Bug 457375 (closed): "ASSERTION: comparing iterators over different lists" with -moz-column, null character, height
Opened 16 years ago; closed 16 years ago.

Product / Component: Core :: Layout
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla1.9.1b2
Reporter: jruderman
Assignee: MatsPalmgren_bugz
Keywords: 5 keywords
Whiteboard: [sg:critical?]
Attachments: 4 files

Loading the testcase in a trunk debug build triggers:

###!!! ASSERTION: comparing iterators over different lists: 'mListLink == aOther.mListLink', file /Users/jruderman/central/layout/base/../generic/nsLineBox.h, line 690
###!!! ABORT: running past end: 'mCurrent != mListLink', file /Users/jruderman/central/layout/base/../generic/nsLineBox.h, line 611

The abort usually indicates heap corruption. This testcase makes nightlies hang rather than crash, but I'm filing as security-sensitive to be on the safe side. Gary Kwong did the hard part of finding a reproducible testcase triggering the bug. I just did the easy part of reducing it ;)
Flags: blocking1.9.1?
Attached file: Trace + frame dump (deleted)
Attached patch: Patch rev. 1 (deleted)
When switching from the overflow lines to normal lines we must reset 'mInOverflowLines' or we'll compare 'mLine' to the wrong list on the next call. See the printf's at the top and the frame dump in the previous attachment for details.
Assignee: nobody → mats.palmgren
Attachment #342020 - Flags: superreview?(roc)
Attachment #342020 - Flags: review?(roc)
OS: Mac OS X → All
Hardware: PC → All
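The mechanism Mats describes above, modeled as an added example written for this page. It is not Gecko's nsBlockFrame or nsLineBox code; the types LineList, LineIter, Block and LineWalker, the functions Walk and SampleBlocks, and the input data are all assumptions that mimic the shape of what the report names (an iterator that remembers its list in mListLink, and a walker whose mInOverflowLines pointer selects which list's end() the current line is compared against). Walk(..., false) reproduces the stale-pointer behaviour; Walk(..., true) applies the reset from the patch.

```cpp
// Added example (not Gecko code): a model of an in-flow line walker that keeps
// an "in overflow lines" pointer, showing why forgetting to reset it makes the
// walker compare its current line against the end of a *different* list.
#include <cstddef>
#include <vector>

struct LineList {
    std::vector<int> lines;              // line ids held by this list
};

// Like the nsLineBox iterator: remembers its list (mListLink), which is what
// the "comparing iterators over different lists" check inspects.
struct LineIter {
    const LineList* mListLink;
    std::size_t mCurrent;
};

struct CompareResult { bool sameList; bool equal; };

// Model of the guarded comparison: report a list mismatch instead of aborting
// so the failure mode can be observed and asserted on.
static CompareResult Compare(const LineIter& a, const LineIter& b) {
    if (a.mListLink != b.mListLink) return {false, false};
    return {true, a.mCurrent == b.mCurrent};
}

struct Block {                           // one in-flow block frame (assumed shape)
    LineList normal;
    LineList overflow;
    bool hasOverflow;
};

struct LineWalker {
    const std::vector<Block>* mBlocks;
    std::size_t mFrameIdx;
    const LineList* mInOverflowLines;    // non-null while walking overflow lines
    LineIter mLine;
    bool mixedListCompare;               // set when End() came from another list
    bool applyFix;

    LineWalker(const std::vector<Block>& blocks, bool fix)
        : mBlocks(&blocks), mFrameIdx(0), mInOverflowLines(nullptr),
          mLine{&blocks[0].normal, 0}, mixedListCompare(false), applyFix(fix) {}

    // End iterator of whichever list we *believe* mLine is in.
    LineIter End() const {
        const LineList* l = mInOverflowLines ? mInOverflowLines
                                             : &(*mBlocks)[mFrameIdx].normal;
        return {l, l->lines.size()};
    }

    bool AtEnd() {
        CompareResult r = Compare(mLine, End());
        if (!r.sameList) { mixedListCompare = true; return true; }
        return r.equal;
    }

    // Advance to the next line; false once none are left (or on a mismatch).
    bool Next() {
        ++mLine.mCurrent;
        while (AtEnd()) {
            if (mixedListCompare) return false;
            const Block& b = (*mBlocks)[mFrameIdx];
            bool currentlyInOverflowLines = mInOverflowLines != nullptr;
            if (currentlyInOverflowLines) {
                // Overflow lines exhausted: move to the next frame's normal lines.
                if (mFrameIdx + 1 >= mBlocks->size()) return false;
                ++mFrameIdx;
                if (applyFix) mInOverflowLines = nullptr;   // the reset the patch adds
                mLine = {&(*mBlocks)[mFrameIdx].normal, 0};
            } else if (b.hasOverflow) {
                mInOverflowLines = &b.overflow;             // step into overflow lines
                mLine = {&b.overflow, 0};
            } else {
                if (mFrameIdx + 1 >= mBlocks->size()) return false;
                ++mFrameIdx;
                mLine = {&(*mBlocks)[mFrameIdx].normal, 0};
            }
        }
        return true;
    }
};

struct WalkResult { int visited; bool mixedListCompare; };

// Walk every line; assumes blocks[0] has at least one normal line.
static WalkResult Walk(const std::vector<Block>& blocks, bool applyFix) {
    LineWalker w(blocks, applyFix);
    WalkResult r{0, false};
    do { ++r.visited; } while (w.Next());
    r.mixedListCompare = w.mixedListCompare;
    return r;
}

// Constructed input: frame A has two normal and two overflow lines, frame B
// has one normal line, so a correct walk visits five lines.
static std::vector<Block> SampleBlocks() {
    std::vector<Block> v(2);
    v[0].normal.lines = {1, 2};
    v[0].overflow.lines = {3, 4};
    v[0].hasOverflow = true;
    v[1].normal.lines = {5};
    v[1].hasOverflow = false;
    return v;
}
```

Without the reset, the walker's mLine points into frame B's normal list while End() is still computed from frame A's overflow list, which is exactly the cross-list comparison the debug assertion catches; in a build without the check, the index comparison against a foreign list's end is meaningless and the walk can run past the end of the list it is really in.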
Attachment #342020 - Flags: superreview?(roc)
Attachment #342020 - Flags: superreview+
Attachment #342020 - Flags: review?(roc)
Attachment #342020 - Flags: review+
Comment on attachment 342020 (Patch rev. 1): r+sr if you move it into "if (currentlyInOverflowLines) {"
That's not necessary for correctness though, do you think it's faster? If so, why?
It's cleaner there. If we're currentlyInOverflowLines, then we toggle mInOverflowLines to null; otherwise the other branch of the 'if' toggles it to something non-null.
Ok, I'll fix that.
Whiteboard: [sg:critical?]
Attached patch: crashtest.diff (deleted)
http://hg.mozilla.org/mozilla-central/rev/f6ed4aa2071c Holding the crashtest until 1.9.0.x is released with the fix. -> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: wanted1.9.0.x?
Flags: in-testsuite?
Resolution: --- → FIXED
(In reply to comment #8)
> http://hg.mozilla.org/mozilla-central/rev/f6ed4aa2071c

FWIW, the URL for the fixed (landed) version of the patch, addressing the change suggested in comment 3 & comment 5, is: http://hg.mozilla.org/mozilla-central/raw-diff/f6ed4aa2071c/layout/generic/nsBlockFrame.cpp
Target Milestone: --- → mozilla1.9.1b2
Attachment #342020 - Flags: approval1.9.0.4?
Comment on attachment 342020 (Patch rev. 1): Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #342020 - Flags: approval1.9.0.4? → approval1.9.0.4+
Landed on CVS trunk for 1.9.0.4: mozilla/layout/generic/nsBlockFrame.cpp 3.958
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Keywords: fixed1.9.0.4
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED
Group: core-security
Flags: in-testsuite? → in-testsuite+