Closed
Bug 1401840
Opened 6 years ago
Closed 6 years ago
Crash in nsFrameManager::CaptureFrameStateFor when opening Presenter View in Google Slides
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox55 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | + | fixed |
| firefox58 | --- | fixed |
People
(Reporter: timdream, Assigned: bzbarsky)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, Whiteboard: [clouseau])
Crash Data
Attachments
(2 files)
|
180 bytes,
text/html
|
Details | |
|
3.32 KB,
patch
|
dholbert
:
review+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-2a898450-ac50-4b21-8849-69e640170921. ============================================================= STR: 1. Go to a Google Slides 2. Hit the little arrow besides the [Present] button on the top right. 3. Hit [Presenter view] Expected: 1. Two popups opened and they work. Actual: 1. Two popups opened and they all crash.
|
Reporter | |
Comment 1•6 years ago
|
||
For some reasons it only happens on my MBP ... how do I debug further?
|
||
Comment 2•6 years ago
|
||
I was able to reproduce this issue too. All the tabs related to the presentation crash. Tested with: Browser / Version: Firefox Mobile Nightly 57.0a1 (2017-09-20) Operating System: Windows 10 Pro
|
||
Comment 3•6 years ago
|
||
There are 48 crashes in nightly 57 starting with buildid 20170919220202. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1400599. :bz, could you investigate please ? [1] https://hg.mozilla.org/mozilla-central/rev?node=13f651129c38f79e0b7efa67892dcb296e41fe1a
status-firefox55:
--- → unaffected
status-firefox56:
--- → unaffected
status-firefox57:
--- → affected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(bzbarsky)
Keywords: regression
Whiteboard: [clouseau]
|
|
||
Updated•6 years ago
|
Component: General → DOM
Product: Firefox → Core
Target Milestone: --- → mozilla57
Version: unspecified → 57 Branch
|
||
Updated•6 years ago
|
tracking-firefox57:
--- → +
|
||
Comment 4•6 years ago
|
||
(In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment #1) > For some reasons it only happens on my MBP ... how do I debug further? You are not alone.. I hit this crash quite often in these two days.
|
Assignee | |
Comment 5•6 years ago
|
||
The testcase is:
<style>
html { display: table; }
body { overflow: scroll; }
</style>
<script>
onload = function() {
document.body.style.display = 'inline';
}
</script>
What happens is that we go to reframe the <body>. That calls ContentRemoved on the body, which calls MaybeRecreateContainerForFrameRemoval. That detects that the body has a table pseudo parent and goes to recreate the <html>. That computes the "new" scrollbar override element, which is just the <body> (because it's not gone from the DOM or anything). Since the thing being removed is not the <body> itself, we RecreateFramesForContent(newOverrideElement) and now we're doing infinite recursion and eventually we run out of stack.
Fix coming up. This is definitely a regression from bug 1400599.Flags: needinfo?(bzbarsky)
|
|
Assignee | |
Comment 6•6 years ago
|
||
MozReview-Commit-ID: EJiO8Nq5Frb
Attachment #8911385 -
Flags: review?(dholbert)
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 7•6 years ago
|
||
Calixte, thanks for pinning down the problem!
|
|
Assignee | |
Comment 8•6 years ago
|
||
Comment on attachment 8911385 [details] [diff] [review] Make sure to not end up with infinite recursion when reframing a <body> that has a table pseudo parent coming from the root <html> Approval Request Comment [Feature/Bug causing the regression]: Bug 1400599 [User impact if declined]: Crashes on trying to present Google slides. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Locally, yes... [Needs manual test from QE? If yes, steps to reproduce]: Probably not, but the steps are in comment 0 anyway. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: I think at this point we've caught all the edge cases in this stuff... [String changes made/needed]: None.
Attachment #8911385 -
Flags: approval-mozilla-beta?
|
||
Comment 9•6 years ago
|
||
Comment on attachment 8911385 [details] [diff] [review] Make sure to not end up with infinite recursion when reframing a <body> that has a table pseudo parent coming from the root <html> Review of attachment 8911385 [details] [diff] [review]: ----------------------------------------------------------------- r=me
Attachment #8911385 -
Flags: review?(dholbert) → review+
|
||
Comment 10•6 years ago
|
||
Pushed by bzbarsky@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d26a0adf4c2e Make sure to not end up with infinite recursion when reframing a <body> that has a table pseudo parent coming from the root <html>. r=dholbert
|
|
||
Comment 11•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d26a0adf4c2e
|
||
Comment 12•6 years ago
|
||
Comment on attachment 8911385 [details] [diff] [review] Make sure to not end up with infinite recursion when reframing a <body> that has a table pseudo parent coming from the root <html> Fix a crash, taking it. Should be in 57b3
Attachment #8911385 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 13•6 years ago
|
||
| bugherderuplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/ca9795c9066e
Flags: in-testsuite+
|
||
Updated•4 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•