1324500 - Assertion failure: value >= minimum && value <= maximum (Unsanitized value)

Status: RESOLVED FIXED

(Core :: Layout: Form Controls, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: test_case.html

Assertion failure: value >= minimum && value <= maximum (Unsanitized value), at /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:510

==5155==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f66bd8898d5 bp 0x7fff2fb14670 sp 0x7fff2fb14440 T0)
    #0 0x7f66bd8898d4 in nsRangeFrame::GetValueAsFractionOfRange() /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:496:3
    #1 0x7f66bd889078 in nsRangeFrame::DoUpdateRangeProgressFrame(nsIFrame*, nsSize const&) /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:707:21
    #2 0x7f66bd88ae18 in nsRangeFrame::UpdateForValueChange() /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:615:5
    #3 0x7f66bd88b16b in nsRangeFrame::AttributeChanged(int, nsIAtom*, int) /home/worker/workspace/build/src/layout/forms/nsRangeFrame.cpp:755:9
    #4 0x7f66bd4d10c0 in mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:362:5
    #5 0x7f66bd4a70db in mozilla::PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4297:5
    #6 0x7f66ba2bfec8 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:145:3
    #7 0x7f66ba067ec1 in mozilla::dom::Element::UnsetAttr(int, nsIAtom*, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2754:5
...
See log.txt

Comment 1

[Tyson Smith [:tsmith]]

Attachment: log.txt

Comment 2

[Ryan VanderMeulen [:RyanVM]]

INFO: First good revision: 126828c05e0838795debf813cac591bf0ea5ecd5
INFO: Last bad revision: 38ecd019ecebe7533852db0253393d2708527437
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=38ecd019ecebe7533852db0253393d2708527437&tochange=126828c05e0838795debf813cac591bf0ea5ecd5

Fixed by something in Boris' push, which at looks plausible. NI myself to land a crashtest.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Yeah, that does look plausible, and in fact certain.  ;)  The changes for bug 656197 changed the oredr of AfterSetAttr and the AttributeChanged notification: before that change we did AttributeChanged _before_ calling AfterSetAttr, but now we call it _after_.

The stack above is running under AttributeChanged and asserting that the value it got from the input is in the (min, max) range.  Now when it does GetMaximum(), since it's running _after_ the max attr has been removed, it gets back the default max value, which is 100.  But the value it gets from GetValueAsDecimal() is 383, because range inputs default the value to (min+max)/2 and the max in this case is 765, while the min defaults to 0. HTMLInputElement::AfterSetAttr is what updates the value to fit in the new (0, 100) range when the "max" attr is removed.  But that used to happen after AttributeChanged, so we hit the assert.

In the new world, we finish updating all our internal state before telling people that it changed (the whole point of bug 656197), so everything is much better.  ;)

Comment 4

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e15b68fb8e34
Add crashtest. r=me

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/e15b68fb8e34