Closed Bug 206937 Opened 22 years ago Closed 21 years ago

Mozilla crashes using this SELECT menu/weird layout of SELECTmenu [@ nsComboboxControlFrame::SetChildFrameSize]


(Core :: Layout: Form Controls, defect, P3)






(Reporter: e.gerber, Assigned: bzbarsky)



(Keywords: crash, testcase, verified1.7)

(8 files, 10 obsolete files)

User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4b) Gecko/20030522 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4b) Gecko/20030522 Mozilla Firebird/0.6

This code (see attachments) from DaimlerChrysler's career website crashes Mozilla Firebird. In addition to this, some SELECT elements are missing the pulldown arrow button.

Reproducible: Always

Steps to Reproduce:
1. download attached files (HTML and CSS)
2. open file index.htm in Firebird
3. watch the weird effects with some of the SELECT menus
4. change menu option in the 'Kompetenz' section
5. see Firebird crashing :-(

Actual Results: Firebird crashes
Summary: crash with this page → Firebird crashes loading this page
Attached file the HTML file (obsolete) —
load this file into Firebird
Attached file the required CSS (obsolete) —
save this file into the same directory as index.htm
don't know if it's obvious or not but the CSS file needs to be named DC_STYLESHEET_GER_2.css
Firebird doesn't crash for me but on some of the pulldown menus the little arrows are missing, but they appear fine in IE, there's an obvious pattern where some pulldown arrow elements are missing, I'll try and attach a screenshot
Reporter: Can you show me the URL where the crash occurs?
WFM using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6. I don't see the images, but it doesn't crash. Oleg, I wonder if that problem is related to your theme? I see everything just fine on the default (Classic?). I don't know enough to say, just that it works for me.
Attached image screenshot first step (obsolete) —
screenshot of
Attached image screenshot second step (obsolete) —
2.) screenshot of search results page
Attached image screenshot third step (obsolete) —
3.) screenshot of job details
Attached image screenshot fourth step (obsolete) —
4.) screenshot of login form
Attached image screenshot fifth step (obsolete) —
5.) screenshot of first page of your account
Attached image screenshot sixth step (obsolete) —
6.) screenshot of your address data
Attached image screenshot seventh (and last) step (obsolete) —
7.) screenshot of the relevant page (additional qualification details)
The first example you show is actually a Flash problem, not FB. The rest of your examples are all WFM using my version of Firebird, though I can't seem to switch themes to reproduce it perfectly.
Unfortunately, the relevant page is part of DaimlerChrysler's career site. That is, you need to create an account to get there :-( I added some screenshots to illustrate the steps to get to the relevant page.
1.) dc_career-1.png shows the main screen of; choose 'skip intro', click on 'Jobwelt' and then select some options from the menus to the left of the screen ('Zielgruppe', 'Region') and select 'Suche starten' (start search).
2.) dc_career-2.png shows the list of search results your query returned. Choose any of the offers.
3.) dc_career-3.png shows the popup window with the selected job's details. Click on 'Onlinebewerbung' (apply online).
4.) dc_career-4.png shows the login/account creation screen (new popup window). Create an account by filling in the information in the left form and selecting 'Bewerben' (apply). Later you may return to this screen to log in again.
5.) dc_career-5.png shows the first page of your account - skip it by clicking on 'Weiter'
6.) dc_career-6.png shows your address data. Click on the tiny '4' on top of the screen.
7.) dc_career-7.png: the relevant page - finally!!
I hope there's someone with a decent command of the German language ;-)
Attached image screenshot fourth step (obsolete) —
4.) screenshot of login/account creation form
Attachment #124139 - Attachment is obsolete: true
The crash occurs on Mozilla SeaMonkey too. -> Browser -> DOM HTML
Assignee: blaker → dom_bugs
Component: General → DOM HTML
Product: Phoenix → Browser
QA Contact: asa → desale
Version: unspecified → Trunk
Summary: Firebird crashes loading this page → Mozilla crashes loading this page
Keywords: crash
I can still see this with Firebird 20030910 on Win2K/WinXP
Attachment #124136 - Attachment is obsolete: true
Attachment #124137 - Attachment is obsolete: true
Attachment #124138 - Attachment is obsolete: true
Attachment #124140 - Attachment is obsolete: true
Attachment #124141 - Attachment is obsolete: true
Attachment #124142 - Attachment is obsolete: true
Attachment #124145 - Attachment is obsolete: true
Attachment #124102 - Attachment is obsolete: true
Attachment #124103 - Attachment is obsolete: true
Loading this test file with Mozilla 1.5 RC1 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20030916) on Win2K SP4 and changing the selected option in the first menu crashes the browser. Please note the weird layout of the second menu (outside the table)!
this crashes latest Firebird (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030916 Firebird/0.6.1+) on Win2k SP4 as well
OS: Windows NT → Windows 2000
Summary: Mozilla crashes loading this page → Mozilla crashes loading this page/weird layout of select menu
Summary: Mozilla crashes loading this page/weird layout of select menu → Mozilla crashes using this SELECT menu/weird layout of SELECTmenu
Severity: critical → blocker
A talkback: TB24325887Y crashed with 1.5rc on w2k
Keywords: testcase
does not block Mozilla development
Severity: blocker → critical
Keywords: stackwanted
Whiteboard: TB24325887Y
(gdb) frame 4
#4 0x40fd72d6 in nsComboboxControlFrame::SetChildFrameSize(nsIFrame*, int, int) (this=0x874be40, aFrame=0x8753a84, aWidth=-1073770896, aHeight=-1073770368) at nsComboboxControlFrame.cpp:690
690 nsresult result = aFrame->QueryInterface(NS_GET_IID(nsIFormControlFrame), (void**)&fcFrame);
(gdb) p aFrame
$1 = (class nsIFrame *) 0x8753a84
(gdb) p *aFrame
$2 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddd, mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, mState = 3722304989}
crash occurs with linux trunk 2003101005 ==> form controls
Assignee: dom_bugs → form
Component: DOM HTML → Layout: Form Controls
Ever confirmed: true
Keywords: stackwanted
OS: Windows 2000 → All
QA Contact: desale → ian
Summary: Mozilla crashes using this SELECT menu/weird layout of SELECTmenu → Mozilla crashes using this SELECT menu/weird layout of SELECTmenu [@ nsComboboxControlFrame::SetChildFrameSize]
This is a testcase without using <table> as parent for the <select> - it does not crash. I do see an assertion though:
###!!! ASSERTION: running past end: 'mCurrent != mListLink', file nsLineBox.h, line 546
A bit of trace output, comments to follow:
START nsComboboxControlFrame::Reflow
nsComboboxControlFrame::Reflow: nsFormControlFrame::SkipResizeReflow()
nsComboboxControlFrame::Reflow: ReflowComboChildFrame()
START nsComboboxControlFrame::ReflowComboChildFrame
ReflowComboChildFrame: ReflowChild()
ReflowComboChildFrame: FinishReflowChild()
END nsComboboxControlFrame::ReflowComboChildFrame
nsComboboxControlFrame::Reflow: 3 ReflowCombobox
START nsComboboxControlFrame::ReflowCombobox
mDisplayFrame=0x827ab14 aDropDownBtn=0x827ae8c
SetChildFrameSize 0x827ae8c 240 256
ReflowCombobox: nsAreaFrame::Reflow()
ReflowCombobox: aDisplayFrame->Reflow()
SetChildFrameSize 0x827ae8c 240 288
END nsComboboxControlFrame::ReflowCombobox
END nsComboboxControlFrame::Reflow
START nsComboboxControlFrame::Reflow
nsComboboxControlFrame::Reflow: nsFormControlFrame::SkipResizeReflow()
nsLineLayout::ReflowFrame: parent->DeleteNextInFlowChild(kidNextInFlow) parent = Block(td)(1)@0x825e068) kidNextInFlow = Area(select)(1)@0x8236a84)
nsFrame::Destroy: Text(-1)@0x827b0e4
nsFrame::Destroy: Area(input)(-1)@0x827af80
nsFrame::Destroy: ButtonControl(input)(-1)@0x827ae8c
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file nsFrameManager.cpp, line 1015
Break: at file nsFrameManager.cpp, line 1015
nsFrame::Destroy: Area(select)(1)@0x8236a84
START nsComboboxControlFrame::Reflow
nsComboboxControlFrame::Reflow: nsFormControlFrame::SkipResizeReflow()
nsComboboxControlFrame::Reflow: 1 ReflowCombobox()
START nsComboboxControlFrame::ReflowCombobox
mDisplayFrame=0x827ab14 aDropDownBtn=0x827ae8c
SetChildFrameSize 0x827ae8c 240 224
./dist/bin/ line 73: 6308 Segmentation fault (core dumped) "$prog" ${1+"$@"}
The nsComboboxControlFrame instance holds a number of weak refs to its various frames. When nsLineLayout::ReflowFrame() starts to Destroy() these, the crash is inevitable. This is the place in nsLineLayout::ReflowFrame():

    if (!NS_INLINE_IS_BREAK_BEFORE(aReflowStatus)) {
      // If frame is complete and has a next-in-flow, we need to delete
      // them now. Do not do this when a break-before is signaled because
      // the frame is going to get reflowed again (and may end up wanting
      // a next-in-flow where it ends up).
      if (NS_FRAME_IS_COMPLETE(aReflowStatus)) {
        nsIFrame* kidNextInFlow;
        aFrame->GetNextInFlow(&kidNextInFlow);
        if (nsnull != kidNextInFlow) {
          // Remove all of the childs next-in-flows. Make sure that we ask
          // the right parent to do the removal (it's possible that the
          // parent is not this because we are executing pullup code)
          nsHTMLContainerFrame* parent = NS_STATIC_CAST(nsHTMLContainerFrame*,
                                                        kidNextInFlow->GetParent());
here>>>>  parent->DeleteNextInFlowChild(mPresContext, kidNextInFlow);
        }
      }

I see that this is controlled by the FRAME_IS_COMPLETE bit and the crash indeed disappears when I set that bit at the end instead of at the beginning in nsComboboxControlFrame::Reflow()
Patch coming up...
Attachment #135097 - Flags: superreview?(dbaron)
Attachment #135097 - Flags: review?(bz-vacation)
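The failure mode described in the comment above (a frame keeping weak references to child frames that another object destroys during reflow), modelled as an added C++ example. It is not Gecko code and not one of this bug's patches: Arena, Frame, Combobox, kAlive and the tracking scheme are hypothetical, and the sizes 240/256/224 are borrowed from the trace only as sample values.

```cpp
// Added illustration, not Gecko code. Every type and name is hypothetical.
#include <cstdint>
#include <cstring>
#include <vector>

constexpr uint32_t kAlive = 0xF4A3E001u;  // constructed "live frame" tag
struct Frame { uint32_t magic; int width, height; };

// Arena: Destroy() fills the slot with 0xDD but the storage stays mapped.
struct Arena {
  Frame slots[4];
  int used = 0;
  std::vector<Frame**> tracked;  // weak refs to null when a frame dies
  Frame* Alloc() { Frame* f = &slots[used++]; *f = Frame{kAlive, 0, 0}; return f; }
  void Track(Frame** ref) { tracked.push_back(ref); }
  void Destroy(Frame* f) {
    for (Frame** ref : tracked)
      if (*ref == f) *ref = nullptr;
    std::memset(f, 0xDD, sizeof *f);
  }
};

struct Combobox {
  Frame* button = nullptr;  // weak reference: the combobox does not own it
  // Refuses to touch a cleared or poisoned frame.
  bool SetChildFrameSize(int w, int h) {
    if (!button || button->magic != kAlive) return false;
    button->width = w; button->height = h;
    return true;
  }
};

// Untracked weak ref: pointer still non-null, frame behind it is all 0xDD.
bool UntrackedRefDangles() {
  Arena arena; Combobox combo;
  combo.button = arena.Alloc();
  arena.Destroy(combo.button);
  return combo.button != nullptr && combo.button->magic == 0xDDDDDDDDu;
}

// Tracked weak ref: Destroy() nulls it, so the next resize fails closed.
bool TrackedRefIsCleared() {
  Arena arena; Combobox combo;
  combo.button = arena.Alloc();
  arena.Track(&combo.button);
  bool sized = combo.SetChildFrameSize(240, 256);
  arena.Destroy(combo.button);
  return sized && !combo.button && !combo.SetChildFrameSize(240, 224);
}

int main() { return UntrackedRefDangles() && TrackedRefIsCleared() ? 0 : 1; }
```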
So the problem is that we're ending up with a next-in-flow for which frame? The button? Or the combobox itself? This fix looks like it's wallpapering over a deeper problem (like "there should never be any linebreaks inside the combobox frame", which is I think what's causing troubles here).
the crash still occurs with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7a) Gecko/20040131 Firebird/0.8.0+ Are you sure you want to ship 0.8 leaving all the people out there without a chance of getting a job with DaimlerChrysler ;-) Seriously: potentially any web page could be built to easily crash Firebird; no good advertising approach!
still crashing with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040304 Firefox/0.8.0+
Comment on attachment 135097: Patch rev. 1
I don't think this is the right fix....
Attachment #135097 - Flags: superreview?(dbaron)
Attachment #135097 - Flags: review?(bzbarsky)
Attachment #135097 - Flags: review-
Comment on attachment 143208: Another way to solve this...
Mats, what do you think?
Attachment #143208 - Flags: review?(mats.palmgren)
Whiteboard: TB24325887Y
@Boris: this seems to work nicely. Anyone willing to check this in?
Attachment #143208 - Flags: superreview+
Attachment #143208 - Flags: review?(mats.palmgren)
Attachment #143208 - Flags: review+
Comment on attachment 143208: Another way to solve this...
Egbert, patches can't get checked in unless they have reviews. Could this please be approved for 1.7? This just keeps text inside <select>s from wrapping, which is never really desirable.
Attachment #143208 - Flags: approval1.7?
Oh, and I just checked this in on the 1.8a trunk.
Comment on attachment 143208: Another way to solve this...
a=chofmann for 1.7
Attachment #143208 - Flags: approval1.7? → approval1.7+
Assignee: core.layout.form-controls → bzbarsky
Priority: -- → P3
Target Milestone: --- → mozilla1.7final
Fixed on branch.
Closed: 21 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Verified on Mozilla branch Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040701. no crashing for any of the attached test cases (changing the menu options).
Keywords: fixed1.7 → verified1.7
Crash Signature: [@ nsComboboxControlFrame::SetChildFrameSize]
See Also: → 1553930