1517299 - Assertion failure: IsInUncomposedDoc() || IsInShadowTree() (This will end badly!), at /builds/worker/workspace/build/src/dom/base/nsIContentInlines.h:29

Status: RESOLVED DUPLICATE of bug 1520722

(Core :: Layout: Columns, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 5826b2352ac0.

Assertion failure: IsInUncomposedDoc() || IsInShadowTree() (This will end badly!), at /builds/worker/workspace/build/src/dom/base/nsIContentInlines.h:29

Unfortunately we still don't have symbolized debug builds so no stacktrace is available.

Comment 1

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Edgar, looks at your wheelhouse. Do you want to take a look?

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

The assertion hints about some issue in frame constructions.

FWIW, I haven't managed to reproduce the issue, either with debug build or opt build + release assert.
Jason, what kind of build is needed to trigger the issue?

Comment 3

[Emilio Cobos Álvarez (:emilio)]

It's column-span related, you need the column-span pref, which is off by default. If you see test-cases from fuzzing with column-span: all, send them my (or Ting-Yu's) way.

Comment 4

[Ting-Yu Lin [:TYLin] (UTC-8)]

Attachment: callstack

I can reproduce a crash in debug Firefox (see attached callstack) by loading the test case, and then single click by mouse on the page.

Before it crashes, I see assertions like

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()

Comment 5

[Ting-Yu Lin [:TYLin] (UTC-8)]

This will be fixed by bug 1520722. The test there should be sufficient.