Bug 1543308 - Add crashtests that were fixed by bug 322678. r=bzbarsky
authorTing-Yu Lin <tlin@mozilla.com>
Mon, 15 Apr 2019 16:52:17 +0000
changeset 469549 58487e582e9e
parent 469548 284ef8e23db0
child 469550 ab2083ff97f4
push id35874
push userccoroiu@mozilla.com
push dateTue, 16 Apr 2019 04:04:58 +0000
treeherdermozilla-central@be3f40425b52 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbzbarsky
bugs1543308, 322678
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1543308 - Add crashtests that were fixed by bug 322678. r=bzbarsky Differential Revision: https://phabricator.services.mozilla.com/D26857
layout/base/crashtests/322678.html
layout/base/crashtests/325024.html
layout/base/crashtests/325218.xul
layout/base/crashtests/crashtests.list
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/322678.html
@@ -0,0 +1,27 @@
+<!-- Quirks mode on purpose -->
+<html>
+  <head>
+    <title>Testcase bug 322678 - Crash [@ nsIFrame::GetParent] with evil testcase position:relative/absolute/display:table-column, etc</title>
+    <script>
+    function run(){
+      document.body.offsetHeight;
+      document.getElementById('one').removeAttribute('style');
+      document.body.offsetHeight;
+      document.getElementById('two').removeAttribute('style');
+      document.body.offsetHeight;
+    }
+    </script>
+  </head>
+  <body onload="run();">
+    <span>
+      <div style="position: relative;">
+        <span style="position: absolute;"></span>
+      </div>
+
+      <span id="one" style="display: table-column;">
+        <span id="two" style="display: block; position: relative;">
+        </span>
+      </span><u style="display: table-cell;">  </u>
+    </span>
+  </body>
+</html>
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/325024.html
@@ -0,0 +1,20 @@
+<html><head>
+<title>Testcase bug 325024 - Crash with evil testcase, using object, display: table-column, etc</title>
+</head>
+<body>
+<object>
+<div>Mozilla should not crash on this page</div>
+<span style="display: table-column;">
+<span style="display: block;"></span>
+</span><span style="display: table-cell;">
+</span>
+<isindex style="position: absolute; ">
+</object>
+
+<script>
+document.body.getElementsByTagName('*')[2].removeAttribute('style');
+document.body.offsetHeight;
+document.body.getElementsByTagName('*')[3].removeAttribute('style');
+document.body.offsetHeight;
+</script>
+</body></html>
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/325218.xul
@@ -0,0 +1,25 @@
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        xmlns:html="http://www.w3.org/1999/xhtml"
+        class="reftest-wait"
+        title="Testcase bug 325218 - Crash with evil xul testcase, using box, tooltip, object, etc">
+<html:span>
+  <box>
+    <tooltip/>
+  </box>
+
+  <html:td/><html:object style="display: none;">This should not crash Mozilla
+      <html:span style="display: table;"/>
+  </html:object>
+</html:span>
+
+<html:script>
+function doe(){
+  document.getElementsByTagName('html:object')[0].removeAttribute('style');
+  document.getElementsByTagName('html:object')[0].offsetHeight;
+  document.getElementsByTagName('html:span')[1].removeAttribute('style');
+  document.getElementsByTagName('html:object')[0].setAttribute('style', 'text-decoration: underline');
+  document.documentElement.removeAttribute("class");
+}
+setTimeout(doe,50);
+</html:script>
+</window>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -68,16 +68,19 @@ load 313086-1.xml
 load 317285-1.html
 load 317934-1.html
 load 320459-1.html
 load 321058-1.xul
 load 321058-2.xul
 load 321077-1.xul
 load 321077-2.xul
 load 322436-1.html
+load 322678.html
+load 325024.html
+load 325218.xul
 load 325967-1.html
 load 325984-1.xhtml
 load 325984-2.html
 load 328944-1.xul
 load 329900-1.html
 load 330015-1.html
 load 331204-1.html
 load 331679-1.xhtml