Closed Bug 334105 Opened 19 years ago Closed 19 years ago

[FIX]ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append)

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(4 keywords)

Attachments

(2 files)

testcase
654 bytes, application/xhtml+xml
Details
Fix
3.20 KB, patch
dbaron
: review+
dbaron
: superreview+
dbaron
: approval-branch-1.8.1+
Details | Diff | Splinter Review
###!!! ASSERTION: Bogus: '!mHead', file mozilla/layout/generic/nsLineBox.cpp, line 916 Marking security-sensitive for now because when I asked dbaron about this assertion failure, he said it "may be a sign of existing memory corruption".
Attached file testcase
Attached patch FixSplinter Review
We probably want this on the 1.8.1 branch, since we can leak the float cache entries off the free list without it...
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #218617 - Flags: superreview?(dbaron)
Attachment #218617 - Flags: review?(dbaron)
Attachment #218617 - Flags: approval-branch-1.8.1?(dbaron)
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Summary: ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append) → [FIX]ASSERTION: Bogus: '!mHead' (nsLineBox.cpp#916 - nsFloatCacheFreeList::Append)
Target Milestone: --- → mozilla1.9alpha
Keywords: mlk
Comment on attachment 218617 [details] [diff] [review] Fix That's what we get for using wacky representations of circularly linked lists, I suppose.
Attachment #218617 - Flags: superreview?(dbaron)
Attachment #218617 - Flags: superreview+
Attachment #218617 - Flags: review?(dbaron)
Attachment #218617 - Flags: review+
Attachment #218617 - Flags: approval-branch-1.8.1?(dbaron)
Attachment #218617 - Flags: approval-branch-1.8.1+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 218617 [details] [diff] [review] Fix If this is really a potential security problem should this be nominated for 1.8.0.3 as well?
I think this is just a leak, not a security problem... At least as far as I can see. There's no memory corruption, just a bad algorithm for messing with the linked list that manages to lose parts of the list.
Thanks, bz. Making public.
Group: security
Crashtest checked in.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: