Closed Bug 1834717 Opened 2 years ago Closed 2 years ago

Firefox crashes on :nth-child():before() selector combination

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Version:
Firefox 113
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- wontfix
firefox114 --- verified
firefox115 --- verified

People

(Reporter: schellmax01, Assigned: emilio)

References

(Regression)

Details

(Keywords: regression)

Crash Data

Attachments

(3 files)

Reporters_Standalone_Testcase.html
384 bytes, text/html
Details
Bug 1834717 - Properly increase the nesting level when matching :nth-child(of) selectors. r=zrhoffman,#style,#layout
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
Bug 1834717 - More gracefully deal with broken calls into selector matching. r=zrhoffman,#style
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

using the following css selector:

div:nth-child(odd of .b):before{content:'x'}

for an online demonstration, see https://codepen.io/schellmax01/pen/RwevJqv

Actual results:

firefox crashes

Expected results:

firefox should not crash :)

The Bugbug bot thinks this bug should belong to the 'Core::CSS Parsing and Computation' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Crash Signature: [@ selectors::parser::SelectorIter<T>::next_sequence ]
Ever confirmed: true
Flags: needinfo?(emilio)
Keywords: regression
Regressed by: 1819711

With layout.css.nth-child-of.enabled= True,

Bug 1808228 - Implement selector matching for :nth-child(An+B of selector list) and :nth-last-child(An+B of selector list) r=emilio

Since we have been using a single hash map to cache all :nth-child
indices (with no selector list), each different selector will need its
own cache.

As a side note, this patch does not address invalidation.

Differential Revision: https://phabricator.services.mozilla.com/D166266

Blocks: 1819711
Regressed by: 1808228
No longer regressed by: 1819711

Set release status flags based on info from the regressing bug 1808228

status-firefox113: --- → affected
status-firefox114: --- → affected
status-firefox115: --- → affected
status-firefox-esr102: --- → unaffected
Assignee: nobody → emilio
Flags: needinfo?(emilio)

If this happens again, it might be worth not matching rather than
potentially crashing. Though I guess crashing is a very good way getting
it reported soon...

Comment on attachment 9335626 [details]
Bug 1834717 - Properly increase the nesting level when matching :nth-child(of) selectors. r=zrhoffman,#style,#layout

Beta/Release Uplift Approval Request

  • User impact if declined: Trivial crash fix.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: open test-case.
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial fix, kinda sad that we didn't have coverage for this case o.O
  • String changes made/needed: none
  • Is Android affected?: Yes
Attachment #9335626 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ee81e273e78b Properly increase the nesting level when matching :nth-child(of) selectors. r=dshin
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b46c07780ebc More gracefully deal with broken calls into selector matching. r=dshin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/40196 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/ee81e273e78b

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox115: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Upstream PR merged by moz-wptsync-bot
QA Whiteboard: [qa-triaged]

Emilio, two patches landed on mozilla-central but you only requested uplift to one of them, is that intended? Thanks

Flags: needinfo?(emilio)

Yeah the second is basically a mitigation. The first is enough to fix the crash.

Flags: needinfo?(emilio)

Comment on attachment 9335626 [details]
Bug 1834717 - Properly increase the nesting level when matching :nth-child(of) selectors. r=zrhoffman,#style,#layout

Approved for 114 beta 9, thanks.

Attachment #9335626 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Verified as fixed on Windows 10 x64, macOS 11.6.

status-firefox115: fixedverified
status-firefox113: affectedwontfix
Flags: in-testsuite+

Verified as fixed on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04 x64.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
status-firefox114: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: