Bug 634291
Opened 14 years ago
Closed 14 years ago
"ASSERTION: Walking off beginning of list" and crash with navigated-away designMode document
Categories: Core :: DOM: Editor, defect
Status: RESOLVED FIXED

| Tracking | Status |
|---|---|
| blocking2.0 | --- |
People: Reporter: jruderman, Assigned: smaug
Keywords: assertion, crash, testcase
Attachments (3 files):
- 448 bytes, text/html
- 16.57 KB, text/plain
- 1019 bytes, patch (flags: bzbarsky: review+, dholbert: feedback+, beltzner: approval2.0+)

Description:
###!!! ASSERTION: Walking off beginning of list: 'mChild', file layout/base/nsChildIterator.h, line 114
Crash [@ nsCSSFrameConstructor::FindFrameForContentSibling]
Comment 1•14 years ago (Reporter)
Comment 2•14 years ago (Reporter)
Crash report: bp-a99c7cb2-d765-47ee-8e47-516032110215
Updated•14 years ago (Assignee)
Group: core-security
Comment 3•14 years ago (Assignee)
nsHTMLEditor is doing things at an unsafe time.
Comment 4•14 years ago (Assignee)
...I think
Comment 5•14 years ago
I don't know the implications of this bug, but noming for blocking to get it on the radar.
blocking2.0: --- → ?
Comment 7•14 years ago (Assignee)
This is a regression from bug 574529.
It is hard to understand the patch for that bug.
Depends on: 574529
Updated•14 years ago (Assignee)
Assignee: nobody → Olli.Pettay
Comment 8•14 years ago (Assignee)
I think this is what was meant in bug 574529.
Fixes this bug, but I couldn't verify whether this regresses bug 574529, since that doesn't have a testcase.
Attachment #512809 - Flags: review?(bzbarsky)
Attachment #512809 - Flags: feedback?(dholbert)
Comment 9•14 years ago
Comment on attachment 512809 [details] [diff] [review]: patch
> It is hard to understand the patch for that bug.
The point of that bug was to allow ourselves to flush layout in an SVG-as-an-image document *during* (in service to) its host document's paint. The patch did that by extending the "safe to flush layout" condition to disregard "IsSafeToRunScript" if scripts are disabled.
> since that doesn't have a testcase.
There's no testcase on that bug because it was a helper-bug for implementing SVG-as-an-image. No standalone testcase was possible. I'd suggest running reftests on the "reftests/svg/as-image" directory to test this -- in particular, a locally-viewed copy of layout/reftests/svg/as-image/img-and-image-1.html will work this pretty vigorously.
RE the patch here -- it looks good to me! I wasn't aware of the distinction between GetScriptGlobalObject vs. GetScriptHandlingObject until now, but from reading their documentation in nsIDocument.h, it looks like we do indeed want the latter here.
Attachment #512809 - Flags: feedback?(dholbert) → feedback+
Comment 10•14 years ago (Assignee)
layout/reftests/svg/as-image/ reftests work.
Comment 11•14 years ago
Comment on attachment 512809 [details] [diff] [review]: patch
r=me
Attachment #512809 - Flags: review?(bzbarsky) → review+
Comment 12•14 years ago (Assignee)
Comment on attachment 512809 [details] [diff] [review]: patch
This should either block or just be approved.
Attachment #512809 - Flags: approval2.0?
Comment 13•14 years ago
Comment on attachment 512809 [details] [diff] [review]: patch
a=beltzner
Attachment #512809 - Flags: approval2.0? → approval2.0+
Comment 14•14 years ago
Does not look exploitable from the stack (near 0 crash).
Comment 15•14 years ago (Assignee)
Not that particular case, but I believe there are other cases when we shouldn't be flushing.
Comment 16•14 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•10 years ago
Group: core-security