Crash when View > Page Style > No.Style [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]

RESOLVED FIXED

Status

()

P2
critical
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: alice0775, Assigned: roc)

Tracking

({crash, regression, testcase})

Trunk
crash, regression, testcase
Points:
---
Bug Flags:
blocking1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta1-fixed)

Details

(crash signature, URL)

Attachments

(3 attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a2pre) Gecko/20090903 Firefox/3.5.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090903 Minefield/3.7a1pre ID:20090903063153

Minefield crashes with Crash Report When View > Page Style > No.Style on certain page.
It does not crash unless you log in to the page.

Reproducible: Always

Steps to Reproduce:
1. Start Minefield with New Profile.
2. Login bugzilla.mozilla.org ( https://bugzilla.mozilla.org )
3. Go URL https://bugzilla.mozilla.org/show_bug.cgi?id=514629
4. View > Page Style > No Style

(You should log in to the bugzilla.mozilla.org)

Actual Results:  
Minefield crashes with Crash Report.

Expected Results:  
Should not crash. No Style should be applied.

Crash Report of Minefield:
http://crash-stats.mozilla.com/report/index/07a2fb58-5ba5-4fca-b60d-89b5f2090904?p=1

Namoroka 3.6a2pre crashes also. but the crash report is not same the above.
Crash Report of Namoroka:
http://crash-stats.mozilla.com/report/index/0cf3115c-2fd4-41f6-a053-d1a032090904?p=1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a2pre) Gecko/20090903 Namoroka/3.6a2pre ID:20090903051734
(Reporter)

Updated

9 years ago
Version: unspecified → Trunk
(Reporter)

Comment 1

9 years ago
Regression Window:

Works:
http://hg.mozilla.org/mozilla-central/rev/c575412d976a
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090623 Minefield/3.6a1pre ID:20090623050900

Crashes:
http://hg.mozilla.org/mozilla-central/rev/5fe89f2c22f0
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090624 Minefield/3.6a1pre ID:20090624042426

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c575412d976a&tochange=5fe89f2c22f0


PS: Shirotoko does not crashes.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090901 Shiretoko/3.5.4pre ID:20090901041619
Keywords: regression
(Reporter)

Comment 2

9 years ago
Created attachment 398661 [details]
Reduced test Case

View > Page Style > No Style
Browser crashes.
(Reporter)

Updated

9 years ago
Keywords: testcase
bp-0cf3115c-2fd4-41f6-a053-d1a032090904

0  	xul.dll  	nsTextControlFrame::CalcIntrinsicSize  	layout/forms/nsTextControlFrame.cpp:1290
1 	xul.dll 	nsTextControlFrame::GetPrefSize 	layout/forms/nsTextControlFrame.cpp:1770
2 	xul.dll 	nsBoxFrame::GetPrefWidth 	layout/xul/base/src/nsBoxFrame.cpp:649
3 	xul.dll 	nsLayoutUtils::IntrinsicForContainer 	layout/base/nsLayoutUtils.cpp:1887
4 	xul.dll 	nsFrame::AddInlineMinWidth 	layout/generic/nsFrame.cpp:2929
5 	xul.dll 	nsBlockFrame::GetMinWidth 	layout/generic/nsBlockFrame.cpp:701
6 	xul.dll 	xul.dll@0xa8accb

The symbols for bp-07a2fb58-5ba5-4fca-b60d-89b5f2090904 are missing...
Summary: Crash [@xul.dll@0x1dc7c ] when View > Page Style > No.Style → Crash when View > Page Style > No.Style [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]
(Reporter)

Comment 4

9 years ago
Browser Crashes on Linux as follows:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbd6f214769b
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a2pre) Gecko/20090904 Namoroka/3.6a2pre ID:20090904033851
http://crash-stats.mozilla.com/report/index/2a4cd7bd-124d-4fb3-839b-5b26d2090905

http://hg.mozilla.org/mozilla-central/rev/2600b11db971
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a1pre) Gecko/20090904 Minefield/3.7a1pre ID:20090904224446
http://crash-stats.mozilla.com/report/index/b62d191b-b250-41a5-aa92-5e2502090905?p=1

Comment 5

9 years ago
(In reply to comment #4)
> Browser Crashes on Linux as follows:
> 
> http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbd6f214769b
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a2pre) Gecko/20090904
> Namoroka/3.6a2pre ID:20090904033851
> http://crash-stats.mozilla.com/report/index/2a4cd7bd-124d-4fb3-839b-5b26d2090905


> 0  	libxul.so  	nsTextControlFrame::CalcIntrinsicSize  	 layout/forms/nsTextControlFrame.cpp:1320 

That line was introduced Bug 425253.
http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/tip/layout/forms/nsTextControlFrame.cpp#l1320

http://hg.mozilla.org/mozilla-central/rev/3d8dbcce108f
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All

Comment 6

9 years ago
Created attachment 398948 [details]
backtrace

Backtrace of linux trunk build

Also debug build says:

WARNING: Someone passed native anonymous content directly into frame construction.  Stop doing that!: file /mozilla/mozilla-central/layout/base/nsCSSFrameConstructor.cpp, line 6016
###!!! ASSERTION: Child must be scrollable: 'scrollableFrame', file /mozilla/mozilla-central/layout/forms/nsTextControlFrame.cpp, line 1317

Updated

9 years ago
Attachment #398948 - Attachment mime type: text/x-log → text/plain
Keywords: crash
Seem to be getting crash reports for this on 1.9.2 also.
Flags: blocking1.9.2?
Looks like GetFirstChild(nsnull) is returning NULL.
Assignee: nobody → roc
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
What happens here is that choosing "No style" disables all author styles. This happens to include the "style" attribute set on the anonymous <div> of a text control. Disabling "style" means removing "white-space:pre" from the <div> which means (since bug 495385 was fixed) reconstruction of the <div>'s frame. And that fails because the <div> is native anonymous. We crash because no new child frame is created, but even if we didn't crash the text input would still be broken. And in fact pre-495385 I bet we'd still be broken because the style would be gone so the text input's white-space value would be "normal".
Created attachment 402316 [details] [diff] [review]
fix

We need to not use the 'style' attribute here. This patch just uses classes instead.
Attachment #402316 - Flags: review?(bzbarsky)
Whiteboard: [needs review]
Comment on attachment 402316 [details] [diff] [review]
fix

r=bzbarsky
Attachment #402316 - Flags: review?(bzbarsky) → review+
Shouldn't we still be marking it native-anonymous?
nsCSSFrameConstructor::GetAnonymousContent marks it native-anonymous after nsTextControlFrame::CreateAnonymousContent returns. The only reason we needed to mark it native-anonymous early was to get correct handling of the 'style' attribute.
Whiteboard: [needs review] → [needs landing]
http://hg.mozilla.org/mozilla-central/rev/e5ff8bfef784
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 192 landing]
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/f07481284c5f
status1.9.2: --- → beta1-fixed
Whiteboard: [needs 192 landing]
Duplicate of this bug: 518514
Crash Signature: [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]
You need to log in before you can comment on or make changes to this bug.