Closed Bug 474377 Opened 16 years ago Closed 9 years ago

"ASSERTION: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase (triggers a fatal assertion when loaded)
251 bytes, application/xhtml+xml
Details
Frame dump
14.61 KB, text/html
Details
wip
2.91 KB, patch
Details | Diff | Splinter Review 
Loading this testcase triggers a fatal assertion that was added in bug 473871:

###!!! ABORT: must be in the same rule tree as parent: 'r1 == r2', file /Users/jruderman/central/layout/style/nsStyleContext.cpp, line 89

Initially security-sensitive because in bug 473871, dbaron said something about crashes due to dangling pointers.
Whiteboard: [sg:investigate]
The testcase seems somewhat familiar, but I can't find anything.  (I looked at bug 454276, bug 469432, bug 454736.)

This does seem pretty bad, though.
Attached file Frame dump 
The blue frame (0x177b100) is going to be re-framed so we skip processing
its children, and continue with it's next sibling 0x177a8e8 (yellow),
which contains 0x177abe8 (red) which is a special sibling to the child
we skipped (green) which is the style context provider for (red).
Attached patch wipSplinter Review 
OS: Mac OS X → All
Hardware: x86 → All

    
    

    
  
I'm wondering if we should just remove the optimization of skipping things that are going to be reframed.  It's also potentially problematic when reframing fails.

    
    

    
  
The only case I can think of where that could cause performance problems is toggling display:none on something high in the tree.

    
    

    
  
Or just something with lots of kids (e.g. a big table)?

    
    

    
  
Yeah, toggling display:none on something with large numbers of descendants.

    
    

    
  
That might not be that uncommon, esp. in code that tries to optimize things by toggling display, doing DOM manipulation, then toggling back...

    
    

    
  
Bug 475128 downgraded this abort to an assertion.  The testcase in this bug still triggers it.
Flags: wanted1.9.0.x+

    
    

    
  
Still happens on trunk.  This bug has been in [sg:investigate] for quite a while :(
blocking2.0: --- → ?

    
    

    
  
Post-bug 475128, I think this no longer involves dangling pointers.

    
    

    
  
Is it safe to make this bug public, thne?

    
  
Severity: critical → normal
Summary: "ABORT: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after → "ASSERTION: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after
Group: core-security
Whiteboard: [sg:investigate]

    
    

    
  
I may have a STR for this but not sure it's consistent.  Will report.

    
    

    
  
Testcase works without issue now.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: