Closed Bug 898926 Opened 11 years ago Closed 11 years ago

"Assertion failure: mElements.Contains(cur)" with xbl:children, adding stylesheet

Categories

(Core :: XBL, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla26
Tracking Status
firefox24 --- unaffected
firefox25 + fixed
firefox26 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- fixed

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(4 keywords)

Attachments

(4 files, 1 obsolete file)

Attached file testcase
Assertion failure: mElements.Contains(cur), at layout/style/nsCSSRuleProcessor.cpp:3505

More fallout from bug 653881?
Attached file stack
Assignee: nobody → mrbkap
That doesn't sound great, but feel free to adjust the rating as desired.
Keywords: sec-high
I'm not convinced that this is a security sensitive bug, but I don't know all of the possible consequences, so I'll leave it as is.
Attachment #786583 - Flags: review?(jonas)
Attached patch Add reftest. (obsolete) — Splinter Review
Attachment #786607 - Flags: review?(jonas)
Attached patch Add reftest. -- Splinter Review
Sorry for the spam -- I got overeager in simplifying the reftest and the previous version didn't assert, even before the patch. This reftest does, though.
Attachment #786607 - Attachment is obsolete: true
Attachment #786607 - Flags: review?(jonas)
Attachment #786613 - Flags: review?(jonas)
Comment on attachment 786613 [details] [diff] [review]
Add reftest.

Review of attachment 786613 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/reftests/dom/xbl-children-4.xhtml
@@ +13,5 @@
> +    <script>
> +        onload = function() {
> +            var newSheet = document.createElementNS("http://www.w3.org/1999/xhtml", "style");
> +            newSheet.appendChild(document.createTextNode("#nosuchelement { }"));
> +            document.head.appendChild(newSheet);
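Review bot: the `onload` handler in this hunk has no comment explaining why a new stylesheet is appended rather than a plain layout flush; since the assertion under test is in nsCSSRuleProcessor.cpp and an earlier, simpler version of this reftest reportedly did not assert, add a one-line comment above `var newSheet = ...` stating that inserting a `<style>` element into the document is the step that drives the rule processor over the inactive `xbl:children` insertion point, so a future simplification does not silently turn the test into a no-op. The hunk shows only the script portion of `xbl-children-4.xhtml`; the matching reference file and the `reftest.list` entry are not visible here, so confirm both are part of the patch.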

Please see if you can change this to just do layout flush by accessing document.body.offsetTop or some such.
Attachment #786613 - Flags: review?(jonas) → review+
https://hg.mozilla.org/mozilla-central/rev/ec3734c7c17f
https://hg.mozilla.org/mozilla-central/rev/7f28258bc04f
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
This was fixed in 26 but no one ever said how far back it went (and it didn't go through sec-approval, which implies trunk only at the time).

Are earlier versions unaffected? I'm specifically concerned about a potential unfixed sec-high in ESR24 or ESR17.
Just needs an approval request
Flags: needinfo?(mrbkap)
Comment on attachment 786583 [details] [diff] [review]
xbl:children elements are insertion points if they're inactive.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 653881
User impact if declined: Potential security hole.
Testing completed (on m-c, etc.): This has been on m-c for a while, as well as aurora
Attachment #786583 - Flags: approval-mozilla-beta?
(In reply to Al Billings [:abillings] from comment #10)
> This was fixed in 26 but no one ever said how far back it went (and it
> didn't go through sec-approval, which implies trunk only at the time).

Yeah, this doesn't affect anything other than Beta at this point.
Flags: needinfo?(mrbkap)
Comment on attachment 786583 [details] [diff] [review]
xbl:children elements are insertion points if they're inactive.

Let's not ship this. :-)
Attachment #786583 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Keywords: checkin-needed
Group: core-security