Closed Bug 454736 Opened 11 years ago Closed 11 years ago

Crash [@ nsCachedStyleData::GetStylePadding] with XBL, MathML, XUL

Categories: Core :: Layout, defect, critical
Platform: x86 macOS
Status: RESOLVED FIXED
People: Reporter jruderman, Unassigned
References: Blocks 3 open bugs
Details: Keywords: crash, helpwanted, testcase; Whiteboard: [sg:critical?]

Attachments: 1 file

Loading the testcase makes Firefox crash [@ nsCachedStyleData::GetStylePadding] dereferencing 0xddddddfd.

This bug is timing-dependent in an annoying way, so I'm having trouble making a testcase suitable for automated testing.

A related testcase (not attached) triggers this assertion before crashing:

###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 835
Flags: blocking1.9.1?
So... We have a frame pointing to a style context pointing to a destroyed rulenode.
Doesn't happen on Firefox 3, afaict.
Flags: wanted1.9.0.x-
I can't repro on 2.0.0.17 or 3.0.3 either.
I can still get trunk to crash, but I have to reload now.
Whiteboard: [sg:critical?]
Flags: blocking1.9.1? → wanted1.9.1+
I get (on stdout or stderr):

Security Error: Content at https://bugzilla.mozilla.org/attachment.cgi?id=338044 may not load data from data:text/xml,%3Cbindings%20xmlns%3D%...


Does that security error mean I'm not getting to the stuff that crashes?
Probably, yes.  You should be able to set the "layout.debug.enable_data_xbl" to true to let that security check succeed.
I meant the "layout.debug.enable_data_xbl" pref.
Yep, crashed on the first try with that pref set to true.
(But not any additional tries, unfortunately.)
The patch in bug 475128 will likely fix this by changing the underlying problem from a crash into a correctness bug.  I didn't try to reproduce the bug again without it, though.
I currently get:

###!!! ABORT: style context has old rule node: 'n == mRuleTree', file /Users/jruderman/central/layout/style/nsStyleSet.cpp, line 173
I don't get any crashes/assertions on mozilla-central now.  I'm assuming that's thanks to the fix for bug 475128.

If there's a correctness bug remaining, can you file a new bug report on it?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsCachedStyleData::GetStylePadding]
Group: core-security → core-security-release
Group: core-security-release