Closed
Bug 776393
Opened 12 years ago
Closed 12 years ago
Crash when resizing window and changing CSS width
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
mozilla17
| Tracking | Status | |
|---|---|---|
| firefox17 | - | --- |
People
(Reporter: jruderman, Assigned: jwatt)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
testcase (must be a popup)
No description provided.
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
|
Reporter | |
Comment 3•12 years ago
|
||
bp-748d4597-38b1-494b-8a5c-9c37f2120722
Crash Signature: [@ DoApplyRenderingChangeToTree ]
|
||
Comment 4•12 years ago
|
||
Browser crashes with attachment 644785 [details] in Wndows7 bp-49dc6050-9490-4c37-8c2f-1a98f2120722 Regression window(m-c) Not crash: http://hg.mozilla.org/mozilla-central/rev/6dae57cd2f85 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720145842 Crash: http://hg.mozilla.org/mozilla-central/rev/045c11dd41a6 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720205642 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6dae57cd2f85&tochange=045c11dd41a6 Regression window(m-i) Not crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/a746aaa32b22 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720114508 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/62f19ed60528 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720115241 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a746aaa32b22&tochange=62f19ed60528
|
|
||
Comment 5•12 years ago
|
||
We crash because in the "if (aChange & nsChangeHint_ChildrenOnlyTransform)" block in DoApplyRenderingChangeToTree we have this code: nsIFrame *f = aFrame->GetContent()->GetPrimaryFrame(); but aFrame->GetContent() is null, because aFrame is the viewport. So we crash on the null-deref. If we didn't crash here, I bet we'd fail the following assert: 7737 NS_ABORT_IF_FALSE(f->IsFrameOfType(nsIFrame::eSVG | 7738 nsIFrame::eSVGContainer), 7739 "Children-only transforms only expected on SVG frames"); This looks like code added in bug 614732. The reason we have a viewport here is that we initially pass the nsSVGOuterSVGFrame to ApplyRenderingChangeToTree, but then the code in there does this: // If the frame's background is propagated to an ancestor, walk up to // that ancestor. and in this case this is a root <svg>, so its background _is_ propagated to an ancestor as far as that code is concerned (like for any root element) and we walk up to the viewport...
|
||
Comment 6•12 years ago
|
||
On Windows: bp-ed218940-156d-4a52-871d-03a8d2120723.
Crash Signature: [@ DoApplyRenderingChangeToTree ] → [@ DoApplyRenderingChangeToTree ]
[@ nsIContent::GetPrimaryFrame()]
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 17 Branch
|
||
Updated•12 years ago
|
Assignee: nobody → jwatt
|
|
Assignee | |
Comment 7•12 years ago
|
||
This crash appears to have gone between the following two Mac builds: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-24-03-05-51-mozilla-central/ https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-24-07-14-08-mozilla-central/ Which would give an anti-regression range of: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3613cbdc3481&tochange=a26e751bfb54
Target Milestone: --- → mozilla17
|
|
Assignee | |
Comment 8•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #5) > We crash because in the "if (aChange & nsChangeHint_ChildrenOnlyTransform)" > block in DoApplyRenderingChangeToTree we have [...] I don't see how the testcase can cause us to get into that block (it doesn't seem to in current tip builds), since it doesn't change any children-only transforms.
|
|
||
Comment 9•12 years ago
|
||
I cannot reproduce the crash with attachment 644785 [details]. Fixed window(m-c): Crash: http://hg.mozilla.org/mozilla-central/rev/3613cbdc3481 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723144443 Fixed: http://hg.mozilla.org/mozilla-central/rev/a26e751bfb54 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120724071408 Fixed range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3613cbdc3481&tochange=a26e751bfb54 Fixed window(m-i): Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/4c9ee7535383 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723085942 Fixed: http://hg.mozilla.org/integration/mozilla-inbound/rev/fd7d6cfafe09 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723091342 Fixed range: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4c9ee7535383&tochange=fd7d6cfafe09
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
||
Updated•12 years ago
|
|
|
Assignee | |
Updated•12 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•