Closed Bug 310919 Opened 19 years ago Closed 19 years ago

CSS in userContent.css crashes on XML (rss v2.0) display

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: englabenny, Assigned: bzbarsky)

References

(
URL
)

Details

(4 keywords)

Attachments

(1 file, 1 obsolete file)

Updated to dbaron's comments
4.40 KB, patch
dbaron
: review+
neil
: superreview+
asa
: approval1.8rc1-
dveditz
: approval1.8.0.1+
dveditz
: approval1.8.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051001 Camino/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051001 Camino/1.0+

I found a reproducable bug that Quits Firefox (1.5b1) and Camino (trunk-Oct 1)
when displaying an XML document (RSS)

Reproducible: Always

Steps to Reproduce:
1. Put the following line in your userContent.css: 
rss * { display: block;}
2. Load the url above ( http://joi.ito.com/index.xml )


Actual Results:  
When the page is downloaded, just before display, the browser Quits and leaves
no trace (no console messages, no crashreporter, no Talkback (not even on
restartup))

Expected Results:  
The XML should be rendered with the css rule applied. Or at least the crash
should be detectable.
Since this crasher existed in 1.5b1, it's also on the branch. Marking as such
for more visible finding.

Also, changing severity to critical and adding crash keyword.
Severity: normal → critical
Keywords: crash
Version: Trunk → 1.8 Branch
Confirming with 2005092804 branch build of Camino.

TB10111047W
Status: UNCONFIRMED → NEW
Ever confirmed: true
First thread of crash stack below.

Thread 0 Crashed:
0   org.mozilla.camino       	0x0038fc0c nsFrame::BoxReflow(nsBoxLayoutState&,
nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&, int,
int, int, int, int) + 612
1   org.mozilla.camino       	0x0038f7e4 nsFrame::DoLayout(nsBoxLayoutState&) + 224
2   org.mozilla.camino       	0x00431e08 nsIFrame::Layout(nsBoxLayoutState&) + 52
3   org.mozilla.camino       	0x004daca8
nsBoxFrame::LayoutChildAt(nsBoxLayoutState&, nsIFrame*, nsRect const&) + 176
4   org.mozilla.camino       	0x0053f104
nsGfxScrollFrameInner::LayoutScrollbars(nsBoxLayoutState&, nsRect const&, nsRect
const&, nsRect const&) + 1072
5   org.mozilla.camino       	0x0053bde8
nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) + 1548
6   org.mozilla.camino       	0x00458e2c
nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, int, int, unsigned, unsigned&) + 148
7   org.mozilla.camino       	0x00536450 ViewportFrame::Reflow(nsPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 280
8   org.mozilla.camino       	0x002fae54 PresShell::InitialReflow(int, int) + 516
9   org.mozilla.camino       	0x004c4ad4 nsContentSink::StartLayout(int) + 208
10  org.mozilla.camino       	0x0047565c nsXMLContentSink::StartLayout() + 144
11  org.mozilla.camino       	0x00474248 nsXMLContentSink::DidBuildModel() + 456
12  org.mozilla.camino       	0x001c3c2c nsExpatDriver::DidBuildModel(unsigned,
int, nsIParser*, nsIContentSink*) + 56
13  org.mozilla.camino       	0x001a9618 nsParser::DidBuildModel(unsigned) + 120
14  org.mozilla.camino       	0x001aa8b0 nsParser::ResumeParse(int, int, int) + 592
15  org.mozilla.camino       	0x001abb00 nsParser::OnStopRequest(nsIRequest*,
nsISupports*, unsigned) + 192
16  org.mozilla.camino       	0x0020f420
nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 124
17  org.mozilla.camino       	0x000f0898
nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 680
18  org.mozilla.camino       	0x000cc8c0 nsInputStreamPump::OnStateStop() + 160
19  org.mozilla.camino       	0x000cc448
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 128
20  libxpcom_core.dylib      	0x00e87194
nsAStreamCopier::PostContinuationEvent_Locked() + 1240
21  libxpcom_core.dylib      	0x00e4aa20 PL_HandleEvent + 36
22  libxpcom_core.dylib      	0x00e4a944 PL_ProcessPendingEvents + 128
23  com.apple.CoreFoundation 	0x9074bc8c __CFRunLoopDoSources0 + 384
24  com.apple.CoreFoundation 	0x9074b1bc __CFRunLoopRun + 452
25  com.apple.CoreFoundation 	0x9074ac3c CFRunLoopRunSpecific + 268
26  com.apple.HIToolbox      	0x93129ac0 RunCurrentEventLoopInMode + 264
27  com.apple.HIToolbox      	0x931290cc ReceiveNextEventCommon + 244
28  com.apple.HIToolbox      	0x93128fc0 BlockUntilNextEventMatchingListInMode + 96
29  com.apple.AppKit         	0x93631e44 _DPSNextEvent + 384
30  com.apple.AppKit         	0x93631b08 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
31  com.apple.AppKit         	0x9362e06c -[NSApplication run] + 472
32  com.apple.AppKit         	0x9371e8bc NSApplicationMain + 452
33  org.mozilla.camino       	0x0000aa54 start + 432
34  org.mozilla.camino       	0x0000a8d4 start + 48
OS: MacOS X → All
Hardware: Macintosh → All
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051002
Firefox/1.4.1 ID:2005100221

TB10111082K
TB10111002G

Crashes on trunk and branch.
Regression since Gecko 1.7, does not occur in Firefox 1.0.7 - this should be on
someone's radar.
Flags: blocking1.8b5?
Keywords: regression
Version: 1.8 Branch → Trunk
Assignee: dbaron → nobody
Component: Style System (CSS) → Layout: Misc Code
QA Contact: ian → layout.misc-code
This doesn't look like a branch topcrasher. It's number 509 in firefox 1.5b1 and
there's only one nightly incident from the branch. There does seem to be a fair
number of recent _trunk_ nightly crashers here.

Jay, can you dig into this a bit more? If it does look like a branch topcrasher,
please re-nominate (also, note that talkback is about 20K incidents behind so
that might be masking some branch incidents.)
Keywords: qawanted
Attached patch Fix (obsolete) β€” β€” Splinter Review 
The problem is that this is styling the scrollcorner to be a block, which
crashes when we try to call XUL layout methods on it in nsGfxScrollFrame. 
Scrollbars are not a problem because they create a special frame anyway,
instead of constructing by display.

I _think_ this is the safest patch I can do here, but it does prevent
style="display: none" from working on scrollcorners.  If that's not acceptable,
I'd have to change nsCSSFrameConstructor to always construct a box here based
on tagname...
Attachment #198336 - Flags: superreview?(dbaron)
Attachment #198336 - Flags: review?(neil.parkwaycc.co.uk)
boris, dbaron, neil, I'm not seeing this high on the branch crash list. Do you
guys think the branch code is equally effected and if so, and this needs to land
on the branch, what's the risk associated with this patch?
The branch code is affected, yes.  This will only bite users who either change
their user stylesheet in a silly way or install an extension that does it for
them (which is easy for extensions now with nsIStyleSheetService).

The risk associated with the patch is pretty minimal, in my opinion...
Seems like this will still crash if the scrollcorner has hidden="true", since
the page will override the 'display:none'.
(Which could be fixed by removing the :not() and adding a separate hidden="true"
rule following.)


And I agree this patch is low risk.
That said, the real problem here is bug 286895.

(Are scrollcorners hidden="true" when both scrollbars are hidden?  If so, then
that's a case we probably need to worry about if we actually want to fix this.)
Yeah, I could do a separate hidden="true" rule.

Not sure what you mean by the second part of comment 12, David.
Just trying to figure out when a scrollcorner has hidden="true".
Ah.  I don't really know whether it ever would, really; I was acting on the
assumption that it might sometimes and that we shouldn't break those cases.  So
I agree we should do a separate scrollcorner[hidden="true"] rule here.
sr=dbaron with the change in comment 11

  

  



        Attachment #198336 -
        Attachment is obsolete: true

    
  

        Attachment #198336 -
        Flags: superreview?(dbaron)

        Attachment #198336 -
        Flags: review?(neil.parkwaycc.co.uk)

    
  

        Attachment #198517 -
        Flags: superreview+

    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

This has r=dbaron, sr=neil.  It's a pretty safe crash fix.

If it's too late for 1.8b5, I'd say just take this for rc1 instead...

  

  



        Attachment #198517 -
        Flags: approval1.8b5?

    
  
Assignee: nobody → bzbarsky
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta5

    
    

    
  
Fixed on trunk.

  

  


Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
we'll try to get this early in RC1.

  

  


Flags: blocking1.8rc1+
Flags: blocking1.8b5?
Flags: blocking1.8b5-

    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

moving request to 1.8rc1 since 1.8b5 has shipped.

  

  



        Attachment #198517 -
        Flags: approval1.8b5? → approval1.8rc1?

    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

We'll watch talkback and if this shows up as more of a problem, we'll
reconsider. Too late for taking _any_ risk for non-topcrashers at this poing.

  

  



        Attachment #198517 -
        Flags: approval1.8rc1? → approval1.8rc1-

    
  
Flags: blocking1.8rc1+ → blocking1.8rc1-

    
  
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1? → blocking1.8.0.1-

    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

This has been on the trunk for three months now and is considered low risk. While it's not a topcrasher, if there are any extensions that wish to change the style sheet in a weird way, they'll run into this.

Is there a good reason for *not* taking this on the branch?

Requesting approval for 1.8.0.1 and 1.8.0.2. If it's too late for 1.8.0.1 at least we can get it in the next security/stability release.

  

  



        Attachment #198517 -
        Flags: approval1.8.0.2?

        Attachment #198517 -
        Flags: approval1.8.0.1?

    
    

    
  
If this goes into 1.8.0.x, it should probably go into 1.8.x as well.

  

  



    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

Yes, forgot to request approval for 1.8.1.

  

  



        Attachment #198517 -
        Flags: approval1.8.1?

    
    

    
  
Comment on attachment 198517 [details] [diff] [review]
Updated to dbaron's comments

a=dveditz for drivers

  

  



        Attachment #198517 -
        Flags: approval1.8.1?

        Attachment #198517 -
        Flags: approval1.8.1+

        Attachment #198517 -
        Flags: approval1.8.0.2?

        Attachment #198517 -
        Flags: approval1.8.0.1?

        Attachment #198517 -
        Flags: approval1.8.0.1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1-
Flags: blocking1.8.0.1+

    
    

    
  
Fixed on both branches.

  

  


Keywords: fixed1.8.0.1, 
          
            fixed1.8.1

    
    

    
  
verified fixed on the branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. I followed the steps reproduce and do not see any crash, and the XML renders fine. 

  

  


Keywords: fixed1.8.0.1verified1.8.0.1

    
    

    
  
verified with 2.0b2 builds from 20060821

  

  


Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1

    
  
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: