commit fd42606e30e4
Author: Boris Zbarsky <bzbarsky@mit.edu>
Date: Tue Oct 3 18:50:10 2017 -0400
Bug 1402766 - Work around layout violating its own invariants and causing stylo code to crash. r=emilio, a=sledru
MozReview-Commit-ID: 3ggJI0qmOJV
--HG--
extra : source : 71d02a129bebc9dfd804b1babb8fae587d1930a8
extra : histedit_source : d36726bf4182c3820a3f8efd2d2599b114cb55c4
---
layout/generic/crashtests/1405443.html | 19 +++++++++++++++++++
layout/generic/crashtests/crashtests.list | 1 +
layout/generic/nsInlineFrame.cpp | 7 +++++++
3 files changed, 27 insertions(+)
diff --git layout/generic/crashtests/1405443.html layout/generic/crashtests/1405443.html
new file mode 100644
index 000000000000..79313ae1c4d4
--- /dev/null
+++ layout/generic/crashtests/1405443.html
@@ -0,0 +1,19 @@
+<style>
+#htmlvar00009 { page-break-inside: avoid; }
+* { padding-left: 1vw; border-right: solid green 3em; }
+#htmlvar00001 { columns: 1px; )
+</style>
+<script>
+function jsfuzzer() {
+try { htmlvar00009.appendChild(htmlvar00013); } catch(e) { }
+try { var var00143 = htmlvar00009.x; } catch(e) { }
+try { htmlvar00009.appendChild(document.createElement("table").createCaption()); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<dl id="htmlvar00001">
+A
+<img id="htmlvar00009" align="left"></img>
+<menu id="htmlvar00013">
+<menuitem>
+<hr>
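Review bot: The stray `)` in `#htmlvar00001 { columns: 1px; )` on the fourth line never closes the rule, so the declaration block runs on to `</style>`; if that parse error is part of what the fuzzer produced it must stay, since normalising it to `}` could change the frame tree the reproducer depends on, but nothing in the file says so. A one-line header such as `<!-- fuzzer-generated reproducer for bug 1405443; the malformed CSS and unclosed elements are intentional -->` would keep a later cleanup from "fixing" it. The unclosed `<dl>`, `<menu>` and `<menuitem>` and the unquoted `onload=jsfuzzer()` look deliberate for the same reason and would be covered by that comment.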
diff --git layout/generic/crashtests/crashtests.list layout/generic/crashtests/crashtests.list
index 25c2c32470fc..07cc75ea0f9a 100644
--- layout/generic/crashtests/crashtests.list
+++ layout/generic/crashtests/crashtests.list
@@ -659,3 +659,4 @@ load 1367413-1.html
load 1368617-1.html
load 1373586.html
load 1401420-1.html
+asserts(11) load 1405443.html # bug 1405443
diff --git layout/generic/nsInlineFrame.cpp layout/generic/nsInlineFrame.cpp
index 089178a6ada2..ce62f822bda0 100644
--- layout/generic/nsInlineFrame.cpp
+++ layout/generic/nsInlineFrame.cpp
@@ -1065,6 +1065,13 @@ nsInlineFrame::UpdateStyleOfOwnedAnonBoxesForIBSplit(
}
nsIFrame* nextInline = blockFrame->GetProperty(nsIFrame::IBSplitSibling());
+
+ // This check is here due to bug 1405443. Please remove it once
+ // that bug is fixed.
+ if (!nextInline) {
+ break;
+ }
+
MOZ_ASSERT(nextInline, "There is always a trailing inline in an IB split");
for (nsIFrame* cont = nextInline; cont; cont = cont->GetNextContinuation()) {