Closed Bug 404118 Opened 17 years ago Closed 17 years ago

Crash [@ nsPropertyTable::PropertyList::Equals] with <input type=file>, position: fixed

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: kinetik)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded or closed)
120 bytes, text/html
Details 
The testcase makes Firefox (Mac trunk debug) crash 
[@ nsPropertyTable::PropertyList::Equals] dereferencing 0xddddde09.

Sometimes the crash is when loading the page, and sometimes the crash is when closing the page.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Before the crash, I see:

###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 6165


See also bug 399994.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
OS: Mac OS X → All
With the testcase attached, the button child frame of the file control ends up on the overflow list when we perform the second nsAreaFrame::Reflow in nsFileControlFrame::Reflow.  This causes a reflow status of NS_FRAME_NOT_COMPLETE|NS_FRAME_REFLOW_NEXTINFLOW to propagate up to PresShell::DoReflow, where the assertion fires.  The second reflow is being performed to deal with sizing the text frame in the case where the file control has been styled with a size.

The button only ends up on the overflow list with the style white-space:normal in the test case--without this, the default white-space style for the form control is nowrap (set in layout/style/forms.css).

The patch proposed in bug #363696 avoids this crash by removing the second nsAreaFrame::Reflow call from nsFielControlFrame::Reflow, meaning the button never ends up on the overflow list.
Status: NEW → ASSIGNED
Flags: blocking1.9+ → blocking1.9?
OS: All → Mac OS X
Priority: P2 → --
Be careful about clearing other flags when you commit changes to a bug page.  (Unless you intended to make those changes -- it didn't sound like it from your comment, so I'm assuming it was accidental)

I am:
 --> Resetting priority to P2
 --> Clearing 'assigned' flag (bug is currently 'assigned' to nobody@mozilla.org.  You can reassign it to your own email address if you want to take the bug)

Can someone more powerful than I set the blocking1.9+ flag again?  (was cleared from blocking1.9+ to blocking1.9?)
Status: ASSIGNED → NEW
Priority: -- → P2
Also:
 --> restoring OS to 'All'.
OS: Mac OS X → All
Flags: blocking1.9? → blocking1.9+
Except for assigning it to myself, touching the other flags was very much
accidental.  Sorry about that--I'll be more careful in future.

Setting assignee back to myself.
Status: NEW → ASSIGNED
Trying to set assignee to myself again.
Assignee: nobody → kinetik
Status: ASSIGNED → NEW
The testcase no longer crashes for me.  I guess Matthew's patch in bug 363696 fixed it.

Matthew, were there other issues here?  I can't tell from comment 3, probably because I don't know layout code at all ;)
Status: NEW → RESOLVED
Closed: 17 years ago
Depends on: 363696
Resolution: --- → FIXED
Flags: in-testsuite?
The patch from bug 363696 fixes the problem by changing the behaviour such that the button frame doesn't end up on the overflow list after reflow.  If there are other ways to get into the same state that we used to with this testcase, we can still crash.

I'm not sure if these other ways exist yet.  I've been looking at this off and on trying to work it out, but haven't made much useful progress yet.
Sorry I should have looked closer at this before.

The code that we removed in bug 363696 had this:

-        nsSize txtAvailSize(aReflowState.availableWidth, aDesiredSize.height);
-        nsHTMLReflowState   txtKidReflowState(aPresContext,
-                                              *aReflowState.parentReflowState,
-                                              this, txtAvailSize);

In particular it was setting available height to aDesiredSize.height. That was really bogus, the available height should only be set in column or paginated situations where we can break vertically and move content to a new column or page. Setting a height constraint here was leading to the button being placed on the overflow list. Now that this bogus code has been removed, that can't happen anymore and this bug can't happen.
verified fixed using the testcase and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020601 Firefox/3.0b4pre - no crash on testcase

-> Verified fixed
Status: RESOLVED → VERIFIED
No crash (or even assertions) on the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in on trunk.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsPropertyTable::PropertyList::Equals]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: