Closed Bug 504311 Opened 15 years ago Closed 15 years ago

Assignment of '-1' to 'wrapWidth' crashes the browser [@ nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]

Categories

(Core :: Layout: Form Controls, defect, P2)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: antonglv, Assigned: roc)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos][ss:b2])

Crash Data

Attachments

(3 files)

It's a file that contains the same code as in the bug description.
726 bytes, application/xml
Details
fix
2.58 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
better test
2.14 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090703 Minefield/3.6a1pre

Assignment of '-1' to 'wrapWidth' property of nsIPlainTextEditor component crashes the browser.

It was documented on xulplanet.com that assignment of '-1' to wrapWidth disables word wrapping. Exactly quotation is:

> PRInt32 wrapWidth
> Get and set the body wrap width.
> Special values: 0 = wrap to window width -1 = no wrap at all

Well, it worked on FF 1.5 / 2 / 3.0 / 3.5. But on FF 3.6a1pre the assignment, once it had been made, causes that the browser has crashed.



Reproducible: Always

Steps to Reproduce:
1. Make an .xul file and put next code in it:
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>

<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

	<script type="text/javascript">
		<![CDATA[
			function f ()
			{
				var tb = document. getElementById ("tb01");
				var inputField = tb. inputField;
				var editor = inputField. QueryInterface (Components. interfaces. nsIDOMNSEditableElement). editor;
				editor = editor. QueryInterface (Components. interfaces. nsIEditor);
				editor = editor. QueryInterface (Components. interfaces. nsIPlaintextEditor);
				editor. wrapWidth = -1;
			}
		]]>
	</script>
	
	<textbox id="tb01" multiline="true"/>
	<button onclick="f()"/>

</window>

2. Open the .xul with the chrome priveleges
3. Click button
Actual Results:  
Firefox crashes

Expected Results:  
Nothing should happen (no changes in UI)
http://crash-stats.mozilla.com/report/index/e583e6df-c377-4d4e-95fb-544012090715?p=1

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsTextControlFrame::CalcIntrinsicSize 	layout/forms/nsTextControlFrame.cpp:1320
1 	xul.dll 	nsTextControlFrame::GetPrefSize 	layout/forms/nsTextControlFrame.cpp:1770
2 	xul.dll 	nsSprocketLayout::GetPrefSize 	layout/xul/base/src/nsSprocketLayout.cpp:1337
3 	xul.dll 	nsBoxFrame::GetPrefSize 	layout/xul/base/src/nsBoxFrame.cpp:819
4 		@0x4e1cf7f
Status: UNCONFIRMED → NEW
Component: General → XUL
Ever confirmed: true
Keywords: crash, crashreportid
Product: Firefox → Core
QA Contact: general → xptoolkit.widgets
Summary: Assignment of '-1' to 'wrapWidth' crashes the browser → Assignment of '-1' to 'wrapWidth' crashes the browser [@ nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]
Version: unspecified → Trunk
14159:3d8dbcce108f (previous:14068) <roc+@cs.cmu.edu> 2008-04-09 21:39 -0700
Bug 425253. Propagate reflow-depth tracking through XUL box layout. r+sr=dbaron,a=damon

1319 nsMargin scrollbarSizes = 
1320 scrollableFrame->GetDesiredScrollbarSizes(PresContext(), aRenderingContext);
Assignee: nobody → roc
Component: XUL → Layout: Form Controls
Keywords: crashreportid
QA Contact: xptoolkit.widgets → layout.form-controls
Whiteboard: [ss:b2]
The setting of wrapWidth causes a style change to the anonymous content which reframes it (because we have to reframe on white-space changes now). The ContentRemoved destroys the anonymous child frames, but they're not recreated, so we crash here.

I can actually fix this quite easily by only reframing when we transition between { pre, pre-wrap } and { pre-line, normal, nowrap }.
Attached patch fixSplinter Review 

        Attachment #388855 -
        Flags: review?(bzbarsky)

        Attachment #388855 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
Comment on attachment 388855 [details] [diff] [review]
fix

Yeah, indeed.
Whiteboard: [ss:b2] → [sg:dos][ss:b2]
Whiteboard: [sg:dos][ss:b2] → [sg:dos][ss:b2][needs landing]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/8506b25206cf
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [sg:dos][ss:b2][needs landing] → [sg:dos][ss:b2]

    
    

    
  
Had to back this out as it was throwing up a prompt to enable privileges causing hangs on tinderbox.
http://hg.mozilla.org/mozilla-central/rev/6fa97a14dde1
http://hg.mozilla.org/mozilla-central/rev/48336ba0cea5
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2

    
    

    
  

      
      
      
      

        Attached patch
          
          
        better testSplinter Review
      

    


  
Rewrote the test as a chrometest. I'll check this in.
Whiteboard: [sg:dos][ss:b2] → [sg:dos][ss:b2][needs landing]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/c2ef8a0ce8ae
http://hg.mozilla.org/mozilla-central/rev/b8e7ba664fc9
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dos][ss:b2][needs landing] → [sg:dos][ss:b2]

    
    

    
  
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Crash Signature: [@ nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: