Closed Bug 1199131 Opened 10 years ago Closed 10 years ago

Crash when click on a SELECT wich has at least 1 OPTION with background-attachment:fixed and a background

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
40 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox40 + wontfix
firefox41 + wontfix
firefox42 + wontfix
firefox43 + fixed
firefox44 --- fixed
firefox-esr38 --- unaffected
b2g-v2.5 --- fixed

People

(Reporter: yves, Assigned: tnikkel)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

test.html
313 bytes, text/html
Details
patch for uplift
10.75 KB, patch
mstange
: review+
lizzard
: approval-mozilla-aurora+
lizzard
: approval-mozilla-beta+
Details | Diff | Splinter Review
patch for beta
10.71 KB, patch
Details | Diff | Splinter Review
Attached file test.html
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0 Build ID: 20150812163655 Steps to reproduce: Clicked (on our intranet) on a SELECT who had 2 OPTION with background-attachment:fixed and a background. Never happened before the bug probably came with firefox 40. It crashed on Windows 7 Windows Xp Kunbuntu 14.4 It works on Yosemite 10.10.4 Small crash sample attached. Actual results: Firefox crashes Expected results: The select opens and I can choose an option (and the background image is displayed)
Confirmed! (not sure about Component) Win7_64bit, Nightly 43.0a1 32bit ID 20150826030211 Funny thing: in e10s mode it doesn't even crash the tab
Severity: normal → critical
Status: UNCONFIRMED → NEW
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox43: --- → affected
status-firefox-esr38: --- → unaffected
Component: Untriaged → CSS Parsing and Computation
Ever confirmed: true
Keywords: regression, regressionwindow-wanted
Product: Firefox → Core
(In reply to Yves Mich from comment #0) > It works on > Yosemite 10.10.4 Oops i didn't check FF version it was Firefox 39.0.
bp-8e8b598d-3665-4af6-bef4-5c6192150827
Crash Signature: [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)]
Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d6d69f0f499&tochange=d0fc7202b4cb Regressed by:Bug 1148855
Blocks: 1148855
Component: CSS Parsing and Computation → Layout
Flags: needinfo?(mstange)
Keywords: regressionwindow-wantedreproducible, testcase
[Tracking Requested - why for this release]:
tracking-firefox40: --- → ?
tracking-firefox41: --- → ?
tracking-firefox42: --- → ?
tracking-firefox43: --- → ?
Tracking since this is a regression. Too late for 40 though.
status-firefox40: affectedwontfix
tracking-firefox40: ?+
tracking-firefox41: ?+
tracking-firefox42: ?+
tracking-firefox43: ?+
Firefox 40.0.3 on OSX 10.9.5 is unaffected. (no crash and the background is displayed)
(In reply to arni2033 from comment #1) > Confirmed! (not sure about Component) Win7_64bit, Nightly 43.0a1 32bit ID 20150826030211 With HWA off everything works fine (I just checked).
It is getting too late to fix this in FF41 given that we don't have a patch ready. Let's try to get this fixed in 42. Also it works fine with hardware acceleration turned off, which is good and therefore not blocking 41 release.
status-firefox41: affectedwontfix
Also, it works fine with HWA on and OMTC off (layers.offmainthreadcomposition.enabled -> false).
Oh no! This bug completely slipped past me. Sorry!
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mstange)
Keywords: crash
Markus, any news on this bug? We shipped 2 release with this crash but there is still time to fix it in 42 (gtb of beta 6 next monday)
Flags: needinfo?(mstange)
Depends on: 1156238
Crash Signature: [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)] → [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot(nsIFrame const*, mozilla::gfx::IntRectTyped<T>*)] [@ mozilla::PaintedLayerDataTree::IsClippedWithRespectToParentAnimatedGeometryRoot]
Bug 1156238 will probably fix this. I don't know whether it will be ready for 42.
Flags: needinfo?(mstange)
OK, too late for 42 then.
status-firefox42: affectedwontfix
Attached patch patch for upliftSplinter Review
The patches for bug 1156238 got fairly involved with multiple rounds of try server failures and debugging. So I think it might be a good idea to go with a more limited patch for uplift in case I missed anything. This is basically my first patch for bug 1156238 but the should fix to viewport stuff is done much better.
Assignee: mstange → tnikkel
Attachment #8682437 - Flags: review?(mstange)
Attachment #8682437 - Flags: review?(mstange) → review+
Comment on attachment 8682437 [details] [diff] [review] patch for uplift Note that this patch did not, and will not land on m-c as it is a modified version of the patches for bug 1156238 (which did land on m-c) for uplift to be less invasive. Approval Request Comment [Feature/regressing bug #]: bug 1148855 [User impact if declined]: crash if a select dropdown uses a background-attachment: fixed background [Describe test coverage new/current, TreeHerder]: reftests generally cover any mistakes that would be made in changing this code [Risks and why]: this is a less invasive and less risky version of the patches for bug 1156238 [String/UUID change made/needed]: none
Attachment #8682437 - Flags: approval-mozilla-beta?
Attachment #8682437 - Flags: approval-mozilla-aurora?
Comment on attachment 8682437 [details] [diff] [review] patch for uplift Crash fix, more conservative approach sounds good for uplift. Approved for aurora and beta. If we see obvious regressions let's back this out please.
Attachment #8682437 - Flags: approval-mozilla-beta?
Attachment #8682437 - Flags: approval-mozilla-beta+
Attachment #8682437 - Flags: approval-mozilla-aurora?
Attachment #8682437 - Flags: approval-mozilla-aurora+
this cause problems for uplift on beta : grafting 313487:4c724629d939 "Bug 1199131 - Crash when click on a SELECT wich has at least 1 OPTION with background-attachment:fixed and a background. r=mstange, a=lizzard" (aurora tip) merging layout/base/FrameLayerBuilder.cpp warning: conflicts during merge. merging layout/base/FrameLayerBuilder.cpp incomplete! (edit conflicts, then use 'hg resolve --mark') could you take a look, thanks!
Flags: needinfo?(tnikkel)
Attached patch patch for betaSplinter Review
A few lines had changed nearby, but they have no effect on this patch. Here is a patch that applies to beta.
Flags: needinfo?(tnikkel) → needinfo?(cbook)
(In reply to Timothy Nikkel (:tn) from comment #21) > Created attachment 8684860 [details] [diff] [review] > patch for beta > > A few lines had changed nearby, but they have no effect on this patch. Here > is a patch that applies to beta. thanks, landed in beta as https://hg.mozilla.org/releases/mozilla-beta/rev/c6d927b2b229
status-firefox43: affectedfixed
Flags: needinfo?(cbook)
This should be fixed everywhere (well central, beta, aurora) now.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: