Bug 1009036 - Use-after-poison of nsStyleContext with bidi, convertPointFromNode
Opened 10 years ago. Closed 10 years ago.
Categories: Core :: Layout, defect
Status: VERIFIED FIXED. Target Milestone: mozilla32

Branch | Tracking | Status
---|---|---
firefox31 | --- | wontfix
firefox32 | --- | verified
firefox-esr24 | --- | wontfix
firefox-esr31 | --- | wontfix
b2g-v1.4 | --- | unaffected

People: Reporter: jruderman, Assigned: MatsPalmgren_bugz
Whiteboard: [adv-main32-] (4 keywords)
Attachments: 5 files, 1 obsolete file
No description provided.
Comment 1 (Reporter) • 10 years ago
Comment 2 (Reporter) • 10 years ago
Comment 3 (Assignee) • 10 years ago
I think what happens is that the second GetFirstNonAnonymousFrameForGeometryNode call (for the text node) leads to EnsureFrameForTextNode, which inserts a new child frame into 'fromFrame', which causes frames to be reconstructed for some reason, and thus 'fromFrame' points to a destroyed frame. Checking if it's still alive should be good enough, I think. (IIRC, we discussed this scenario during review but dismissed it since the second Flush_Layout couldn't possibly do anything after we had already flushed in the first call.) http://mxr.mozilla.org/mozilla-central/source/layout/base/GeometryUtils.cpp#33
Assignee: nobody → matspal
Comment 4 (Assignee) • 10 years ago
And the "for some reason" is we destroy the whole frame tree for performance! :-) http://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#7806
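The hazard described in comments 3 and 4, as an added illustration that is not Gecko code: a caller caches a raw frame pointer ('fromFrame') across a second lookup, that lookup can tear down and rebuild the entire frame tree, and the cached pointer then refers to poisoned arena memory. The fix shape is the one the assignee names, re-checking that the frame is still alive after the second call. Everything here (Frame, FrameArena, WeakFrame, Layout, the poison byte, the bump-style arena that never reuses a slot, and the generation counter) is a hypothetical stand-in chosen for the demo, not Mozilla's nsIFrame, frame arena or weak-frame machinery.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Minimal stand-in for a layout frame (hypothetical; not nsIFrame).
struct Frame {
  int nodeId;
  int offsetX;
};

// Arena that poisons a frame's memory when the frame is destroyed.  Slots are
// handed out bump-style and never reused here (a simplification so that a
// dangling pointer stays detectably dead); real allocators recycle memory,
// which is why the weak reference below validates against a generation
// counter instead of inspecting the memory.
class FrameArena {
 public:
  static constexpr std::size_t kSlots = 16;
  static constexpr unsigned char kPoison = 0xE5;  // arbitrary poison byte

  Frame* Allocate(int nodeId) {
    if (next_ == kSlots) return nullptr;
    Frame* f = new (storage_[next_]) Frame{nodeId, nodeId * 10};
    live_[next_] = true;
    ++next_;
    return f;
  }

  // Tear down the whole tree: poison every live frame, bump the generation.
  void DestroyAll() {
    for (std::size_t i = 0; i < next_; ++i) {
      if (live_[i]) {
        std::memset(storage_[i], kPoison, sizeof(Frame));
        live_[i] = false;
      }
    }
    ++generation_;
  }

  bool IsAlive(const Frame* f) const {
    for (std::size_t i = 0; i < next_; ++i) {
      if (static_cast<const void*>(storage_[i]) == static_cast<const void*>(f)) {
        return live_[i];
      }
    }
    return false;
  }

  std::uint64_t Generation() const { return generation_; }

 private:
  alignas(Frame) unsigned char storage_[kSlots][sizeof(Frame)];
  bool live_[kSlots] = {};
  std::size_t next_ = 0;
  std::uint64_t generation_ = 0;
};

// Weak reference that reads as null once the tree it came from was rebuilt.
class WeakFrame {
 public:
  WeakFrame(const FrameArena& arena, Frame* frame)
      : arena_(arena), frame_(frame), generation_(arena.Generation()) {}
  Frame* Get() const {
    return arena_.Generation() == generation_ ? frame_ : nullptr;
  }
 private:
  const FrameArena& arena_;
  Frame* frame_;
  std::uint64_t generation_;
};

// Stand-in for GetFirstNonAnonymousFrameForGeometryNode: creates a frame for
// the node.  With creationRebuildsTree set it first tears the tree down,
// modelling EnsureFrameForTextNode triggering a full frame reconstruction.
struct Layout {
  FrameArena arena;
  Frame* GetFrameForNode(int nodeId, bool creationRebuildsTree) {
    if (creationRebuildsTree) arena.DestroyAll();
    return arena.Allocate(nodeId);
  }
};

// Pre-fix shape: fromFrame is a raw pointer cached across the second lookup.
// Rather than dereference it (the use-after-poison), report whether it still
// names a live frame.
bool CachedFromFrameSurvives(Layout& layout, int fromNode, int toNode,
                             bool secondLookupRebuildsTree) {
  Frame* fromFrame = layout.GetFrameForNode(fromNode, false);
  layout.GetFrameForNode(toNode, secondLookupRebuildsTree);
  return layout.arena.IsAlive(fromFrame);
}

// Post-fix shape: hold fromFrame weakly and re-validate it after the second
// lookup; bail out (leaving *outDeltaX untouched) if the frame is gone.
bool ConvertPointFromNode(Layout& layout, int fromNode, int toNode,
                          bool secondLookupRebuildsTree, int* outDeltaX) {
  WeakFrame fromWeak(layout.arena, layout.GetFrameForNode(fromNode, false));
  Frame* toFrame = layout.GetFrameForNode(toNode, secondLookupRebuildsTree);
  Frame* fromFrame = fromWeak.Get();
  if (!fromFrame || !toFrame) return false;
  *outDeltaX = toFrame->offsetX - fromFrame->offsetX;
  return true;
}

int main() {
  Layout quiet, rebuilt, fixedQuiet, fixedRebuilt;
  std::printf("raw pointer alive after quiet lookup: %d\n",
              CachedFromFrameSurvives(quiet, 1, 2, false));
  std::printf("raw pointer alive after rebuild:      %d\n",
              CachedFromFrameSurvives(rebuilt, 1, 2, true));
  int dx = 0;
  bool ok = ConvertPointFromNode(fixedQuiet, 1, 2, false, &dx);
  std::printf("fixed path, quiet lookup: ok=%d dx=%d\n", ok, dx);
  ok = ConvertPointFromNode(fixedRebuilt, 1, 2, true, &dx);
  std::printf("fixed path, rebuild:      ok=%d (bailed out)\n", ok);
  return 0;
}
```

The point of the generation counter rather than a liveness scan is the one comment 4 makes: after a wholesale teardown the allocator is free to hand the same memory back for a different frame, so "is this address a live frame?" can answer yes for the wrong frame, while a reference tied to the tree's generation cannot.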
Comment 5 (Assignee) • 10 years ago
It looks like GetBoxQuads might have the same problem, so I fixed it too.
Attachment #8421142: Attachment is obsolete: true
Attachment #8421189: Flags: review?(roc)
Updated (Assignee) • 10 years ago
Attachment #8421189: Flags: review?(roc) → review+
Comment 6 (Assignee) • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/437e6e7eba92
Blocks: 917755
Flags: in-testsuite?
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/437e6e7eba92
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox32: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 10 years ago
status-firefox-esr24: --- → wontfix
Updated • 10 years ago
status-b2g-v1.4: --- → unaffected
status-firefox31: --- → wontfix
Comment 8 • 10 years ago
Confirmed crash in Fx32 2014-04-29. Verified fixed in Fx32 2014-08-22.
Status: RESOLVED → VERIFIED
Updated • 10 years ago
status-firefox-esr31: --- → wontfix
Whiteboard: [adv-main32-]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release

Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e65f1cfed8f1 crashtest.
Updated (Assignee) • 8 years ago
Flags: in-testsuite? → in-testsuite+
Comment 10 (bugherder) • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/e65f1cfed8f1