Closed Bug 230138 Opened 21 years ago Closed 21 years ago

Crash when viewing a HTML page with certain display:tableXXX settings in CSS

Categories

(Core :: Layout: Tables, defect)

x86
All
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: moz, Assigned: bernd_mozilla)

Details

(Keywords: crash)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208

While trying some stuff I encountered this crash. I tried to minimize the HTML code so that it still crashes every time. The problem seems to be related to the display: settings in the CSS part. The structure is something like

<div> [display:table-column]
  <div> [display:table]
  <div> [display:table-cell]

Reproducible: Always

Steps to Reproduce:
1. Create HTML file with following content:

<html>
<head>
<style type="text/css">
<!--
div.a1 { display:table; }
div.a2 { display:table-cell; }
div.left { display:table-column;}
-->
</style>
</head>
<body>
<div class="left">
  <div class="a1"></div>
  <div class="a2"></div>
</div>
</body>
</html>

2. View it with Mozilla

Actual Results:
Access violation when trying to view the page. Probably a null pointer dereference.

Expected Results:
There is probably no "correct" way to render this, because it does not make too much sense, but at least Mozilla should not crash.
#5 <signal handler called>
#6 0x06e16c30 in ProcessPseudoFrame (aPresContext=0x9ac6288, aPseudoData=@0xbfebd458, aParent=@0xbfebcec0) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1776
#7 0x06e1705f in ProcessPseudoFrames (aPresContext=0x9ac6288, aPseudoFrames=@0xbfebd408, aHighestType=0x0, aHighestFrame=@0xbfebcec0) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1875
#8 0x06e17272 in ProcessPseudoFrames (aPresContext=0x9ac6288, aPseudoFrames=@0xbfebd408, aItems=@0xbfebd018) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1921
#9 0x06e19e87 in nsCSSFrameConstructor::TableProcessChildren(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*, nsTableCreator&, nsFrameItems&, nsIFrame*&) (this=0x9adc120, aPresShell=0x9adc1d0, aPresContext=0x9ac6288, aState=@0xbfebd3d0, aContent=0x9519fe0, aParentFrame=0x9af38d0, aTableCreator=@0xbfebd1d0, aChildItems=@0xbfebd018, aCaption=@0xbfebd020) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:3074
#10 0x06e1950e in nsCSSFrameConstructor::ConstructTableColFrame(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*, nsStyleContext*, nsTableCreator&, int, nsFrameItems&, nsIFrame*&, int&) (this=0x9adc120, aPresShell=0x9adc1d0, aPresContext=0x9ac6288, aState=@0xbfebd3d0, aContent=0x9519fe0, aParentFrameIn=0x9af3188, aStyleContext=0x9af3414, aTableCreator=@0xbfebd1d0, aIsPseudo=0, aChildItems=@0xbfebd4a0, aNewFrame=@0xbfebd1f0, aIsPseudoParent=@0xbfebd1c8) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:2832
#11 0x06e21b76 in nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, int, nsIAtom*, nsIFrame*, nsStyleContext*, nsFrameItems&) (this=0x9adc120, aPresShell=0x9adc1d0, aPresContext=0x9ac6288, aState=@0xbfebd3d0, aDisplay=0x9af3440, aContent=0x9519fe0, aNameSpaceID=3, aTag=0x93e2780, aParentFrame=0x9af3188, aStyleContext=0x9af3414, aFrameItems=@0xbfebd4a0)

(gdb) frame 6
#6 0x06e16c30 in ProcessPseudoFrame (aPresContext=0x9ac6288, aPseudoData=@0xbfebd458, aParent=@0xbfebcec0) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1776
1776 rv = aParent->SetInitialChildList(aPresContext, nsnull, items->childList);
(gdb) p aParent
$1 = (class nsIFrame *&) @0xbfebcec0: 0x0
(gdb) up
#7 0x06e1705f in ProcessPseudoFrames (aPresContext=0x9ac6288, aPseudoFrames=@0xbfebd408, aHighestType=0x0, aHighestFrame=@0xbfebcec0) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1875
1875 rv = ProcessPseudoFrame(aPresContext, aPseudoFrames.mRow, aHighestFrame);
(gdb) p aHighestFrame
$2 = (class nsIFrame *&) @0xbfebcec0: 0x0
(gdb) up
#8 0x06e17272 in ProcessPseudoFrames (aPresContext=0x9ac6288, aPseudoFrames=@0xbfebd408, aItems=@0xbfebd018) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1921
1921 nsresult rv = ProcessPseudoFrames(aPresContext, aPseudoFrames, nsnull, highestFrame);
(gdb) p aPseudoFrames
$5 = (nsPseudoFrames &) @0xbfebd408: {
  mTableOuter = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mTableInner = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mRowGroup = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mColGroup = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mRow = {mFrame = 0x0, mChildList = {childList = 0x9afa044, lastChild = 0x9afa044}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mCellOuter = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mCellInner = {mFrame = 0x0, mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {childList = 0x0, lastChild = 0x0}},
  mLowestType = 0x93e3110}
(gdb) up
(gdb) p aState.mPseudoFrames.mLowestType
$6 = (nsIAtom *) 0x93e3110
(gdb) x/wa $6
0x93e3110: 0x59dd68 <_ZTV19nsStaticAtomWrapper+8>
(gdb) p *(class nsStaticAtomWrapper*)$
$7 = {<nsIAtom> = {<nsISupports> = {_vptr.nsISupports = 0x59dd68}, <No data fields>}, mStaticAtom = 0x73a8058}
(gdb) p $.mStaticAtom
$8 = (const nsStaticAtom *) 0x73a8058
(gdb) p *$
$9 = {mString = 0x734feef "TableRowFrame", mAtom = 0x73c0928}
Severity: normal → critical
Keywords: crash
confirmed with linux trunk 2004010508
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Can you provide a URL for full web page that causes this problem? I'd like to test a possible fix... BTW, why is a brand new bug already assigned to nobody?
Confirmed Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20040102 Firebird/0.7+
David, do you have any idea what should happen here? Should the children of the col simply be suppressed?
bernd Hixie: what should happen to a child of a display: table-column element, can it be ignored (no frame construction for the child)
Hixie sicking: "children", probably in DOM
Hixie bernd: spec doesn't say, last i checked, but yes, just assume table-column's children are display:none
Attached patch: patch
I don't claim that I understand table frame construction well. I am pretty sure that exactly the opposite is true, but I believe that col frames shouldn't have children, and even if they would have, they will not be reflown (see http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableColFrame.cpp#154), so we should not create them.
Attachment #139221 - Flags: superreview?(bz-vacation)
Attachment #139221 - Flags: review+
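
A simplified model of the state shown in the gdb session and of the approach discussed in this thread (treat a table-column's children as display:none), added here as an example; it is not Mozilla source and not the attached patch. Content, Frame, PseudoRow, processPseudoRow and constructTableCol are hypothetical names, and the model reports the null parent instead of dereferencing it.

```cpp
#include <cstdio>
#include <vector>

enum class Display { Table, TableCell, TableColumn };
enum class Result { Ok, NullParent };

struct Content {                      // hypothetical stand-in for a DOM element
    Display display;
    std::vector<Content> kids;
};
struct Frame {                        // hypothetical stand-in for nsIFrame
    std::vector<Display> childList;
};
struct PseudoRow {                    // shaped like mRow in the gdb dump
    Frame* mFrame = nullptr;          // anonymous row frame, never created here
    std::vector<Display> mChildList;  // frames queued for that row
};

// Models the statement at nsCSSFrameConstructor.cpp:1776, which hands the
// queued children to the parent frame. The model reports a null parent
// instead of dereferencing it.
Result processPseudoRow(PseudoRow& row) {
    if (row.mChildList.empty()) return Result::Ok;  // nothing queued
    if (!row.mFrame) return Result::NullParent;     // the crash condition
    row.mFrame->childList = row.mChildList;
    return Result::Ok;
}

// Frame construction for a display:table-column element (assumed flow).
// skipColChildren=false: a table-cell child is queued on a pseudo row whose
// frame was never created. skipColChildren=true: children are treated as
// display:none, so nothing is queued.
Result constructTableCol(const Content& col, bool skipColChildren) {
    PseudoRow row;
    if (!skipColChildren)
        for (const Content& kid : col.kids)
            if (kid.display == Display::TableCell)
                row.mChildList.push_back(kid.display);
    return processPseudoRow(row);
}

// The reporter's testcase: table-column div holding a table and a table-cell.
Content testcase() {
    Content table{Display::Table, {}}, cell{Display::TableCell, {}};
    return Content{Display::TableColumn, {table, cell}};
}

int main() {
    std::printf("children built:   %s\n", constructTableCol(testcase(), false) == Result::Ok ? "ok" : "null parent");
    std::printf("children skipped: %s\n", constructTableCol(testcase(), true) == Result::Ok ? "ok" : "null parent");
}
```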
taking so that I get this thing checked in
Assignee: nobody → bernd_mozilla
Comment on attachment 139221 (patch)
sr=bzbarsky. Looks reasonable.
Attachment #139221 - Flags: superreview?(bz-vacation) → superreview+
fix checked in
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED