Jesse Ruderman Reporter
	Description • 18 years ago

This testcase triggers 

###!!! ASSERTION: Shallow unbind won't clear document and binding parent on kids!: 'aDeep || (!GetCurrentDoc() && !GetBindingParent())', file /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 1963

during GC.

Filing as security-sensitive because variations on this testcase (e.g. removing subDocElement instead of moving it) trigger the assertion in bug 323978.

	Boris Zbarsky [:bzbarsky]
	Comment 2 • 18 years ago

This is basically the same situation as when you see this assert in bug 335896 comment 4.  Similar reasons for it happening.

	Martijn Wargers (dead)
	Comment 3 • 17 years ago

The testcase doesn't work anymore, because bug 47903 was fixed. I guess adoptNode or something like that is needed.

	Jesse Ruderman Reporter
	Comment 4 • 17 years ago

Not sure I converted this correctly.  It gives me

JavaScript error: , line 0: uncaught exception: [Exception... "Node cannot be inserted at the specified point in the hierarchy"  code: "3" nsresult: "0x80530003 (NS_ERROR_DOM_HIERARCHY_REQUEST_ERR)"  location: "file:///Users/jruderman/Sites/fuzz3/344881.xhtml Line: 16"]

which seems perfectly reasonable, since it creates an cycle of child elements (if you consider an iframe to have its contents as "children").

	Jesse Ruderman Reporter
	Comment 5 • 17 years ago

WFM, since the testcase (converted to use adoptNode) doesn't trigger the assertion.

	Martijn Wargers (dead)
	Comment 6 • 17 years ago

I'm seeing this assertion in my debug build with:
https://bugzilla.mozilla.org/attachment.cgi?id=268571
(testcase from bug 384663)
Should I file a new bug, or can this one be reopened?

	Jesse Ruderman Reporter
	Comment 7 • 17 years ago

Please file a new bug.  The testcase is completely different.  And maybe it doesn't need to be security-sensitive if you can reduce the testcase more :)