Bugzilla@Mozilla – Bug 457375
"ASSERTION: comparing iterators over different lists" with -moz-column, null character, height
Last modified: 2008-11-29 19:14:55 PST
Created attachment 340690 [details] testcase (hangs/crashes Firefox when loaded)

Loading the testcase in a trunk debug build triggers:

###!!! ASSERTION: comparing iterators over different lists: 'mListLink == aOther.mListLink', file /Users/jruderman/central/layout/base/../generic/nsLineBox.h, line 690
###!!! ABORT: running past end: 'mCurrent != mListLink', file /Users/jruderman/central/layout/base/../generic/nsLineBox.h, line 611

The abort usually indicates heap corruption. This testcase makes nightlies hang rather than crash, but I'm filing as security-sensitive to be on the safe side. Gary Kwong did the hard part of finding a reproducible testcase triggering the bug. I just did the easy part of reducing it ;)
Created attachment 342018 [details] Trace + frame dump
Created attachment 342020 [details] [review] Patch rev. 1

When switching from the overflow lines to normal lines we must reset 'mInOverflowLines' or we'll compare 'mLine' to the wrong list on the next call. See the printf's at the top and frame dump in the previous attachment for details.
Comment on attachment 342020 [details] [review] Patch rev. 1 r+sr if you move it into "if (currentlyInOverflowLines) {"
That's not necessary for correctness though, do you think it's faster? If so, why?
It's cleaner there. If we're currentlyInOverflowLines, then we toggle mInOverflowLines to null; otherwise the other branch of the 'if' toggles it to something non-null.
Ok, I'll fix that.
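A simplified model of the defect discussed in the comments above, added here as an illustration and not Gecko's own nsLineBox/nsBlockFrame code (the member names are borrowed, the classes are hypothetical): a cursor walks backwards from the overflow lines into the normal lines, and when 'mInOverflowLines' is not reset at the switch, the next end-of-list comparison mixes iterators from two different lists, which is exactly what the assertion in this bug catches.

```cpp
#include <iterator>
#include <list>
#include <stdexcept>
#include <string>
typedef std::list<std::string> LineList;
// Iterator that remembers its owning list, so comparing iterators from two lists is caught.
struct LineIter {
  LineList* list;
  LineList::iterator it;
  bool operator==(const LineIter& o) const {
    if (list != o.list) throw std::logic_error("comparing iterators over different lists");
    return it == o.it;
  }
};
// Cursor over a block's normal lines and its overflow lines (hypothetical model).
struct LineCursor {
  LineList* mNormal; LineList* mOverflow;
  LineList* mInOverflowLines;  // non-null while mLine points into mOverflow
  LineIter mLine;
  bool mPatched;  // true: reset mInOverflowLines when leaving the overflow lines
  LineCursor(LineList* n, LineList* o, bool patched)
    : mNormal(n), mOverflow(o), mInOverflowLines(o), mLine{o, o->begin()}, mPatched(patched) {}
  LineList* CurrentList() const { return mInOverflowLines ? mInOverflowLines : mNormal; }
  bool AtEnd() const { return mLine == LineIter{CurrentList(), CurrentList()->end()}; }
  const std::string& Current() const { return *mLine.it; }
  // Step back one line; returns false when already at the first normal line.
  bool Prev() {
    bool currentlyInOverflowLines = mInOverflowLines != nullptr;
    if (currentlyInOverflowLines && mLine.it == mOverflow->begin()) {
      if (mNormal->empty()) return false;
      if (mPatched) mInOverflowLines = nullptr;  // the fix: mLine now lives in mNormal
      mLine = LineIter{mNormal, std::prev(mNormal->end())};
      return true;
    }
    if (mLine.it == CurrentList()->begin()) return false;
    --mLine.it;
    return true;
  }
};
// Walk from the first overflow line back through the normal lines; returns the
// lines visited, or "ASSERTION" when the cross-list comparison check fires.
std::string WalkBack(bool patched) {
  LineList normal = {"n1", "n2"}, overflow = {"o1"};  // constructed sample lines
  LineCursor c(&normal, &overflow, patched);
  std::string out;
  try {
    while (!c.AtEnd()) { out += c.Current() + " "; if (!c.Prev()) break; }
  } catch (const std::logic_error&) { return "ASSERTION"; }
  return out;
}
```

WalkBack(false) reproduces the stale-flag behaviour and trips the check; WalkBack(true) visits "o1 n2 n1" cleanly.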
Created attachment 342746 [details] [review] crashtest.diff
http://hg.mozilla.org/mozilla-central/rev/f6ed4aa2071c Holding the crashtest until 1.9.0.x is released with the fix. -> FIXED
(In reply to comment #8)
> http://hg.mozilla.org/mozilla-central/rev/f6ed4aa2071c

FWIW, the URL for the fixed (landed) version of the patch, addressing the change suggested in comment 3 & comment 5, is: http://hg.mozilla.org/mozilla-central/raw-diff/f6ed4aa2071c/layout/generic/nsBlockFrame.cpp
Comment on attachment 342020 [details] [review] Patch rev. 1 Approved for 1.9.0.4, a=dveditz for release-drivers
Landed on CVS trunk for 1.9.0.4: mozilla/layout/generic/nsBlockFrame.cpp 3.958
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.