Closed Bug 690990 Opened 13 years ago Closed 13 years ago

"ABORT: should not get marked modified during parsing"

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla10
Tracking Flags:
Tracking Status
firefox9 --- fixed

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(4 keywords, Whiteboard: [qa!])

Attachments

(3 files)

testcase (asserts fatally when loaded)
302 bytes, text/html
Details
stack trace
1.09 KB, text/plain
Details
Don't assert that sheets are not modified when it would be just fine for them to be modified.
2.61 KB, patch
peterv
: review+
christian
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
###!!! ABORT: should not get marked modified during parsing: '!data->mSheet->IsModified()', file layout/style/Loader.cpp, line 1748

Could this be a regression from bug 185236?
Attached file stack trace 

    
    

    
  
Yes.  The bug is in the assertion itself, though.

The issue is that the appendChild call in this case will go ahead and create a new stylesheet which is all set to go.  It will also post an async SheetComplete for it.  Then the very next line of script will modify the sheet.

The assertion just needs to move into the !mSheetAlreadyComplete block.
Assignee: nobody → bzbarsky
Blocks: 185236
Priority: -- → P1
Whiteboard: [need review]

        Attachment #564116 -
        Flags: review?(peterv) → review+

    
  
Whiteboard: [need review] → [need landing]

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/f5aa42137fbc
Flags: in-testsuite+
Whiteboard: [need landing]
Target Milestone: --- → mozilla10

    
    

    
  
Comment on attachment 564116 [details] [diff] [review]
Don't assert that sheets are not modified when it would be just fine for them to be modified.

I believe we should take this on aurora.  It's a very safe change (debug-only code moving around), and will keep this bug from getting in the way of Jesse's fuzzers.

        Attachment #564116 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/f5aa42137fbc
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  

        Attachment #564116 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
  
Whiteboard: [qa+]

    
    

    
  
Hi guys.
In order to verify this bug, it's enough if I load the test case from the attachments and observe that Firefox isn't crashing?
Thanks

    
    

    
  
In a debug build, yes.

    
    

    
  
Setting resolution to Verified Fixed on debug builds:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111201 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111202 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111205 Firefox/11.0a1

Based on comment8 and comment9, I have loaded the test case from the description and Firefox did not crash.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, 
          
            verified-beta
Whiteboard: [qa+] → [qa!]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: