Closed Bug 1679682 Opened 4 years ago Closed 4 years ago

Firefox Crashes When the File Input `Browse...` Button Is Hidden and There's an Overflow

Categories

(Core :: Layout: Form Controls, defect, P3)

Product:
Core
Component:
Layout: Form Controls
Version:
Firefox 85
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
85 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- disabled
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- fixed

People

(Reporter: artemx100, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, reproducible, testcase)

Crash Data

Attachments

(3 files)

upload.html
92 bytes, text/html
Details
Bug 1679682 - Deal with the ::file-selector-button pseudo having no frame.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1679682 part 2 - Add a crashtest.
47 bytes, text/x-phabricator-request
Details | Review
Attached file upload.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

  1. Create a file input element with a fixed width
  2. Hide the Browse... button with ::file-selector-button{display: none;}
  3. Select a file with a long enough name to cause some overflow

Actual results:

The browser crashes

Expected results:

The browser should not crash

I can reproduce the crash on Nightly85.0a1 Windows10.

Crash report: https://crash-stats.mozilla.org/report/index/79be5f99-ccf4-4e58-a8e6-1d5eb0201129

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsFileControlFrame::Reflow layout/forms/nsFileControlFrame.cpp:171
1 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:875
2 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:4325
3 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1376
4 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3846
5 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1376
6 xul.dll nsContainerFrame::ReflowChild layout/generic/nsContainerFrame.cpp:1082
7 xul.dll nsCanvasFrame::Reflow layout/generic/nsCanvasFrame.cpp:789
8 xul.dll nsHTMLScrollFrame::ReflowScrolledFrame layout/generic/nsGfxScrollFrame.cpp:757
9 xul.dll nsHTMLScrollFrame::Reflow layout/generic/nsGfxScrollFrame.cpp:1279
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsFileControlFrame::Reflow]
Has STR: --- → yes
Ever confirmed: true
Keywords: crash, reproducible
Blocks: 1662478
status-firefox83: --- → affected
status-firefox84: --- → affected
status-firefox85: --- → affected
status-firefox-esr78: --- → disabled
Component: General → CSS Parsing and Computation
Assignee: nobody → mats
Status: NEW → ASSIGNED
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9fe7eb376ecd Deal with the ::file-selector-button pseudo having no frame. r=emilio

By the way, you can also make it instantly crash as soon as you open it by adjusting the input width to 1px (or anything small enough) so that the default text is enough to overflow it. It might be useful for automated tests.

Ah, that's a good point... I'll add that as a crashtest, thanks!

Severity: -- → S3
Component: CSS Parsing and Computation → Layout: Form Controls
Keywords: testcase
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All

https://hg.mozilla.org/mozilla-central/rev/9fe7eb376ecd

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox85: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/26671 for changes under testing/web-platform/tests
Flags: in-testsuite+
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:mats, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(mats)
status-firefox84: affectedwontfix
Flags: needinfo?(mats)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: