Closed Bug 284001 Opened 19 years ago Closed 19 years ago

Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;}

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: rbs)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

Testcase
464 bytes, application/xhtml+xml
Details
patch
1.90 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
See testcase. Hovering over the text in there causes a crash in current trunk
Mozilla builds.

Talkback ID: 3987420

nsMathMLContainerFrame::GetType 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp,
line 1156]
nsCSSFrameConstructor::FindNextSibling 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 8206]
nsCSSFrameConstructor::ContentInserted 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9039]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11553]
nsCSSFrameConstructor::RestyleElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10143]
nsCSSFrameConstructor::ProcessOneRestyle 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13501]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13543]
nsCSSFrameConstructor::RestyleEvent::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13595]
SHELL32.dll + 0x520c24 (0x778b0c24)
Attached file Testcase 

    
    

    
  
Crashes also with Mozilla1.4 and 1.7, so no (recent) regression.
Severity: normal → critical
Summary: Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;} → Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;}

    
    

    
  
So.. what happens here is that this->mEmbellishData.coreFrame is pointing to
0xdddddddd memory.  Not sure why that's happening...
OS: Windows XP → All
Hardware: PC → All

    
    

    
  
display:block is the evil bit.

With the markup of the testcase:

<math xmlns="http://www.w3.org/1998/Math/MathML">
<munder>
  <mo>Hovering over this should not cause a crash</mo>
  <mrow><mi></mi></mrow>
</munder>
</math>

The |this| container is <munder> and its coreFrame is <mo>. Things seem to go
out of sync when :hover changes <mo> to a block, and frames get destroyed/recreated.

What is interesting is that changing to inline doesn't cause any problem (maybe
because the coreFrame is not taken out of the child list since it is inline).

    
    

    
  
Isn't it display:inline by default?

    
    

    
  
That's right. But the evil testcase is doing:

mo:hover{display:block;}


    
    

    
  
Sure.  But you said:

> What is interesting is that changing to inline doesn't cause any problem

The point is, there is no change involved there... it's already inline, right?

    
    

    
  
Yes, you are right, nothing happens, mo:hover{display:inline;} doesn't trigger
any re-resolve because there is no style change.

Nor is there any trouble with mo:{display:block;} if set initially in the CSS.
But then adding mo:hover{display:inline;} triggers a similar crash.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
MathML has a little helper |nsMathMLContainerFrame::ChildListChanged| that is
called at the tail-end of its overloaded |AppendFrames|, |InsertFrames|, etc.
It is meant to cater for situations such as in this crash -- where a change of
children invalidates certain pointers. 

The old code was just doing a |ReLayoutChildren(this)|. The patch changes
changes the |this| to a more suitable ancestor.

    
  

        Attachment #177340 -
        Flags: superreview?(bzbarsky)

        Attachment #177340 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 177340 [details] [diff] [review]
patch

r+sr=bzbarsky.	Seems reasonable..

        Attachment #177340 -
        Flags: superreview?(bzbarsky)

        Attachment #177340 -
        Flags: superreview+

        Attachment #177340 -
        Flags: review?(bzbarsky)

        Attachment #177340 -
        Flags: review+

    
    

    
  
Checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsMathMLContainerFrame::GetType]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: