So if I'm understanding correctly, this code
https://searchfox.org/mozilla-central/rev/ce0d41b6033e2a104904327a43edf730245f5241/layout/generic/nsIFrame.cpp#11259-11273
seems to be assuming that if `aFrame` and `element` have the same nontrivial pseudo-type, then both of the following are true:

(A) `element` must be native anonymous content.

(B) `element` or some ancestor must return true for `IsRootOfNativeAnonymousSubtree`

But in this case that's not true. Here:
- `element` (which is `aFrame->GetContent()`) is the `HTMLSlotElement` for the ::details-content pseudo; and it returns false from `IsRootOfNativeAnonymousSubtree`.

Walking up the tree from there:
- the parent frame is a nsBlockFrame whose GetContent() is the `HTMLDetailsElement`
- its parent frame is a nsBlockFrame whose GetContent() is the `HTMLDialogElement`
- its parent frame is a ScrollContainerFrame whose GetContent() is also the `HTMLDialogElement`
- its parent frame is the ViewportFrame whose GetContent() is nullptr.

None of these elements' content-nodes return true from `IsRootOfNativeAnonymousSubtree()`, so we walk until we get a null `GetContent()` pointer (from the `ViewportFrame`), and then there's one additional `parent = parent->GetInFlowParent();` after the while loop which takes us to the `ViewportFrame`'s parent which is nullptr. And then we pass that into `nsIFrame::CorrectStyleParentFrame` and we crash.

I don't have native-anonymous-content invariants paged into my head... but I presume *either* (B) above is an invalid assumption, or else one of our content nodes here (maybe the details element?) should be returning true from `IsRootOfNativeAnonymousSubtree`.

Bug 1982701 Comment 8 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

So if I'm understanding correctly, this code
https://searchfox.org/mozilla-central/rev/ce0d41b6033e2a104904327a43edf730245f5241/layout/generic/nsIFrame.cpp#11259-11273
seems to be assuming that if `aFrame` and `element` have the same nontrivial pseudo-type, then both of the following are true:

(A) `element` must be native anonymous content.

(B) `element` or some ancestor must return true for `IsRootOfNativeAnonymousSubtree`

But in this case that's not true. Here:
- `element` (which is `aFrame->GetContent()`) is the `HTMLSlotElement` for the ::details-content pseudo; and it returns false from `IsRootOfNativeAnonymousSubtree`.

Walking up the tree from there:
- the parent frame is a nsBlockFrame whose GetContent() is the `HTMLDetailsElement`
- its parent frame is a nsBlockFrame whose GetContent() is the `HTMLDialogElement`
- its parent frame is a ScrollContainerFrame whose GetContent() is also the `HTMLDialogElement`
- its parent frame is the ViewportFrame whose GetContent() is nullptr.

None of these elements' content-nodes return true from `IsRootOfNativeAnonymousSubtree()`, so we walk until we get a null `GetContent()` pointer (from the `ViewportFrame`), and then there's one additional `parent = parent->GetInFlowParent();` after the while loop which takes us to the `ViewportFrame`'s parent which is nullptr. And then we pass that into `nsIFrame::CorrectStyleParentFrame` and we crash.

I don't have native-anonymous-content invariants paged into my head... but I presume *either* (B) above is an invalid assumption, or else one of our content nodes here (maybe the `HTMLSlotElement` element?) should be returning true from `IsRootOfNativeAnonymousSubtree`.

So if I'm understanding correctly, this code in `GetCorrectedParent`...
https://searchfox.org/mozilla-central/rev/ce0d41b6033e2a104904327a43edf730245f5241/layout/generic/nsIFrame.cpp#11259-11273
...seems to be assuming that if `aFrame` and `element` have the same nontrivial pseudo-type, then both of the following are true:

(A) `element` must be native anonymous content.

(B) `element` or some ancestor must return true for `IsRootOfNativeAnonymousSubtree`

But in this case that's not true. In Pernosco (with the original testcase), the following is true:
- `element` (which is `aFrame->GetContent()`) is the `HTMLSlotElement` for the ::details-content pseudo; and it returns false from `IsRootOfNativeAnonymousSubtree`.

Walking up the tree from there:
- the parent frame is a nsBlockFrame whose GetContent() is the `HTMLDetailsElement`
- its parent frame is a nsBlockFrame whose GetContent() is the `HTMLDialogElement`
- its parent frame is a ScrollContainerFrame whose GetContent() is also the `HTMLDialogElement`
- its parent frame is the ViewportFrame whose GetContent() is nullptr.

None of these elements' content-nodes return true from `IsRootOfNativeAnonymousSubtree()`, so we walk until we get a null `GetContent()` pointer (from the `ViewportFrame`), and then there's one additional `parent = parent->GetInFlowParent();` after the while loop which takes us to the `ViewportFrame`'s parent which is nullptr. And then we pass that into `nsIFrame::CorrectStyleParentFrame` and we crash.

I don't have native-anonymous-content invariants paged into my head... but I presume *either* (B) above is an invalid assumption, or else one of our content nodes here (maybe the `HTMLSlotElement` element?) should be returning true from `IsRootOfNativeAnonymousSubtree`.
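
A simplified model of the walk described in the comment above, added here as an illustration; it is not Mozilla's code and not part of the bug comment. The `Frame`, `Content`, `WalkAsDescribed` and `WalkChecked` names are hypothetical stand-ins, the frame chain is constructed from the comment's description, and the checked variant is one possible way to surface the broken assumption, not the fix chosen in the bug.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the Gecko types; only what the walk reads is modelled.
struct Content { const char* name; bool isNacRoot; };
struct Frame { const char* type; Content* content; Frame* inFlowParent; };

// Frame chain reported in the comment, constructed here (innermost first).
static Content gSlot{"HTMLSlotElement", false};
static Content gDetails{"HTMLDetailsElement", false};
static Content gDialog{"HTMLDialogElement", false};
static Frame gViewport{"ViewportFrame", nullptr, nullptr};
static Frame gScroll{"ScrollContainerFrame", &gDialog, &gViewport};
static Frame gDialogBlock{"nsBlockFrame", &gDialog, &gScroll};
static Frame gDetailsBlock{"nsBlockFrame", &gDetails, &gDialogBlock};
static Frame gSlotFrame{"frame for ::details-content", &gSlot, &gDetailsBlock};

// The walk as the comment describes it: climb until a frame has no content or
// its content is a native-anonymous root, then take one more step up.
// Assumption: the walk starts at aFrame's in-flow parent.
Frame* WalkAsDescribed(Frame* aFrame) {
  Frame* parent = aFrame->inFlowParent;
  while (parent->content && !parent->content->isNacRoot) {
    parent = parent->inFlowParent;
  }
  return parent->inFlowParent;  // nullptr if the loop stopped at the viewport
}

struct WalkResult { bool foundNacRoot; Frame* styleParent; };

// Checked variant: reports whether assumption (B) held instead of silently
// stepping past the top of the tree.
WalkResult WalkChecked(Frame* aFrame) {
  Frame* parent = aFrame->inFlowParent;
  while (parent && parent->content && !parent->content->isNacRoot) {
    parent = parent->inFlowParent;
  }
  if (!parent || !parent->content) return {false, nullptr};
  return {true, parent->inFlowParent};
}

int main() {
  std::printf("as described: %p\n", static_cast<void*>(WalkAsDescribed(&gSlotFrame)));
  WalkResult r = WalkChecked(&gSlotFrame);
  std::printf("checked: foundNacRoot=%d\n", r.foundNacRoot);
  gDetails.isNacRoot = true;  // constructed counter-case where (B) holds
  r = WalkChecked(&gSlotFrame);
  std::printf("with NAC root: styleParent=%s\n", r.styleParent->type);
  return 0;
}
```

With the chain from the comment, the unchecked walk yields a null frame pointer, which is what then reaches `nsIFrame::CorrectStyleParentFrame`; the checked variant makes the failed assumption visible to the caller.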