Mercurial > mozreview > gecko / changeset / 2db641f09e66b7e5f1e6d48deb5bfb5fa9026948
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1308848 - Not request style of comment node when checking valid sibling. r=bz draft
authorXidorn Quan <me@upsuper.org>
Mon, 17 Oct 2016 17:29:38 +1100
changeset 442269 2db641f09e66b7e5f1e6d48deb5bfb5fa9026948
parent 442223 cc94ba5b3434af913db17415eae1497a8352009b
child 537754 49a38f6ab0f321ba438d941adadbdbf383486d1a
push id36648
push userxquan@mozilla.com
push dateTue, 22 Nov 2016 05:43:26 +0000
reviewersbz
bugs1308848
milestone53.0a1
Bug 1308848 - Not request style of comment node when checking valid sibling. r=bz MozReview-Commit-ID: 6Sq8C2LUkpT
layout/base/crashtests/1308848-1.html file | annotate | diff | comparison | revisions
layout/base/crashtests/1308848-2.html file | annotate | diff | comparison | revisions
layout/base/crashtests/crashtests.list file | annotate | diff | comparison | revisions
layout/base/nsCSSFrameConstructor.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1308848-1.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<table><tbody></tbody><tfoot></tfoot></table>
+<script>
+  document.body.offsetTop;
+  let parent = document.querySelector("table");
+  let comment = document.createComment("hello");
+  let footer = document.querySelector("tfoot");
+  parent.insertBefore(comment, footer);
+</script>
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1308848-2.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<table><tbody></tbody><tfoot></tfoot></table>
+<script>
+  document.body.offsetTop;
+  let parent = document.querySelector("table");
+  let pi = document.createProcessingInstruction('xml-stylesheet', 'href="test.css"');
+  let footer = document.querySelector("tfoot");
+  parent.insertBefore(pi, footer);
+</script>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -475,8 +475,10 @@ load 1235467-1.html
 pref(dom.webcomponents.enabled,true) load 1261351.html
 load 1270797-1.html
 load 1278455-1.html
 load 1286889.html
 load 1297835.html
 load 1288608.html
 load 1299736-1.html
 load 1308793.svg
+load 1308848-1.html
+load 1308848-2.html
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -6559,16 +6559,22 @@ nsCSSFrameConstructor::IsValidSibling(ns
       aSibling->GetParentStyleContext(&styleParent);
       if (!styleParent) {
         styleParent = aSibling->GetParent();
       }
       if (!styleParent) {
         NS_NOTREACHED("Shouldn't happen");
         return false;
       }
+      if (aContent->IsNodeOfType(nsINode::eCOMMENT) ||
+          aContent->IsNodeOfType(nsINode::ePROCESSING_INSTRUCTION)) {
+        // Comments and processing instructions never have frames, so we
+        // should not try to generate style contexts for them.
+        return false;
+      }
       // XXXbz when this code is killed, the state argument to
       // ResolveStyleContext can be made non-optional.
       RefPtr<nsStyleContext> styleContext =
         ResolveStyleContext(styleParent, aContent, nullptr);
       const nsStyleDisplay* display = styleContext->StyleDisplay();
       aDisplay = display->mDisplay;
     }
     if (nsGkAtoms::menuFrame == parentType) {
gecko
Deployed from 4e825768105f at 2024-04-08T16:23:59Z.