Closed Bug 466845 Opened 16 years ago Closed 16 years ago

Crash [@ nsViewManager::CreateView] with ::first-line position: absolute and -moz-transform

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

Details

(Keywords: crash, testcase, verified1.9.1)

Crash Data

Attachments

(3 files)

testcase
461 bytes, text/html
Details
gdb backtrace at crash, on Linux
8.11 KB, text/plain
Details
patch
2.86 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which usually crashes after a few reloads in current trunk build.

http://crash-stats.mozilla.com/report/index/6543a859-bb51-4997-9f8e-8f5412081126?p=1
0  	kernel32.dll  	RaiseException  	
1 	mozcrt19.dll 	_CxxThrowException 	throw.cpp:159
2 	mozcrt19.dll 	operator new 	obj-firefox/memory/jemalloc/src/new.cpp:57
3 	xul.dll 	nsViewManager::CreateView 	view/src/nsViewManager.cpp:289
4 	xul.dll 	nsHTMLContainerFrame::CreateViewForFrame 	layout/generic/nsHTMLContainerFrame.cpp:698
5 	xul.dll 	nsCSSFrameConstructor::CreateContinuingFrame 	layout/base/nsCSSFrameConstructor.cpp:10480
6 	xul.dll 	nsHTMLContainerFrame::CreateNextInFlow 	layout/generic/nsHTMLContainerFrame.cpp:495
7 	xul.dll 	nsBlockFrame::CreateContinuationFor 	layout/generic/nsBlockFrame.cpp:3753
8 	xul.dll 	xul.dll@0x2f7acb 	
9 	xul.dll 	nsBlockFrame::DoReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3409
10 	xul.dll 	nsBlockFrame::ReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3258
11 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2324
12 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1904
13 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:954
14 	xul.dll 	nsAbsoluteContainingBlock::ReflowAbsoluteFrame 	layout/generic/nsAbsoluteContainingBlock.cpp:436
15 	xul.dll 	xul.dll@0x2f74a5 	
16 	xul.dll 	xul.dll@0x2fb545 	
17 	xul.dll 	nsAbsoluteContainingBlock::ReflowAbsoluteFrame 	layout/generic/nsAbsoluteContainingBlock.cpp:436
18 	xul.dll 	xul.dll@0x2f74a5 	
19 	xul.dll 	xul.dll@0x2f90f2 	
20 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:793
21 	xul.dll 	nsHTMLScrollFrame::ReflowScrolledFrame 	layout/generic/nsGfxScrollFrame.cpp:528
22 	xul.dll 	nsHTMLScrollFrame::ReflowContents 	layout/generic/nsGfxScrollFrame.cpp:622
23 	xul.dll 	nsHTMLScrollFrame::Reflow 	layout/generic/nsGfxScrollFrame.cpp:823
24 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:793
25 	xul.dll 	ViewportFrame::Reflow 	layout/generic/nsViewportFrame.cpp:283
26 	xul.dll 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:6331
27 	xul.dll 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:6437
28 	xul.dll 	PresShell::DoFlushPendingNotifications 	layout/base/nsPresShell.cpp:4573
29 	xul.dll 	PresShell::ReflowEvent::Run 	layout/base/nsPresShell.cpp:6194
30 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
31 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
32 	nspr4.dll 	PR_GetEnv 	
33 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
34 	firefox.exe 	firefox.exe@0x2197 	
35 	kernel32.dll 	BaseProcessStart
Flags: blocking1.9.1?
Testcase crashes on Linux, too. (on first load, after a few seconds)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081125 Minefield/3.1b2pre
OS: Windows XP → All
Hardware: PC → All
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
In nsCSSFrameConstructor, we probably should probably not be making *pseudo*-elements with -moz-transform be absolute containing blocks (which requires changing both when we call PushAbsoluteContainingBlock and the logic in GetAbsoluteContainingBlock).  Perhaps we shouldn't be letting them have transforms at all.  (We need to audit all the HasTransform calls in nsCSSFrameConstructor.cpp, including those added in bug 467460.)

I think there's also a followup bug somewhere about making -moz-transform not apply to things that aren't block/inline (which we only need to do because of the absolute containing behavior).  Or something like that...
I'm pushing this up to P1 because the correct fix for it may require substantive changes to what elements we support -moz-transform on, or how we do it.
Priority: P2 → P1
I'm A-OK with not letting pseudo-elements be transformed.
Assignee: nobody → dbaron
Attached patch patchSplinter Review 
This blocks the transform properties from first-letter and first-line pseudos.

The crashtest isn't great, since it only crashes some of the time, but it's better than nothing.
Attachment #352642 - Flags: superreview?(bzbarsky)
Attachment #352642 - Flags: review?(bzbarsky)
Attachment #352642 - Flags: superreview?(bzbarsky)
Attachment #352642 - Flags: superreview+
Attachment #352642 - Flags: review?(bzbarsky)
Attachment #352642 - Flags: review+
Fixed on mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/6a542abb36a8
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs 1.9.1 landing]
Target Milestone: --- → mozilla1.9.2a1
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081214 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Fixed on 1.9.1:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/83aa6b8f231d
Keywords: fixed1.9.1
Whiteboard: [needs 1.9.1 landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Flags: in-testsuite+
verified on Shiretoko: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090422 Shiretoko/3.5b4pre ID:20090422042031
Keywords: fixed1.9.1verified1.9.1
Crash Signature: [@ nsViewManager::CreateView]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: