Closed Bug 1517299 Opened 1 year ago Closed 1 year ago

Assertion failure: IsInUncomposedDoc() || IsInShadowTree() (This will end badly!), at /builds/worker/workspace/build/src/dom/base/nsIContentInlines.h:29

Categories

(Core :: Layout: Columns, defect, P3)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1520722

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 5826b2352ac0.

Assertion failure: IsInUncomposedDoc() || IsInShadowTree() (This will end badly!), at /builds/worker/workspace/build/src/dom/base/nsIContentInlines.h:29

Unfortunately we still don't have symbolized debug builds so no stacktrace is available.
Flags: in-testsuite?
Edgar, looks at your wheelhouse. Do you want to take a look?
Flags: needinfo?(echen)
The assertion hints about some issue in frame constructions.

FWIW, I haven't managed to reproduce the issue, either with debug build or opt build + release assert.
Jason, what kind of build is needed to trigger the issue?
Flags: needinfo?(jkratzer)
Component: DOM → Layout
It's column-span related, you need the column-span pref, which is off by default. If you see test-cases from fuzzing with column-span: all, send them my (or Ting-Yu's) way.
Component: Layout → Layout: Columns
Flags: needinfo?(jkratzer)
Flags: needinfo?(echen)
Priority: -- → P3
Flags: needinfo?(aethanyc)
Attached file callstack

I can reproduce a crash in debug Firefox (see attached callstack) by loading the test case, and then single click by mouse on the page.

Before it crashes, I see assertions like

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()

This will be fixed by bug 1520722. The test there should be sufficient.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(aethanyc)
Resolution: --- → FIXED
Flags: in-testsuite?
Resolution: FIXED → DUPLICATE
Duplicate of bug: 1520722
You need to log in before you can comment on or make changes to this bug.