Closed Bug 384728 Opened 17 years ago Closed 17 years ago

[FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(2 files)

testcase
511 bytes, image/svg+xml
Details
Indeed, this fixes it
1.03 KB, patch
tor
: review+
tor
: superreview+
Details | Diff | Splinter Review
Attached image testcase 
###!!! ASSERTION: null check on startContent should be sufficient to null check nodeContent as well, since if nodeContent is for the root, startContent (which is before it) must be too: 'nodeContent || !startContent', file /Users/jruderman/trunk/mozilla/layout/base/nsCounterManager.cpp, line 145

###!!! ASSERTION: The possible descendant is null!: 'aPossibleDescendant', file /Users/jruderman/trunk/mozilla/content/base/src/nsContentUtils.cpp, line 1144

Crash
0  nsINode::GetNodeParent
1  nsContentUtils::ContentIsDescendantOf
2  nsCounterList::SetScope
...

The crash is similar to the crash in bug 383129.  The combination of <svg:use> and counters causing trouble reminds me of bug 380101.
So in this case, startContent is nsSVGDefsElement and nodeContent is null.

In this case, the nsSVGGElement which is aNode->mPseudoFrame->GetContent() has no parent.  aNode->mPseudoFrame is an nsSVGGFrame* which DOES have a parent, which is a nsSVGUseFrame.

Sounds like perhaps nsSVGUseFrame::Destroy should destroy self before destroying the anon content, to avoid violating layout invariants...
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #268725 -
        Flags: superreview?

        Attachment #268725 -
        Flags: review?

    
  

        Attachment #268725 -
        Flags: superreview?(tor)

        Attachment #268725 -
        Flags: superreview?

        Attachment #268725 -
        Flags: review?(tor)

        Attachment #268725 -
        Flags: review?

    
  
Component: Style System (CSS) → SVG
QA Contact: style-system → general
Summary: Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use> → [FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>
Target Milestone: --- → mozilla1.9beta1

    
  

        Attachment #268725 -
        Flags: superreview?(tor)

        Attachment #268725 -
        Flags: superreview+

        Attachment #268725 -
        Flags: review?(tor)

        Attachment #268725 -
        Flags: review+

    
    

    
  
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
  
Flags: in-testsuite?

    
    

    
  
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsContentUtils::ContentIsDescendantOf]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: