Created attachment 263822 [details]
Loading the testcase in a Mac trunk debug build causes:
Thread 0 Crashed:
0 <<00000000>> 0x10711001 0 + 275845121
1 libgklayout.dylib 0x19724602 PresShell::GetPrimaryFrameFor(nsIContent*) const + 42 (nsPresShell.cpp:4705)
2 libgklayout.dylib 0x196e39af nsCSSFrameConstructor::CharacterDataChanged(nsIContent*, int) + 301 (nsCSSFrameConstructor.cpp:9852)
3 libgklayout.dylib 0x19729455 PresShell::CharacterDataChanged(nsIDocument*, nsIContent*, CharacterDataChangeInfo*) + 233 (nsPresShell.cpp:4478)
4 libgklayout.dylib 0x19a88fca nsBindingManager::CharacterDataChanged(nsIDocument*, nsIContent*, CharacterDataChangeInfo*) + 88 (nsBindingManager.cpp:1160)
5 libgklayout.dylib 0x19945fa0 nsNodeUtils::CharacterDataChanged(nsIContent*, CharacterDataChangeInfo*) + 166 (nsNodeUtils.cpp:88)
6 libgklayout.dylib 0x1992bb95 nsGenericDOMDataNode::SetTextInternal(unsigned, unsigned, unsigned short const*, unsigned, int) + 1003 (nsGenericDOMDataNode.cpp:485)
7 libgklayout.dylib 0x1992c002 nsGenericDOMDataNode::SetData(nsAString_internal const&) + 84 (nsGenericDOMDataNode.cpp:323)
8 libgklayout.dylib 0x19dc8bd0 nsTextNode::SetData(nsAString_internal const&) + 24 (nsTextNode.cpp:69)
9 libgklayout.dylib 0x19700ad6 nsCounterList::RecalcAll() + 200 (nsCounterManager.cpp:186)
10 libgklayout.dylib 0x19700b33 RecalcDirtyLists(nsAString_internal const&, nsCounterList*, void*) + 37 (nsCounterManager.cpp:274)
11 libgklayout.dylib 0x19d54ea5 nsBaseHashtable<nsStringHashKey, nsAutoPtr<nsCounterList>, nsCounterList*>::s_EnumReadStub(PLDHashTable*, PLDHashEntryHdr*, unsigned, void*) + 81 (nsBaseHashtable.h:327)
12 libxpcom_core.dylib 0x012f5764 PL_DHashTableEnumerate + 191 (pldhash.c:724)
13 libgklayout.dylib 0x19d54b60 nsBaseHashtable<nsStringHashKey, nsAutoPtr<nsCounterList>, nsCounterList*>::EnumerateRead(PLDHashOperator (*)(nsAString_internal const&, nsCounterList*, void*), void*) const + 128 (nsBaseHashtable.h:188)
14 libgklayout.dylib 0x19700bf3 nsCounterManager::RecalcAll() + 41 (nsCounterManager.cpp:281)
15 libgklayout.dylib 0x196d66dc nsCSSFrameConstructor::RecalcQuotesAndCounters() + 80 (nsCSSFrameConstructor.cpp:10200)
16 libgklayout.dylib 0x196d6784 nsCSSFrameConstructor::EndUpdate() + 36 (nsCSSFrameConstructor.cpp:10181)
17 libgklayout.dylib 0x196ecfd2 nsCSSFrameConstructor::ProcessPendingRestyles() + 536 (nsCSSFrameConstructor.cpp:12973)
18 libgklayout.dylib 0x196ed0bc nsCSSFrameConstructor::RestyleEvent::Run() + 200 (nsCSSFrameConstructor.cpp:13032)
19 libxpcom_core.dylib 0x013557ea nsThread::ProcessNextEvent(int, int*) + 508 (nsThread.cpp:483)
So the frame for the <span> ends up as a child of the first-letter frame in this case...
Created attachment 263946 [details]
Testcase that shows rendering bug here
Created attachment 263947 [details]
Reference rendering for that testcase
Created attachment 263952 [details] [diff] [review]
The real issue is that we don't remove first-letter on restyles, really... but this fixes the problem by making sure to remove it on ContentInserted if it's around (though we readd it too, unfortunately).
I wonder whether this is a problem on branches... I bet it is.
Is there a bug filed on the "real issue" that comment 4 alludes to?
Though I suppose removing it in a performant way is easier than adding it... maybe.
Comment on attachment 263952 [details] [diff] [review]
I don't like the function names here, though. The two versions of HaveFirstLetterStyle are quite different. Perhaps you should rename:
HaveFirstLetterStyle(,) -> ShouldHaveFirstLetterStyle
HaveFirstLineStyle -> ShouldHaveFirstLineStyle
HaveSpecialBlockStyle -> ShouldHaveSpecialBlockStyle
HaveFirstLetterStyle() -> HasFirstLetterStyle
as a followup patch, if you agree. (No need to ask for further review.)
It would be nice to fix the underlying problem, though.
Fixed on trunk. Doesn't seem to be a problem on branches, so probably an effect of bug 372550.
Not adding tests yet, because those would give away the bug, I guess. :(
Created attachment 264029 [details] [diff] [review]
Renames as suggested
Good idea on this. Checked this in too.
bz: having trouble reconciling your branch-blocking requests with your comment 10 saying this isn't a problem on branches, which seem to be made at the same time. Do we want/need this on branches or not?
This bug is a regression from the fix for bug 362901 (see comments in bug 372550). The blocking flags were set to mirror those on bug 362901. This business of not adding deps to hidden bugs really sucks. :( Do we have any better way to track things?
Why are we not adding dependencies on hidden bugs? I can think of no better way to track things.
I was told at some point to not have dependencies between hidden and not-hidden bugs... Presumably because if a non-hidden bug blocks a hidden one people realize that it's a security-related fix?
In any case, if you're ok with me doing it I'd love to add said deps.
If something is a regression from a security fix then the security fix has already been checked in--that's got to be more revealing than a dependent bug. Please definitely do mark regressions as blocking "fixed" security bugs so we don't miss them when we're planning branch landings.
In other cases if merely hinting that there might be a security bug that will fix or be fixed by the public bug is enough to point someone at the problem then the public bug should possibly not be public. If this is the case and you really don't want to privatize the public bug then maybe don't mark dependencies, but in most cases it should be fine.
In cases where you withhold explicit dependencies please mention them in the status whiteboard of the hidden bug(s) so we can easily find them during triage and remember to mark them when the security bugs are eventually publicized.
Sounds like a plan. I updated the dependencies...
Fixed for 126.96.36.199 by checkin for bug 362901.
verified fixed 188.8.131.52 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:184.108.40.206pre) Gecko/2007083005 BonEcho/220.127.116.11pre - no crash on the 2 testcases from this bug - adding verified keyword
I checked in my testcase as a crashtest and bz's reftest pair as a reftest pair.