Closed Bug 576927 Opened 14 years ago Closed 9 years ago

"ABORT: negative lengths and percents should be rejected by parser" setting textZoom and huge font size together

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: assertion, testcase, Whiteboard: [aborts DEBUG build only][post-2.0])

Attachments

(2 files, 2 obsolete files)

1. Temporarily install 'DOM Fuzz Lite' from https://www.squarefree.com/extensions/domFuzzLite.xpi 2. Load the testcase. ###!!! ABORT: negative lengths and percents should be rejected by parser: 'aFontData.mSize.IsCalcUnit()', file /Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp, line 2999 #2 0x051138f9 in Abort (aMsg=Could not find the frame base for "Abort(char const*)". ) at /Users/jruderman/mozilla-central/xpcom/base/nsDebugImpl.cpp:379 #3 0x05113e4d in NS_DebugBreak_P (aSeverity=3, aStr=0x54246b4 "negative lengths and percents should be rejected by parser", aExpr=0x5424697 "aFontData.mSize.IsCalcUnit()", aFile=0x5422120 "/Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp", aLine=2999) at /Users/jruderman/mozilla-central/xpcom/base/nsDebugImpl.cpp:337 #4 0x040aebe4 in nsRuleNode::SetFontSize (aPresContext=0x84edc00, aFontData=@0xbfffc69c, aFont=0x84abf40, aParentFont=0x84abf40, aSize=0x84abf60, aSystemFont=@0xbfffc464, aParentSize=3840, aScriptLevelAdjustedParentSize=3840, aUsedStartStruct=0, aAtRoot=1, aCanStoreInRuleTree=@0xbfffc5bc) at /Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp:2997 #5 0x040af9c6 in nsRuleNode::SetFont (aPresContext=0x84edc00, aContext=0x84abba0, aMinFontSize=0, aGenericFontID=0 '\0', aFontData=@0xbfffc69c, aParentFont=0x84abf40, aFont=0x84abf40, aUsedStartStruct=0, aCanStoreInRuleTree=@0xbfffc5bc) at /Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp:3290 #6 0x040b024d in nsRuleNode::ComputeFontData (this=0x8506eb8, aStartStruct=0x0, aData=@0xbfffc69c, aContext=0x84abba0, aHighestNode=0x8506eb8, aRuleDetail=nsRuleNode::eRulePartialReset, aCanStoreInRuleTree=1) at /Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp:3504 #7 0x040a9882 in nsRuleNode::WalkRuleTree (this=0x8506eb8, aSID=eStyleStruct_Font, aContext=0x84abba0, aRuleData=0xbfffc6f8, aSpecificData=0xbfffc69c) at nsStyleStructList.h:73 #8 0x040add27 in nsRuleNode::GetFontData (this=0x8506eb8, aContext=0x84abba0) at /Users/jruderman/mozilla-central/layout/style/nsRuleNode.cpp:1946 #9 0x040ade23 in nsRuleNode::GetStyleFont (this=0x8506eb8, aContext=0x84abba0, aComputeData=1) at nsStyleStructList.h:73 #10 0x040c5675 in nsStyleContext::DoGetStyleFont (this=0x84abba0, aComputeData=1) at nsStyleStructList.h:73 #11 0x03feba49 in nsStyleContext::GetStyleFont (this=0x84abba0) at nsStyleStructList.h:73 #12 0x040d2fd9 in nsStyleContext::CalcStyleDifference (this=0x84ab770, aOther=0x84abba0) at /Users/jruderman/mozilla-central/layout/style/nsStyleContext.cpp:468 #13 0x03ed47d7 in CaptureChange (aOldContext=0x84ab770, aNewContext=0x84abba0, aFrame=0x84ab950, aContent=0x214057f0, aChangeList=0xbfffcbac, aMinChange=0, aChangeToAssume=0) at /Users/jruderman/mozilla-central/layout/base/nsFrameManager.cpp:978 #14 0x03ed52a7 in nsFrameManager::ReResolveStyleContext (this=0x202fb5cc, aPresContext=0x84edc00, aFrame=0x84ab950, aParentContent=0x0, aChangeList=0xbfffcbac, aMinChange=0, aRestyleHint=eRestyle_Self, aFireAccessibilityEvents=1, aRestyleTracker=@0x202fba44) at /Users/jruderman/mozilla-central/layout/base/nsFrameManager.cpp:1234 #15 0x03ed5ed9 in nsFrameManager::ComputeStyleChangeFor (this=0x202fb5cc, aFrame=0x84ab950, aChangeList=0xbfffcbac, aMinChange=0, aRestyleTracker=@0x202fba44, aRestyleDescendants=0) at /Users/jruderman/mozilla-central/layout/base/nsFrameManager.cpp:1548 #16 0x03e9281b in nsCSSFrameConstructor::RestyleElement (this=0x202fb9e0, aElement=0x214057f0, aPrimaryFrame=0x84ab950, aMinHint=0, aRestyleTracker=@0x202fba44, aRestyleDescendants=0) at /Users/jruderman/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:8121 #17 0x03e78206 in mozilla::css::RestyleTracker::ProcessOneRestyle (this=0x202fba44, aElement=0x214057f0, aRestyleHint=eRestyle_Self, aChangeHint=0) at /Users/jruderman/mozilla-central/layout/base/RestyleTracker.cpp:156 #18 0x03e76ed9 in mozilla::css::RestyleTracker::ProcessRestyles (this=0x202fba44) at /Users/jruderman/mozilla-central/layout/base/RestyleTracker.cpp:238 #19 0x03e925d7 in nsCSSFrameConstructor::ProcessPendingRestyles (this=0x202fb9e0) at /Users/jruderman/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:11687 #20 0x03f0eccc in PresShell::FlushPendingNotifications (this=0x202fb5b0, aType=Flush_Style) at /Users/jruderman/mozilla-central/layout/base/nsPresShell.cpp:4786 #21 0x03f183a2 in nsRefreshDriver::Notify (this=0x202f6d70) at /Users/jruderman/mozilla-central/layout/base/nsRefreshDriver.cpp:221 #22 0x0510a357 in nsTimerImpl::Fire (this=0x21419fe0) at /Users/jruderman/mozilla-central/xpcom/threads/nsTimerImpl.cpp:430 #23 0x0510a574 in nsTimerEvent::Run (this=0x21425750) at /Users/jruderman/mozilla-central/xpcom/threads/nsTimerImpl.cpp:519 #24 0x0510344e in nsThread::ProcessNextEvent (this=0xa16890, mayWait=0, result=0xbfffd884) at /Users/jruderman/mozilla-central/xpcom/threads/nsThread.cpp:547 #25 0x0508bc50 in NS_ProcessPendingEvents_P (thread=0xa16890, timeout=20) at nsThreadUtils.cpp:200 #26 0x04ea3377 in nsBaseAppShell::NativeEventCallback (this=0xa31d40) at /Users/jruderman/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:126 #27 0x04e549d1 in nsAppShell::ProcessGeckoEvents (aInfo=0xa31d40) at /Users/jruderman/mozilla-central/widget/src/cocoa/nsAppShell.mm:394 #28 0x936143c5 in CFRunLoopRunSpecific () #29 0x93614aa8 in CFRunLoopRunInMode () #30 0x94a9b2ac in RunCurrentEventLoopInMode () #31 0x94a9b0c5 in ReceiveNextEventCommon () #32 0x94a9af39 in BlockUntilNextEventMatchingListInMode () #33 0x95b786d5 in _DPSNextEvent () #34 0x95b77f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #35 0x95b70f9f in -[NSApplication run] () #36 0x04e53783 in nsAppShell::Run (this=0xa31d40) at /Users/jruderman/mozilla-central/widget/src/cocoa/nsAppShell.mm:747 #37 0x04bc28aa in nsAppStartup::Run (this=0xa7ba30) at /Users/jruderman/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:192 #38 0x03c2c94d in XRE_main (argc=4, argv=0xbfffedf0, aAppData=0xa0ed20) at /Users/jruderman/mozilla-central/toolkit/xre/nsAppRunner.cpp:3619 #39 0x0000281e in main (argc=4, argv=0xbfffedf0) at /Users/jruderman/mozilla-central/browser/app/nsBrowserApp.cpp:158
Severity: critical → normal
Component: Layout → Style System (CSS)
OS: Mac OS X → All
QA Contact: layout → style-system
Hardware: x86 → All
Whiteboard: [aborts DEBUG build only]
Attached patch fix + mochitest (obsolete) — Splinter Review
To my surprise I see that NSCoordSaturatingMultiply (and NSCoordSaturatingNonnegativeMultiply) can return negative values when both arguments are positive... for example NSCoordSaturatingMultiply(0, 1.0 / 0.0) gives product==-NaN which is capped to nscoord_MIN. (on Linux64 with gcc 4.4.5 in case it matters)
Assignee: nobody → matspal
Whiteboard: [aborts DEBUG build only] → [aborts DEBUG build only][post-2.0]
I see this also on http://mp3tons.ru/board/ringtony/1-1-2-0-0-2-2-0 I was able to reproduce it locally on 2.0.0, beta, aurora and nightly on winxp without any extension. Automation claims it is cross platform.
STR without the extension: 1. Load https://bugzilla.mozilla.org/attachment.cgi?id=313874 (from bug 427322) 2. View > Zoom > Zoom Text Only 3. Zoom in 6 times using ⌘+
Is this still relevant?
Flags: needinfo?(mats)
Yeah, I can still reproduce the STR in comment 4. The mochitest is obsolete though, since it uses: netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect")
Flags: needinfo?(mats)
Attached patch fix (obsolete) — Splinter Review
Attachment #490105 - Attachment is obsolete: true
Attachment #8687541 - Flags: review?(roc)
This was the offending patch. It appears we do get negative font sizes (aSize) in nsStyleFont::ZoomText for things like calc(-1px). It looks like we evaluate the terms using ZoomText and then the consumer of the calc expression will deal with a negative result later, e.g. in nsRuleNode::SetFontSize: #0 nsStyleFont::ZoomText (aPresContext=0x7fffc5173000, aSize=-60) #1 SetFontSizeCalcOps::ComputeLeafValue (this=0x7fffffff58e8, aValue=...) #2 mozilla::css::ComputeCalc<SetFontSizeCalcOps> (aValue=..., aOps=...) #3 mozilla::css::ComputeCalc<SetFontSizeCalcOps> (aValue=..., aOps=...) #4 nsRuleNode::SetFontSize http://hg.mozilla.org/mozilla-central/annotate/4294bf91174b/layout/style/nsRuleNode.cpp#l3266
Flags: needinfo?(mats)
Attached patch fix, v2Splinter Review
Dropped the offending MOZ_ASSERTs from the first patch and s/NSCoordSaturatingNonnegativeMultiply/NSCoordSaturatingMultiply/ and added some comments explaining the situation. Try run looks green so far.
Attachment #8687541 - Attachment is obsolete: true
Attachment #8688126 - Flags: review?(roc)
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: