Closed Bug 343608 Opened 18 years ago Closed 18 years ago

Crash [@ nsCachedStyleData::GetStyleData] using quotes and generated content

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 343206

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

testcase (crashes on load)
371 bytes, application/vnd.mozilla.xul+xml
Details
Backtrace from debug build
10.37 KB, text/plain
Details 
See upcoming testcase, which crashes current trunk Mozilla builds.
It doesn't crash current Firefox2 build (1.8.1 branch), so this seems to be a regression.
A regression range might be useful here.

The testcase consists of this:
<q xmlns="http://www.w3.org/1999/xhtml">
<script xmlns="http://www.w3.org/1999/xhtml">
function addstyles(){
var x=document.createElementNS('http://www.w3.org/1999/xhtml','style');
x.innerHTML='\
*::before { content:"This page should not crash Mozilla"; float:right;}\
';
document.documentElement.appendChild(x);
}
setTimeout(addstyles,200);
</script>
</q>

Somehow the float:right rule is necessary for the crash, although it doesn't even work for generated content, currently.

    
    

    
  


  
In a debug build, I get an assertion first (stack attached):
###!!! ASSERTION: Must have parent context for generated content: '!generatedCon
tent || parentContext', file c:/mozilla/mozilla/layout/style/nsRuleNode.cpp, lin
e 2628

Then the crash:
#0  0x061cfed4 in nsCachedStyleData::GetStyleData (this=0x1c, aSID=@0x22f338)
    at c:/mozilla/mozilla/layout/style/nsRuleNode.h:215
#1  0x05d95100 in nsStyleContext::GetStyleData (this=0x0,
    aSID=eStyleStruct_Display)
    at c:/mozilla/mozilla/layout/style/nsStyleContext.cpp:221
#2  0x061b071f in nsStyleContext::GetStyleDisplay (this=0x0)
    at c:/mozilla/mozilla/layout/svg/base/src/../../../style/nsStyleStructList.h
:95
#3  0x05d8def5 in nsRuleNode::ComputeDisplayData (this=0xf307bc8,
    aStartStruct=0x10882f74, aData=@0x22f498, aContext=0x108b90d4,
    aHighestNode=0xf307bc8, aRuleDetail=@0x22f3fc, aInherited=0)
    at c:/mozilla/mozilla/layout/style/nsRuleNode.cpp:2630
#4  0x05d8a632 in nsRuleNode::WalkRuleTree (this=0xf307bc8,
    aSID=eStyleStruct_Display, aContext=0x108b90d4, aRuleData=0x22f448,
    aSpecificData=0x22f498)
    at c:/mozilla/mozilla/layout/style/nsStyleStructList.h:95
etc.

    
    

    
  
Crashed for the first time between 1.9a1_2006041419 and 1.9a1_2006041504


    
    

    
  
Ok, thanks Ria.
So with that regression range and the stacktrace I get, I would say this is somehow a regression from bug 332333.
Blocks: 332333

    
    

    
  
Martijn, I'm pretty sure this is a dupe of bug 343206.

    
    

    
  
Yeah, indeed a duplicate of that bug.

*** This bug has been marked as a duplicate of 343206 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE

    
  
Group: security
Group: security
Crash Signature: [@ nsCachedStyleData::GetStyleData]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: