[FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>

RESOLVED FIXED in mozilla1.9alpha8

Status

Product: Core
Component: SVG
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 10 years ago
Modified: 6 years ago

People

Reporter: Jesse Ruderman
Assigned: bz

Tracking

Blocks: 2 bugs
Version: Trunk
Target Milestone: mozilla1.9alpha8
Platform: x86, Mac OS X
Keywords: assertion, crash, testcase
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked

Attachments: 2

(Reporter)

Description

10 years ago
Created attachment 268637 [details]
testcase

###!!! ASSERTION: null check on startContent should be sufficient to null check nodeContent as well, since if nodeContent is for the root, startContent (which is before it) must be too: 'nodeContent || !startContent', file /Users/jruderman/trunk/mozilla/layout/base/nsCounterManager.cpp, line 145

###!!! ASSERTION: The possible descendant is null!: 'aPossibleDescendant', file /Users/jruderman/trunk/mozilla/content/base/src/nsContentUtils.cpp, line 1144

Crash
0  nsINode::GetNodeParent
1  nsContentUtils::ContentIsDescendantOf
2  nsCounterList::SetScope
...

The crash is similar to the crash in bug 383129.  The combination of <svg:use> and counters causing trouble reminds me of bug 380101.

So in this case, startContent is nsSVGDefsElement and nodeContent is null.

In this case, the nsSVGGElement which is aNode->mPseudoFrame->GetContent() has no parent.  aNode->mPseudoFrame is an nsSVGGFrame* which DOES have a parent, which is a nsSVGUseFrame.

Sounds like perhaps nsSVGUseFrame::Destroy should destroy self before destroying the anon content, to avoid violating layout invariants...
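
The teardown-ordering problem described in the comment above, as an added example (not the patch attached to this bug and not Gecko code). It is a simplified model: `Content`, `Frame`, `Registry` and `Teardown` are hypothetical names, and it assumes that layout bookkeeping can recalculate while teardown is still in progress.

```cpp
// Simplified model, not Gecko code: every type and function name here is hypothetical.
#include <algorithm>
#include <vector>

struct Content { Content* parent = nullptr; };
struct Frame { Content* content; };

// Stand-in for layout bookkeeping (such as a counter list) that holds frame
// pointers and walks each frame's content ancestry when it recalculates.
struct Registry {
    std::vector<Frame*> live;
    void Remove(Frame* f) {
        live.erase(std::remove(live.begin(), live.end(), f), live.end());
    }
    // Invariant: the content of every live frame is still attached under root.
    // Returns false instead of dereferencing a null parent.
    bool Recalc(const Content* root) const {
        for (const Frame* f : live) {
            const Content* c = f->content;
            while (c && c != root) c = c->parent;
            if (!c) return false;  // walked off a detached subtree
        }
        return true;
    }
};

enum class Order { ContentFirst, FrameFirst };

// Tear down a frame for anonymous content; returns whether every
// recalculation during teardown saw consistent state.
bool Teardown(Order order) {
    Content root, host, anon;
    host.parent = &root;
    anon.parent = &host;
    Frame anonFrame{&anon};
    Registry reg;
    reg.live.push_back(&anonFrame);
    bool ok = reg.Recalc(&root);
    if (order == Order::ContentFirst) {
        anon.parent = nullptr;         // content unbound while its frame is live
        ok = reg.Recalc(&root) && ok;  // bookkeeping still references anonFrame
        reg.Remove(&anonFrame);
    } else {
        reg.Remove(&anonFrame);        // frame leaves bookkeeping first
        anon.parent = nullptr;
        ok = reg.Recalc(&root) && ok;
    }
    return ok;
}

int main() { return Teardown(Order::FrameFirst) && !Teardown(Order::ContentFirst) ? 0 : 1; }
```
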

Created attachment 268725 [details] [diff] [review]
Indeed, this fixes it
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #268725 - Flags: superreview?(tor)
Attachment #268725 - Flags: review?(tor)
Component: Style System (CSS) → SVG
QA Contact: style-system → general
Summary: Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use> → [FIX]Crash [@ nsContentUtils::ContentIsDescendantOf] with CSS counters, <svg:use>
Target Milestone: --- → mozilla1.9beta1

Updated

10 years ago
Attachment #268725 - Flags: superreview?(tor) → superreview+
Attachment #268725 - Flags: review?(tor) → review+

Checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
(Reporter)

Comment 4

10 years ago
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsContentUtils::ContentIsDescendantOf]