Mercurial > integration > mozilla-inbound / changeset / 31b943721eba82e77b8673e7ef11c749136244f0
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1116104 - Null-check the do_QueryFrame result before using it. r=roc
authorMats Palmgren <mats@mozilla.com>
Wed, 31 Dec 2014 07:10:11 +0000
changeset 221716 31b943721eba82e77b8673e7ef11c749136244f0
parent 221715 a58f4fffeed222e5b807bc8dc7e2129b5b95e53c
child 221717 e66b5fdd480c6728db85ef8ac047f47856bd631a
push id53412
push usermpalmgren@mozilla.com
push dateWed, 31 Dec 2014 07:10:24 +0000
treeherdermozilla-inbound@31b943721eba [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersroc
bugs1116104
milestone37.0a1
first release with
nightly linux32
3c296aa11c51 / 37.0a1 / 20150101030214 / files
nightly linux64
3c296aa11c51 / 37.0a1 / 20150101030214 / files
nightly mac
3c296aa11c51 / 37.0a1 / 20150101030214 / files
nightly win32
3c296aa11c51 / 37.0a1 / 20150101030214 / files
nightly win64
3c296aa11c51 / 37.0a1 / 20150101030214 / files
last release without
nightly linux32
88037f94b7d7 / 37.0a1 / 20141231030205 / files
nightly linux64
88037f94b7d7 / 37.0a1 / 20141231030205 / files
nightly mac
88037f94b7d7 / 37.0a1 / 20141231030205 / files
nightly win32
88037f94b7d7 / 37.0a1 / 20141231030205 / files
nightly win64
88037f94b7d7 / 37.0a1 / 20141231030205 / files
Bug 1116104 - Null-check the do_QueryFrame result before using it. r=roc
layout/base/crashtests/1116104.html file | annotate | diff | comparison | revisions
layout/base/crashtests/crashtests.list file | annotate | diff | comparison | revisions
layout/base/nsCSSFrameConstructor.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1116104.html
@@ -0,0 +1,15 @@
+<html>
+
+<head>
+
+</head>
+
+<body>
+<style>colgroup::after { content:"after"; }</style>
+
+<table>
+<colgroup><col style="display: inline;">t</col></colgroup>
+</table>
+
+</body>
+</html>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -449,9 +449,10 @@ load 936988-1.html
 load 931450.html
 load 931460-1.html
 load 935765-1.html
 load 942690.html
 load 973390-1.html
 load 1001237.html
 load 1043163-1.html
 load 1061028.html
+load 1116104.html
 load 1107508-1.html
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -6065,18 +6065,21 @@ AdjustAppendParentForAfterContent(nsFram
     while (!done && parent) {
       // Ensure that all normal flow children are on the principal child list.
       parent->DrainSelfOverflowList();
 
       nsIFrame* child = parent->GetLastChild(nsIFrame::kPrincipalList);
       if (child && child->IsPseudoFrame(aContainer) &&
           !child->IsGeneratedContentFrame()) {
         // Drill down into non-generated pseudo frames of aContainer.
-        parent = nsLayoutUtils::LastContinuationWithChild(do_QueryFrame(child));
-        continue;
+        nsContainerFrame* childAsContainer = do_QueryFrame(child);
+        if (childAsContainer) {
+          parent = nsLayoutUtils::LastContinuationWithChild(childAsContainer);
+          continue;
+        }
       }
 
       for (; child; child = child->GetPrevSibling()) {
         nsIContent* c = child->GetContent();
         if (child->IsGeneratedContentFrame()) {
           nsIContent* p = c->GetParent();
           if (c->Tag() == nsGkAtoms::mozgeneratedcontentafter) {
             if (!nsContentUtils::ContentIsDescendantOf(aChild, p) &&
mozilla-inbound
Deployed from 18d8b634a3eb at 2022-06-27T19:41:41Z.