Closed Bug 454736 Opened 12 years ago Closed 12 years ago

Crash [@ nsCachedStyleData::GetStylePadding] with XBL, MathML, XUL


(Core :: Layout, defect)
(Reporter: jruderman, Unassigned)


(Blocks 3 open bugs)


(Keywords: crash, helpwanted, testcase, Whiteboard: [sg:critical?])

(1 file)

Loading the testcase makes Firefox crash [@ nsCachedStyleData::GetStylePadding] dereferencing 0xddddddfd.

This bug is timing-dependent in an annoying way, so I'm having trouble making a testcase suitable for automated testing.

A related testcase (not attached) triggers this assertion before crashing:

###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 835
Flags: blocking1.9.1?
So... We have a frame pointing to a style context pointing to a destroyed rulenode.
Keywords: helpwanted
Doesn't happen on Firefox 3, afaict.
Flags: wanted1.9.0.x-
I can't repro on or 3.0.3 either.
I can still get trunk to crash, but I have to reload now.
Whiteboard: [sg:critical?]
Flags: blocking1.9.1? → wanted1.9.1+
I get (on stdout or stderr):

Security Error: Content at may not load data from data:text/xml,%3Cbindings%20xmlns%3D%...

Does that security error mean I'm not getting to the stuff that crashes?
Probably, yes.  You should be able to set the "layout.debug.enable_data_xbl" to true to let that security check succeed.
I meant the "layout.debug.enable_data_xbl" pref.
Yep, crashed on the first try with that pref set to true.
(But not any additional tries, unfortunately.)
The patch in bug 475128 will likely fix this by changing the underlying problem from a crash into a correctness bug.  I didn't try to reproduce the bug again without it, though.
I currently get:

###!!! ABORT: style context has old rule node: 'n == mRuleTree', file /Users/jruderman/central/layout/style/nsStyleSet.cpp, line 173
I don't get any crashes/assertions on mozilla-central now.  I'm assuming that's thanks to the fix for bug 475128.

If there's a correctness bug remaining, can you file a new bug report on it?
Closed: 12 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsCachedStyleData::GetStylePadding]
Group: core-security → core-security-release
Group: core-security-release