Closed
Bug 474377
Opened 16 years ago
Closed 9 years ago
"ASSERTION: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
|
251 bytes,
application/xhtml+xml
|
Details | |
|
14.61 KB,
text/html
|
Details | |
|
2.91 KB,
patch
|
Details | Diff | Splinter Review |
Loading this testcase triggers a fatal assertion that was added in bug 473871:
###!!! ABORT: must be in the same rule tree as parent: 'r1 == r2', file /Users/jruderman/central/layout/style/nsStyleContext.cpp, line 89
Initially security-sensitive because in bug 473871, dbaron said something about crashes due to dangling pointers.
|
Reporter | |
Updated•16 years ago
|
Whiteboard: [sg:investigate]
The testcase seems somewhat familiar, but I can't find anything. (I looked at bug 454276, bug 469432, bug 454736.)
This does seem pretty bad, though.
|
||
Comment 2•16 years ago
|
||
The blue frame (0x177b100) is going to be re-framed so we skip processing
its children, and continue with it's next sibling 0x177a8e8 (yellow),
which contains 0x177abe8 (red) which is a special sibling to the child
we skipped (green) which is the style context provider for (red).
|
|
||
Comment 3•16 years ago
|
||
|
|
||
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
I'm wondering if we should just remove the optimization of skipping things that are going to be reframed. It's also potentially problematic when reframing fails.
The only case I can think of where that could cause performance problems is toggling display:none on something high in the tree.
|
||
Comment 6•16 years ago
|
||
Or just something with lots of kids (e.g. a big table)?
Yeah, toggling display:none on something with large numbers of descendants.
|
|
||
Comment 8•16 years ago
|
||
That might not be that uncommon, esp. in code that tries to optimize things by toggling display, doing DOM manipulation, then toggling back...
Blocks: 469432
|
|
Reporter | |
Comment 9•16 years ago
|
||
Bug 475128 downgraded this abort to an assertion. The testcase in this bug still triggers it.
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
|
|
Reporter | |
Comment 10•15 years ago
|
||
Still happens on trunk. This bug has been in [sg:investigate] for quite a while :(
blocking2.0: --- → ?
Post-bug 475128, I think this no longer involves dangling pointers.
|
|
Reporter | |
Comment 12•15 years ago
|
||
Is it safe to make this bug public, thne?
blocking2.0: ? → -
|
|
Reporter | |
Updated•14 years ago
|
Severity: critical → normal
Summary: "ABORT: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after → "ASSERTION: must be in the same rule tree as parent: 'r1 == r2'" with MathML, {ib}, :after
|
|
||
Updated•13 years ago
|
Group: core-security
Whiteboard: [sg:investigate]
|
|
||
Comment 13•12 years ago
|
||
I may have a STR for this but not sure it's consistent. Will report.
|
||
Comment 14•9 years ago
|
||
Testcase works without issue now.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → WORKSFORME
|
||
Comment 15•9 years ago
|
||
|
||
Comment 16•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•