Crash when click on a SELECT wich has at least 1 OPTION with background-attachment:fixed and a background

RESOLVED FIXED

Status

()

defect
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: yves, Assigned: tnikkel)

Tracking

(4 keywords)

40 Branch
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox40+ wontfix, firefox41+ wontfix, firefox42+ wontfix, firefox43+ fixed, firefox44 fixed, firefox-esr38 unaffected, b2g-v2.5 fixed)

Details

(crash signature)

Attachments

(3 attachments)

Posted file test.html
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150812163655

Steps to reproduce:

Clicked (on our intranet) on a SELECT who had 2 OPTION with background-attachment:fixed and a background.

Never happened before the bug probably came with firefox 40.
It crashed on
Windows 7
Windows Xp
Kunbuntu 14.4

It works on
Yosemite 10.10.4

Small crash sample attached.


Actual results:

Firefox crashes


Expected results:

The select opens and I can choose an option (and the background image is displayed)
Confirmed! (not sure about Component)   Win7_64bit, Nightly 43.0a1 32bit   ID 20150826030211

Funny thing:  in e10s mode it doesn't even crash the tab
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Untriaged → CSS Parsing and Computation
Ever confirmed: true
Product: Firefox → Core
(In reply to Yves Mich from comment #0)

> It works on
> Yosemite 10.10.4

Oops i didn't check FF version it was Firefox 39.0.
bp-8e8b598d-3665-4af6-bef4-5c6192150827
Crash Signature: [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)]
Pushlog:

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d6d69f0f499&tochange=d0fc7202b4cb

Regressed by:Bug 1148855
Blocks: 1148855
Component: CSS Parsing and Computation → Layout
Flags: needinfo?(mstange)
[Tracking Requested - why for this release]:
Tracking since this is a regression. Too late for 40 though.
Firefox 40.0.3 on OSX 10.9.5 is unaffected.
(no crash and the background is displayed)
(In reply to arni2033 from comment #1)
> Confirmed! (not sure about Component)   Win7_64bit, Nightly 43.0a1 32bit ID 20150826030211
With HWA off everything works fine (I just checked).
It is getting too late to fix this in FF41 given that we don't have a patch ready. Let's try to get this fixed in 42. Also it works fine with hardware acceleration turned off, which is good and therefore not blocking 41 release.
Also, it works fine with HWA on and OMTC off (layers.offmainthreadcomposition.enabled -> false).
Oh no! This bug completely slipped past me. Sorry!
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mstange)
Keywords: crash
Markus, any news on this bug? We shipped 2 release with this crash but there is still time to fix it in 42 (gtb of beta 6 next monday)
Flags: needinfo?(mstange)
Depends on: 1156238
Crash Signature: [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)] → [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)] [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot]
Bug 1156238 will probably fix this. I don't know whether it will be ready for 42.
Flags: needinfo?(mstange)
The patches for bug 1156238 got fairly involved with multiple rounds of try server failures and debugging. So I think it might be a good idea to go with a more limited patch for uplift in case I missed anything.

This is basically my first patch for bug 1156238 but the should fix to viewport stuff is done much better.
Assignee: mstange → tnikkel
Attachment #8682437 - Flags: review?(mstange)
Attachment #8682437 - Flags: review?(mstange) → review+
Comment on attachment 8682437 [details] [diff] [review]
patch for uplift

Note that this patch did not, and will not land on m-c as it is a modified version of the patches for bug 1156238 (which did land on m-c) for uplift to be less invasive.

Approval Request Comment
[Feature/regressing bug #]: bug 1148855
[User impact if declined]: crash if a select dropdown uses a background-attachment: fixed background
[Describe test coverage new/current, TreeHerder]: reftests generally cover any mistakes that would be made in changing this code
[Risks and why]: this is a less invasive and less risky version of the patches for bug 1156238
[String/UUID change made/needed]: none
Attachment #8682437 - Flags: approval-mozilla-beta?
Attachment #8682437 - Flags: approval-mozilla-aurora?
Comment on attachment 8682437 [details] [diff] [review]
patch for uplift

Crash fix, more conservative approach sounds good for uplift. 
Approved for aurora and beta.  If we see obvious regressions let's back this out please.
Attachment #8682437 - Flags: approval-mozilla-beta?
Attachment #8682437 - Flags: approval-mozilla-beta+
Attachment #8682437 - Flags: approval-mozilla-aurora?
Attachment #8682437 - Flags: approval-mozilla-aurora+
this cause problems for uplift on beta :

grafting 313487:4c724629d939 "Bug 1199131 - Crash when click on a SELECT wich has at least 1 OPTION with background-attachment:fixed and a background. r=mstange, a=lizzard" (aurora tip)
merging layout/base/FrameLayerBuilder.cpp
warning: conflicts during merge.
merging layout/base/FrameLayerBuilder.cpp incomplete! (edit conflicts, then use 'hg resolve --mark')

could you take a look, thanks!
Flags: needinfo?(tnikkel)
A few lines had changed nearby, but they have no effect on this patch. Here is a patch that applies to beta.
Flags: needinfo?(tnikkel) → needinfo?(cbook)
(In reply to Timothy Nikkel (:tn) from comment #21)
> Created attachment 8684860 [details] [diff] [review]
> patch for beta
> 
> A few lines had changed nearby, but they have no effect on this patch. Here
> is a patch that applies to beta.

thanks, landed in beta as https://hg.mozilla.org/releases/mozilla-beta/rev/c6d927b2b229
Flags: needinfo?(cbook)
This should be fixed everywhere (well central, beta, aurora) now.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.