Closed Bug 322656 Opened 19 years ago Closed 19 years ago

Crash [@ nsCachedStyleData::GetStyleData] with evil MathML testcase, involving mrow:hover {display: -moz-box;}

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: rbs)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files)

testcase
516 bytes, application/xhtml+xml
Details
backtrace from debug build
11.24 KB, text/plain
Details
fix
1.60 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
testcase that doesn't involve a XUL display style
625 bytes, application/xhtml+xml
Details 
See upcoming testcase, it crashes Mozilla when hovering over the text.
Attached file testcase 

    
    

    
  


  

    
    

    
  
Also crashes Mozilla1.7, so no recent regression.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  

        Attachment #207820 -
        Flags: superreview?(bzbarsky)

        Attachment #207820 -
        Flags: review?(bzbarsky)

    
    

    
  
this is now wfm with the patch for bug 322185

    
    

    
  
rbs, is the patch in this bug still desirable?

    
    

    
  


  
The patch is still worthwhile. The bug has exposed that some internal pointers are outdated when child frames of <maction> are changed dynamically. Here is another testcase that illustrates the problem without the XUL display style.

    
  

        Attachment #207867 -
        Attachment mime type: application/xhtml+xm → application/xhtml+xml

    
  
Summary: Crash [@  nsCachedStyleData::GetStyleData] with evil MathML testcase, involving mrow:hover {display: -moz-box;} → Crash [@ nsCachedStyleData::GetStyleData] with evil MathML testcase, involving mrow:hover {display: -moz-box;}

    
    

    
  
Comment on attachment 207820 [details] [diff] [review]
fix

r+sr=bzbarsky

        Attachment #207820 -
        Flags: superreview?(bzbarsky)

        Attachment #207820 -
        Flags: superreview+

        Attachment #207820 -
        Flags: review?(bzbarsky)

        Attachment #207820 -
        Flags: review+

    
    

    
  
Checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Verified fixed, using latest nighlty trunk build.
Status: RESOLVED → VERIFIED

    
    

    
  
Is this needed on branches?

    
    

    
  
(In reply to comment #11)
> Is this needed on branches?

No, it doesn't crash with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061002 Firefox/2.0
So I guess it's not needed on branch.

Crash Signature: [@ nsCachedStyleData::GetStyleData]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: