Attachment #8914905: Work around layout violating its own invariants and causing stylo code to crash for bug #1402766


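--- a/layout/generic/crashtests/1405443.html
+++ b/layout/generic/crashtests/1405443.html
@@ -0,0 +1,19 @@
+<style>
+#htmlvar00009 { page-break-inside: avoid; }
+* { padding-left: 1vw; border-right: solid green 3em; }
+#htmlvar00001 { columns: 1px; )
+</style>
+<script>
+function jsfuzzer() {
+try { htmlvar00009.appendChild(htmlvar00013); } catch(e) { }
+try { var var00143 = htmlvar00009.x; } catch(e) { }
+try { htmlvar00009.appendChild(document.createElement("table").createCaption()); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<dl id="htmlvar00001">
+A
+<img id="htmlvar00009" align="left"></img>
+<menu id="htmlvar00013">
+<menuitem>
+<hr>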
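--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -656,8 +656,9 @@ load 1349650.html
 asserts-if(browserIsRemote,0-5) load 1349816-1.html # bug 1350352
 load 1364361-1.html
 load 1367413-1.html
 load 1368617-1.html
 load 1373586.html
 load 1401420-1.html
 load 1401709.html
 load 1401807.html
+asserts(11) load 1405443.html # bug 1405443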
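--- a/layout/generic/nsInlineFrame.cpp
+++ b/layout/generic/nsInlineFrame.cpp
@@ -1010,16 +1010,23 @@ nsInlineFrame::UpdateStyleOfOwnedAnonBox
     // We don't want to just walk through using GetNextContinuationWithSameStyle
     // here, because we want to set updated style contexts on both our
     // ib-sibling blocks and inlines.
     for (nsIFrame* cont = blockFrame; cont; cont = cont->GetNextContinuation()) {
       cont->SetStyleContext(newContext);
     }
 
     nsIFrame* nextInline = blockFrame->GetProperty(nsIFrame::IBSplitSibling());
+
+    // This check is here due to bug 1405443.  Please remove it once
+    // that bug is fixed.
+    if (!nextInline) {
+      break;
+    }
+
     MOZ_ASSERT(nextInline, "There is always a trailing inline in an IB split");
 
     for (nsIFrame* cont = nextInline; cont; cont = cont->GetNextContinuation()) {
       cont->SetStyleContext(ourStyle);
     }
     blockFrame = nextInline->GetProperty(nsIFrame::IBSplitSibling());
   }
 }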
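Review bot: The `MOZ_ASSERT(nextInline, "There is always a trailing inline in an IB split")` kept directly after the new `if (!nextInline) { break; }` can no longer fire, so debug builds now pass silently over the broken IB-split invariant that the comment attributes to bug 1405443. The guard does remove the null dereference at `nextInline->GetProperty(...)` further down, but the early exit should stay visible, for example `NS_WARNING("IB split without a trailing inline, see bug 1405443");` placed before `break;`. The comment could also say that the assert below is intentionally unreachable until that bug is fixed. Other code relying on the same invariant is not visible here and may need a similar guard. The enclosing loop and function begin outside the hunk.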
