Closed Bug 1314531 Opened 3 years ago Closed 3 years ago

Assertion failure: aType < Type::Count, at layout/style/nsCSSPseudoElements.h:121

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox49 --- ?
firefox50 --- ?
firefox51 --- ?
firefox52 --- fixed

People

(Reporter: cpeterson, Assigned: xidorn)

References

(Blocks 1 open bug)

Details

(Keywords: assertion)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete) —
idorn, running Jesse's CSS fuzzer from bug 476744 in a debug build, I hit the following assertion failure you added in bug 1269976.

I have only tested debug builds of Nightly 52, but bug 1269976 landed in Firefox 49, so 49-51 may also be affected.

See the attached minimal test case.

Assertion failure: aType < Type::Count, at /Users/chris/Code/mozilla/inbound/layout/style/nsCSSPseudoElements.h:121
#01: (anonymous namespace)::CSSParserImpl::ParseSelectorGroup(nsCSSSelectorList*&)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2ff0759]
#02: (anonymous namespace)::CSSParserImpl::ParseSelectorList(nsCSSSelectorList*&, char16_t)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2ff023b]
#03: (anonymous namespace)::CSSParserImpl::ParseRuleSet(void (*)(mozilla::css::Rule*, void*), void*, bool)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2fb7483]
#04: nsCSSParser::ParseSheet(nsAString_internal const&, nsIURI*, nsIURI*, nsIPrincipal*, unsigned int, mozilla::css::LoaderReusableStyleSheets*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2f6bc95]
#05: mozilla::css::Loader::ParseSheet(nsAString_internal const&, mozilla::css::SheetLoadData*, bool&)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2f3569d]
#06: mozilla::css::Loader::LoadInlineStyle(nsIContent*, nsAString_internal const&, unsigned int, nsAString_internal const&, nsAString_internal const&, mozilla::dom::Element*, nsICSSLoaderObserver*, bool*, bool*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2f38317]
#07: nsStyleLinkElement::DoUpdateStyleSheet(nsIDocument*, mozilla::dom::ShadowRoot*, nsICSSLoaderObserver*, bool*, bool*, bool)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x14534f3]
#08: nsStyleLinkElement::UpdateStyleSheet(nsICSSLoaderObserver*, bool*, bool*, bool)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1452d5c]
#09: nsHtml5DocumentBuilder::UpdateStyleSheet(nsIContent*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xdd111c]
#10: nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xe1fb64]
#11: nsHtml5TreeOpExecutor::RunFlushLoop()[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xe189a2]
#12: nsHtml5ExecutorFlusher::Run()[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xe1af71]
#13: nsThread::ProcessNextEvent(bool, bool*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0xf7217]
#14: NS_ProcessNextEvent(nsIThread*, bool)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x134483]
#15: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x64c543]
#16: MessageLoop::Run()[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x610a7c]
#17: XRE_RunAppShell[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3a70d58]
#18: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x64ce07]
#19: MessageLoop::Run()[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x610a7c]
#20: XRE_InitChildProcess[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3a706d4]
#21: content_process_main(int, char**)[/Users/chris/Code/mozilla/inbound/obj-x86_64-apple-darwin16.1.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container +0x1ad4]
Flags: needinfo?(xidorn+moz)
I cannot reproduce this assertion with reasonably new local nightly builds on Windows and Mac. (The Windows build is based on m-c of Oct 30, and the Mac build is based on Oct 25.)

Could you confirm that the testcase is correct? Probably there is some other condition to trigger that assertion?
Flags: needinfo?(xidorn+moz)
Attached file testcase-v2.html
Sorry. Try this test case instead.
Attachment #8806610 - Attachment is obsolete: true
Flags: needinfo?(xidorn+moz)
This isn't really an assertion I added. It preexists bug 1269976, but was a non-fatal assertion at that time. I convert it to a fatal assertion with the small refactor.
But anyway, this single issue is not hard to fix. But I'm a bit worried about the "XULTree" item in CSSPseudoElementType which may lead to similiar issues in other places.
Flags: needinfo?(xidorn+moz)
Comment on attachment 8806961 [details]
Bug 1314531 - Disallow xul tree pseudo-elements with user action pseudo-classes.

https://reviewboard.mozilla.org/r/90200/#review89968

Yeah, we could move XULTree up in CSSPeudoElementType so it's within Count but I'm not sure what the consequences of this would be.  There are plenty of explicit checks that CSSPseudoElementType values are < Count, so probably we have a similar problem with AnonBox anyway.
Attachment #8806961 - Flags: review?(cam) → review+
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c7a9f3fd2ca6
Disallow xul tree pseudo-elements with user action pseudo-classes. r=heycam
Assignee: nobody → xidorn+moz
https://hg.mozilla.org/mozilla-central/rev/c7a9f3fd2ca6
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.