Closed Bug 1679682 Opened 3 months ago Closed 3 months ago

Firefox Crashes When the File Input `Browse...` Button Is Hidden and There's an Overflow

Categories

(Core :: Layout: Form Controls, defect, P3)

Firefox 85
defect

Tracking

RESOLVED FIXED
85 Branch
Tracking Status
firefox-esr78 --- disabled
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- fixed

People

(Reporter: artemx100, Assigned: mats)

Details

(Keywords: crash, reproducible, testcase)

Attachments

(3 files)

Attached file upload.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

  1. Create a file input element with a fixed width
  2. Hide the `Browse...` button with `::file-selector-button{display: none;}`
  3. Select a file with a long enough name to cause some overflow

Actual results:

The browser crashes

Expected results:

The browser should not crash

I can reproduce the crash on Nightly 85.0a1 Windows 10.

Crash report: https://crash-stats.mozilla.org/report/index/79be5f99-ccf4-4e58-a8e6-1d5eb0201129

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsFileControlFrame::Reflow layout/forms/nsFileControlFrame.cpp:171
1 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:875
2 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:4325
3 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1376
4 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3846
5 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1376
6 xul.dll nsContainerFrame::ReflowChild layout/generic/nsContainerFrame.cpp:1082
7 xul.dll nsCanvasFrame::Reflow layout/generic/nsCanvasFrame.cpp:789
8 xul.dll nsHTMLScrollFrame::ReflowScrolledFrame layout/generic/nsGfxScrollFrame.cpp:757
9 xul.dll nsHTMLScrollFrame::Reflow layout/generic/nsGfxScrollFrame.cpp:1279

Status: UNCONFIRMED → NEW
Crash Signature: [@ nsFileControlFrame::Reflow]
Has STR: --- → yes
Ever confirmed: true
Keywords: crash, reproducible
Blocks: 1662478
Component: General → CSS Parsing and Computation
Assignee: nobody → mats
Status: NEW → ASSIGNED
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9fe7eb376ecd
Deal with the ::file-selector-button pseudo having no frame. r=emilio

By the way, you can also make it instantly crash as soon as you open it by adjusting the input width to 1px (or anything small enough) so that the default text is enough to overflow it. It might be useful for automated tests.

Ah, that's a good point... I'll add that as a crashtest, thanks!

Severity: -- → S3
Component: CSS Parsing and Computation → Layout: Form Controls
Keywords: testcase
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2bec807450ad
part 2 - Add a crashtest. r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/26671 for changes under testing/web-platform/tests
Flags: in-testsuite+
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:mats, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(mats)