a trunk debug build on win7 with:

[720] ###!!! ABORT: Should be tracking any image we're going to use!: 'mImageTracked', file c:\users\mozilla\debug-builds\mozilla-central\layout\style\nsStyleStruct.h, line 208
Attached file bughunter stack (obsolete) —
Attached file testcase
Keywords: testcase
Fwiw, the assertion was added in bug 512260 part 3.
Keywords: assertion
Priority: -- → P3
Attached file stack
Attachment #8379710 - Attachment is obsolete: true
dbaron: how bad is this assertion?
Flags: needinfo?(dbaron)
Flags: needinfo?(dbaron)
Oops, bugzilla doesn't let me transfer a needinfo? to somebody else unless I *also* uncheck the checkbox that says I'm answering it.
Flags: needinfo?(tnikkel)
Believe it or not I haven't ever dealt with tracking of CSS images, only img elements and related. So I don't know the answer off the top of my head.
Flags: needinfo?(tnikkel)
After a quick look I would think that if we didn't track an image the worst that could happen is we don't keep around the decoding image, so we have to do more decoding work, maybe we might not draw the image at all in some situations, and if it's an animated image we might not animate it. There could be worse consequences but at the surface that's what I would guess.
Group: core-security
Depends on: 987015
I repro this consistently on a new profile accessing http://www.apple.com with 34c6e4261eb036cb6050d5b1a73cd9bc4f5f6251 as my head
I can reproduce this 100% on current trunk on nexus 4:

Go to maps.google.com
Search for Mozilla and click on Mozilla SF office address.
I confirmed that the crashtest crashes in the harness without the patch.
Attachment #8400924 - Flags: review?(cam)
I'm somewhat curious as to why fuzzers didn't find this until very recently (bug 987015).  Did we only recently start fuzzing in a way that triggered painting?

It doesn't seem like it should be a recent regression, although maybe I'm missing something.  It looks to me like a regression from bug 512260 (August 2010), since bug 147777 was slightly earlier (April 2010).
Flags: needinfo?(jruderman)
Attachment #8400924 - Flags: review?(cam) → review+
> I'm somewhat curious as to why fuzzers didn't find this until very recently (bug 987015).

My guess is that https://hg.mozilla.org/mozilla-central/rev/13a5fb1e8525 helped by giving the fuzzer an example of giving the "border-image-source" property a data: image-URL value.  I filed two bugs involving that pattern in the last month.
Flags: needinfo?(jruderman)
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2d529d8aa2b
Flags: in-testsuite+
OS: Windows 7 → All
Hardware: x86 → All
Summary: ###!!! ABORT: Should be tracking any image we're going to use!: 'mImageTracked', layout\style \nsStyleStruct.h, line 208 → border-image on element with :visited-dependent styles gives ###!!! ABORT: Should be tracking any image we're going to use!: 'mImageTracked', layout\style \nsStyleStruct.h, line 208
https://hg.mozilla.org/mozilla-central/rev/c2d529d8aa2b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
I don't think this needs tracking or QA verification. Please correct me if you think I am wrong.
Whiteboard: [qa?] → [qa-]
I don't think we need to track this; please re-nominate if there is some additional justification.