Closed Bug 514660 Opened 16 years ago Closed 16 years ago

Crash when View > Page Style > No.Style [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: alice0775, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

Reduced test Case
301 bytes, text/html
Details
backtrace
9.43 KB, text/plain
Details
fix
6.20 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a2pre) Gecko/20090903 Firefox/3.5.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090903 Minefield/3.7a1pre ID:20090903063153 Minefield crashes with Crash Report When View > Page Style > No.Style on certain page. It does not crash unless you log in to the page. Reproducible: Always Steps to Reproduce: 1. Start Minefield with New Profile. 2. Login bugzilla.mozilla.org ( https://bugzilla.mozilla.org ) 3. Go URL https://bugzilla.mozilla.org/show_bug.cgi?id=514629 4. View > Page Style > No Style (You should log in to the bugzilla.mozilla.org) Actual Results: Minefield crashes with Crash Report. Expected Results: Should not crash. No Style should be applied. Crash Report of Minefield: http://crash-stats.mozilla.com/report/index/07a2fb58-5ba5-4fca-b60d-89b5f2090904?p=1 Namoroka 3.6a2pre crashes also. but the crash report is not same the above. Crash Report of Namoroka: http://crash-stats.mozilla.com/report/index/0cf3115c-2fd4-41f6-a053-d1a032090904?p=1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a2pre) Gecko/20090903 Namoroka/3.6a2pre ID:20090903051734
Version: unspecified → Trunk
Regression Window: Works: http://hg.mozilla.org/mozilla-central/rev/c575412d976a Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090623 Minefield/3.6a1pre ID:20090623050900 Crashes: http://hg.mozilla.org/mozilla-central/rev/5fe89f2c22f0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090624 Minefield/3.6a1pre ID:20090624042426 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c575412d976a&tochange=5fe89f2c22f0 PS: Shirotoko does not crashes. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090901 Shiretoko/3.5.4pre ID:20090901041619
Keywords: regression
Attached file Reduced test Case
View > Page Style > No Style Browser crashes.
Keywords: testcase
bp-0cf3115c-2fd4-41f6-a053-d1a032090904 0 xul.dll nsTextControlFrame::CalcIntrinsicSize layout/forms/nsTextControlFrame.cpp:1290 1 xul.dll nsTextControlFrame::GetPrefSize layout/forms/nsTextControlFrame.cpp:1770 2 xul.dll nsBoxFrame::GetPrefWidth layout/xul/base/src/nsBoxFrame.cpp:649 3 xul.dll nsLayoutUtils::IntrinsicForContainer layout/base/nsLayoutUtils.cpp:1887 4 xul.dll nsFrame::AddInlineMinWidth layout/generic/nsFrame.cpp:2929 5 xul.dll nsBlockFrame::GetMinWidth layout/generic/nsBlockFrame.cpp:701 6 xul.dll xul.dll@0xa8accb The symbols for bp-07a2fb58-5ba5-4fca-b60d-89b5f2090904 are missing...
Summary: Crash [@xul.dll@0x1dc7c ] when View > Page Style > No.Style → Crash when View > Page Style > No.Style [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]
Browser Crashes on Linux as follows: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbd6f214769b Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a2pre) Gecko/20090904 Namoroka/3.6a2pre ID:20090904033851 http://crash-stats.mozilla.com/report/index/2a4cd7bd-124d-4fb3-839b-5b26d2090905 http://hg.mozilla.org/mozilla-central/rev/2600b11db971 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a1pre) Gecko/20090904 Minefield/3.7a1pre ID:20090904224446 http://crash-stats.mozilla.com/report/index/b62d191b-b250-41a5-aa92-5e2502090905?p=1
(In reply to comment #4) > Browser Crashes on Linux as follows: > > http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbd6f214769b > Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a2pre) Gecko/20090904 > Namoroka/3.6a2pre ID:20090904033851 > http://crash-stats.mozilla.com/report/index/2a4cd7bd-124d-4fb3-839b-5b26d2090905 > 0 libxul.so nsTextControlFrame::CalcIntrinsicSize layout/forms/nsTextControlFrame.cpp:1320 That line was introduced Bug 425253. http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/tip/layout/forms/nsTextControlFrame.cpp#l1320 http://hg.mozilla.org/mozilla-central/rev/3d8dbcce108f
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Attached file backtrace
Backtrace of linux trunk build Also debug build says: WARNING: Someone passed native anonymous content directly into frame construction. Stop doing that!: file /mozilla/mozilla-central/layout/base/nsCSSFrameConstructor.cpp, line 6016 ###!!! ASSERTION: Child must be scrollable: 'scrollableFrame', file /mozilla/mozilla-central/layout/forms/nsTextControlFrame.cpp, line 1317
Attachment #398948 - Attachment mime type: text/x-log → text/plain
Keywords: crash
Seem to be getting crash reports for this on 1.9.2 also.
Flags: blocking1.9.2?
Looks like GetFirstChild(nsnull) is returning NULL.
Assignee: nobody → roc
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
What happens here is that choosing "No style" disables all author styles. This happens to include the "style" attribute set on the anonymous <div> of a text control. Disabling "style" means removing "white-space:pre" from the <div> which means (since bug 495385 was fixed) reconstruction of the <div>'s frame. And that fails because the <div> is native anonymous. We crash because no new child frame is created, but even if we didn't crash the text input would still be broken. And in fact pre-495385 I bet we'd still be broken because the style would be gone so the text input's white-space value would be "normal".
Attached patch fixSplinter Review
We need to not use the 'style' attribute here. This patch just uses classes instead.
Attachment #402316 - Flags: review?(bzbarsky)
Whiteboard: [needs review]
Comment on attachment 402316 [details] [diff] [review] fix r=bzbarsky
Attachment #402316 - Flags: review?(bzbarsky) → review+
Shouldn't we still be marking it native-anonymous?
nsCSSFrameConstructor::GetAnonymousContent marks it native-anonymous after nsTextControlFrame::CreateAnonymousContent returns. The only reason we needed to mark it native-anonymous early was to get correct handling of the 'style' attribute.
Whiteboard: [needs review] → [needs landing]
http://hg.mozilla.org/mozilla-central/rev/e5ff8bfef784
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 192 landing]
Crash Signature: [@nsTextControlFrame::CalcIntrinsicSize(nsIRenderingContext*, nsSize&) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: