Closed Bug 384728 Opened 18 years ago Closed 18 years ago

[FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(2 files)

testcase
511 bytes, image/svg+xml
Details
Indeed, this fixes it
1.03 KB, patch
tor
: review+
tor
: superreview+
Details | Diff | Splinter Review
Attached image testcase
###!!! ASSERTION: null check on startContent should be sufficient to null check nodeContent as well, since if nodeContent is for the root, startContent (which is before it) must be too: 'nodeContent || !startContent', file /Users/jruderman/trunk/mozilla/layout/base/nsCounterManager.cpp, line 145 ###!!! ASSERTION: The possible descendant is null!: 'aPossibleDescendant', file /Users/jruderman/trunk/mozilla/content/base/src/nsContentUtils.cpp, line 1144 Crash 0 nsINode::GetNodeParent 1 nsContentUtils::ContentIsDescendantOf 2 nsCounterList::SetScope ... The crash is similar to the crash in bug 383129. The combination of <svg:use> and counters causing trouble reminds me of bug 380101.
So in this case, startContent is nsSVGDefsElement and nodeContent is null. In this case, the nsSVGGElement which is aNode->mPseudoFrame->GetContent() has no parent. aNode->mPseudoFrame is an nsSVGGFrame* which DOES have a parent, which is a nsSVGUseFrame. Sounds like perhaps nsSVGUseFrame::Destroy should destroy self before destroying the anon content, to avoid violating layout invariants...
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #268725 - Flags: superreview?
Attachment #268725 - Flags: review?
Attachment #268725 - Flags: superreview?(tor)
Attachment #268725 - Flags: superreview?
Attachment #268725 - Flags: review?(tor)
Attachment #268725 - Flags: review?
Component: Style System (CSS) → SVG
QA Contact: style-system → general
Summary: Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use> → [FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>
Target Milestone: --- → mozilla1.9beta1
Attachment #268725 - Flags: superreview?(tor)
Attachment #268725 - Flags: superreview+
Attachment #268725 - Flags: review?(tor)
Attachment #268725 - Flags: review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsContentUtils::ContentIsDescendantOf]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: