Closed
Bug 308999
Opened 19 years ago
Closed 19 years ago
[FIX]Crash when changing node.style.background (with non-empty node.style.content) from JavaScript [@ nsStyleDisplay::CalcDifference ]
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
DUPLICATE
of bug 308890
mozilla1.8beta5
People
(Reporter: mash, Assigned: bzbarsky)
Details
(Keywords: regression, testcase)
Attachments
(2 files, 1 obsolete file)
|
55 bytes,
text/html
|
Details | |
|
1.22 KB,
patch
|
dbaron
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1
<p style="content:url('fake.gif');background:url('fake.gif');"
onclick="this.style.background=this.style.background;">
crash
</p>
Crash when <p> clicked.
Reproducible: Always
Steps to Reproduce:
1. Set nodes content and background CSS properties.
2. Change background from JavaScript.
Actual Results:
Mozilla crashes.
Expected Results:
Mozilla should not crash but background change.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
Comment on attachment 196481 [details]
Crash testcase
<p>Save page on disk, open in Firefox and click on «crash»</p>
<p style="content:url('fake.gif');background:url('fake.gif');"
onclick="this.style.background=this.style.background;">crash</p>|
|
Reporter | |
Comment 3•19 years ago
|
||
I mean... Testcase works only when I open it from disk (not http://).
|
||
Comment 4•19 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050916 Firefox/1.4 ID:2005091619 crash ->New Incident ID: 9459474 Stack Signature nsStyleDisplay::CalcDifference 42161a59 Product ID Firefox15 Build ID 2005091606 Trigger Time 2005-09-17 18:49:52.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module firefox.exe + (00216eb1) URL visited User Comments bug 308999 Since Last Crash 96477 sec Total Uptime 96477 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsStyleStruct.cpp, line 1220 Stack Trace nsStyleDisplay::CalcDifference [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsStyleStruct.cpp, line 1220] nsStyleContent::~nsStyleContent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsStyleStruct.cpp, line 1368] nsStyleContext::CalcStyleDifference [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp, line 492] nsFrameManager::ReResolveStyleContext [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 1195] nsFrameManager::ReParentStyleContext [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 953] nsFrameManager::ReResolveStyleContext [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 1220] nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10230] nsCSSFrameConstructor::ProcessOneRestyle [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13633] nsCSSFrameConstructor::RestyleEnumerateData::`vector deleting destructor' nsCSSFrameConstructor::CreateInsertionPointChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13757] SETUPAPI.DLL + 0x30c24 (0x778b0c24)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Crash when changing node.style.background (with non-empty node.style.content) from JavaScript → Crash when changing node.style.background (with non-empty node.style.content) from JavaScript [@ nsStyleDisplay::CalcDifference ]
|
||
Comment 6•19 years ago
|
||
This regressed between 2004-07-11 and 2004-07-18
Severity: normal → critical
Component: General → Layout
Flags: blocking1.8b5?
Keywords: regression,
testcase
Product: Firefox → Core
QA Contact: general → layout
Version: unspecified → Trunk
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → bzbarsky
Component: Layout → Style System (CSS)
OS: Windows Server 2003 → All
Priority: -- → P3
Hardware: PC → All
Summary: Crash when changing node.style.background (with non-empty node.style.content) from JavaScript [@ nsStyleDisplay::CalcDifference ] → [FIX]Crash when changing node.style.background (with non-empty node.style.content) from JavaScript [@ nsStyleDisplay::CalcDifference ]
Target Milestone: --- → mozilla1.8beta5
|
|
Assignee | |
Comment 8•19 years ago
|
||
Attachment #196652 -
Flags: superreview?(dbaron)
Attachment #196652 -
Flags: review?(dbaron)
I think I prefer biesi's patch, slightly. *** This bug has been marked as a duplicate of 308890 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment on attachment 196652 [details] [diff] [review] mContent.mImage can be null... ...though this works as well.
Attachment #196652 -
Flags: superreview?(dbaron)
Attachment #196652 -
Flags: superreview+
Attachment #196652 -
Flags: review?(dbaron)
Attachment #196652 -
Flags: review+
|
||
Updated•19 years ago
|
Flags: blocking1.8b5? → blocking1.8b5+
|
||
Updated•19 years ago
|
Flags: blocking1.8b5+
You need to log in
before you can comment on or make changes to this bug.
Description
•