Closed
Bug 776393
Opened 13 years ago
Closed 13 years ago
Crash when resizing window and changing CSS width
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
mozilla17
| Tracking | Status | |
|---|---|---|
| firefox17 | - | --- |
People
(Reporter: jruderman, Assigned: jwatt)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
testcase (must be a popup)
No description provided.
|
Reporter | |
Comment 1•13 years ago
|
||
|
|
Reporter | |
Comment 2•13 years ago
|
||
|
|
Reporter | |
Comment 3•13 years ago
|
||
Crash Signature: [@ DoApplyRenderingChangeToTree ]
|
||
Comment 4•13 years ago
|
||
Browser crashes with attachment 644785 [details] in Wndows7
bp-49dc6050-9490-4c37-8c2f-1a98f2120722
Regression window(m-c)
Not crash:
http://hg.mozilla.org/mozilla-central/rev/6dae57cd2f85
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720145842
Crash:
http://hg.mozilla.org/mozilla-central/rev/045c11dd41a6
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720205642
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6dae57cd2f85&tochange=045c11dd41a6
Regression window(m-i)
Not crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/a746aaa32b22
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720114508
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/62f19ed60528
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120720115241
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a746aaa32b22&tochange=62f19ed60528
|
|
||
Comment 5•13 years ago
|
||
We crash because in the "if (aChange & nsChangeHint_ChildrenOnlyTransform)" block in DoApplyRenderingChangeToTree we have this code:
nsIFrame *f = aFrame->GetContent()->GetPrimaryFrame();
but aFrame->GetContent() is null, because aFrame is the viewport. So we crash on the null-deref.
If we didn't crash here, I bet we'd fail the following assert:
7737 NS_ABORT_IF_FALSE(f->IsFrameOfType(nsIFrame::eSVG |
7738 nsIFrame::eSVGContainer),
7739 "Children-only transforms only expected on SVG frames");
This looks like code added in bug 614732.
The reason we have a viewport here is that we initially pass the nsSVGOuterSVGFrame to ApplyRenderingChangeToTree, but then the code in there does this:
// If the frame's background is propagated to an ancestor, walk up to
// that ancestor.
and in this case this is a root <svg>, so its background _is_ propagated to an ancestor as far as that code is concerned (like for any root element) and we walk up to the viewport...
|
|
||
Comment 6•13 years ago
|
||
On Windows: bp-ed218940-156d-4a52-871d-03a8d2120723.
Crash Signature: [@ DoApplyRenderingChangeToTree ] → [@ DoApplyRenderingChangeToTree ]
[@ nsIContent::GetPrimaryFrame()]
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 17 Branch
|
||
Updated•13 years ago
|
Assignee: nobody → jwatt
|
|
Assignee | |
Comment 7•13 years ago
|
||
This crash appears to have gone between the following two Mac builds:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-24-03-05-51-mozilla-central/
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-24-07-14-08-mozilla-central/
Which would give an anti-regression range of:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3613cbdc3481&tochange=a26e751bfb54
Target Milestone: --- → mozilla17
|
|
Assignee | |
Comment 8•13 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #5)
> We crash because in the "if (aChange & nsChangeHint_ChildrenOnlyTransform)"
> block in DoApplyRenderingChangeToTree we have [...]
I don't see how the testcase can cause us to get into that block (it doesn't seem to in current tip builds), since it doesn't change any children-only transforms.
|
|
||
Comment 9•13 years ago
|
||
I cannot reproduce the crash with attachment 644785 [details].
Fixed window(m-c):
Crash:
http://hg.mozilla.org/mozilla-central/rev/3613cbdc3481
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723144443
Fixed:
http://hg.mozilla.org/mozilla-central/rev/a26e751bfb54
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120724071408
Fixed range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3613cbdc3481&tochange=a26e751bfb54
Fixed window(m-i):
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4c9ee7535383
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723085942
Fixed:
http://hg.mozilla.org/integration/mozilla-inbound/rev/fd7d6cfafe09
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120723091342
Fixed range:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4c9ee7535383&tochange=fd7d6cfafe09
|
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•13 years ago
|
|
|
Assignee | |
Updated•13 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•