Closed Bug 302118 Opened 19 years ago Closed 19 years ago

issues with extensive HTML tables in combination with CSS [@ ntdll.dll]

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: age.bosma, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, testcase, verified1.8)

Crash Data

Attachments

(6 files, 1 obsolete file)

Table rendering test case
192.15 KB, text/html
Details
Table render 1
298.62 KB, image/jpeg
Details
Table render 2
282.37 KB, image/jpeg
Details
Table rendering testcase (valid HTML)
192.40 KB, text/html
Details
Testcase
519 bytes, text/html
Details
Patch updated to my comments
3.34 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When having a huge HTML table with many rows and columns Firefox starts having
rendering issues as soon as you start using CSS to style the table. The issues
appear to be random:
- Somtimes it displays the table correctly.
- Sometimes it only renders the table incorrectly with e.g. the vertical borders
being almost collapsed all the way to the left.
- Sometimes it even manages to crash Firefox completely.

Reproducible: Sometimes

Steps to Reproduce:
1. Open the provided attachment in Firefox
2. When it renders the tables correctly at first, try to refresh the page a
couple of times.



The problems appear to occur more often when colgroups are being used with a
<col width="" /> for each column.

    
    

    
  
This bug might be related to bug 282747

    
    

    
  

      
      
      
      

        Attached image
          
        Table render 1
      

    


  
When colgroup's and col's are included this is what usually happens (if it
doesn't crash the browser)

    
    

    
  

      
      
      
      

        Attached image
          
        Table render 2
      

    


  
When colgroup's and col's are not included this is what usually happens.

    
    

    
  
Crash confirmed on 'Table rendering test case' (text/html) using Mozilla/5.0
(Windows; U; Windows NT 5.1; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 

Machine runs Windows XP SP2

Note that this page is not validating XHTML1.1, still this should not make
firefox crash (which happened here). 


    
    

    
  
Crashed with attachment 190484 [details]

TB7814273M

    
    

    
  


  
Here's a HTML valid testcase. Firefox appears to alter the HTML source when
saving a HTML file by stripping it from trailing slashes :-S

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050726
Firefox/1.0+ ID:2005072610
I also crashed on 'Table rendering test case' attachment.
TB7830011Y
Severity: major → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, 
          
            testcase
Summary: Redering issues of extensive HTML tables in combination with CSS → issues with extensive HTML tables in combination with CSS

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050726
Firefox/1.0+ ID:2005072610

No crash and renders fine/perfect .. 
Summary: issues with extensive HTML tables in combination with CSS → issues with extensive HTML tables in combination with CSS [@ ntdll.dll]

    
    

    
  
(In reply to comment #9)
> Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050726
> Firefox/1.0+ ID:2005072610
> 
> No crash and renders fine/perfect .. 

Try refreshing the page a couple of times more, the problems do occur.

    
    

    
  
(In reply to comment #10)
> Try refreshing the page a couple of times more, the problems do occur.

I tried 
F5 10 times
ctrl+F5 10 times
reload button 10 times

no crash, no rendering problems



    
    

    
  
> [@ ntdll.dll]

I have another talkback id (caused by
attachment 190531 [details] )

TB7814961M

Now I can reproduce this crash via
wheel scroll during loading.

    
    

    
  
(In reply to comment #12)
> > [@ ntdll.dll]
> 
> I have another talkback id (caused by
> attachment 190531 [details] [edit] )
> 
> TB7814961M
> 
> Now I can reproduce this crash via
> wheel scroll during loading.

Scrolling doesn't crash me either.
This may well be fixed on Trunk.
Can anyone else verify with a latest nightly ?



    
    

    
  
(In reply to comment #13)
> 
> Scrolling doesn't crash me either.
> This may well be fixed on Trunk.
> Can anyone else verify with a latest nightly ?
> 

Have it your way ;-)

I can verify that this bug DOES occur in the latest nightly:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050726
Firefox/1.0+

I installed the nightly downloaded on 2005/07/27 00:41:00 GMT. It only required
one page refresh to crash the browser.

    
    

    
  
Any news on this bug? Shouldn't this bug be blocking the Firefox 1.5 release
since it's simply crashing the browser?

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050829
Firefox/1.0+

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050828
Firefox/1.6a1

Works for me.

    
    

    
  
Crashed test case on Branch Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O;
en-US; rv:1.8b4) Gecko/20050829 Firefox/1.0+ with OS X 10.4.2 on second reload.
Talkback submitted.

    
    

    
  
I get a 100% reproducable crash, when I visit the testcase and let the "clone
slowly" bookmarklet loose on it:
http://www.squarefree.com/bookmarklets/testbrowsers.html#clone_slowly
(at the bottom)

Talkback ID's: TB8844634Z TB8844623H TB8844610Z

Using a nightly trunk build. Will try tomorrow to get a minimal testcase.
Component: General → Layout: Tables
Product: Firefox → Core
Version: unspecified → Trunk
QA Contact: general → layout.tables

    
    

    
  
nsStyleBorder::~nsStyleBorder() line 333 + 3 bytes
nsStyleBorder::Destroy(nsPresContext * 0x04c23650) line 465 + 8 bytes
TableBackgroundPainter::TableBackgroundData::Destroy(nsPresContext * 0x04c23650)
line 149
TableBackgroundPainter::~TableBackgroundPainter() line 263
nsTableFrame::Paint(nsTableFrame * const 0x04c373bc, nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 1) line 1416
nsContainerFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c373bc, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 283
nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x04c3720c, nsPresContext *
0x04c23650, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 335
nsContainerFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c3720c, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 283
nsBlockFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c3720c, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 287
PaintLine(const nsRect & {...}, const nsRect & {...}, nsLineList_iterator &
{...}, int 0, int & 1238536, nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, nsFramePaintLayer eFramePaintLayer_Underlay, nsBlockFrame * 0x04c4bf18)
line 6352
nsBlockFrame::PaintChildren(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay,
unsigned int 0) line 6420 + 38 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, int 1, unsigned int 0) line 138
nsBlockFrame::Paint(nsBlockFrame * const 0x04c4bf18, nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 6247
nsContainerFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c4bf18, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 283
nsBlockFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c4bf18, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 287
PaintLine(const nsRect & {...}, const nsRect & {...}, nsLineList_iterator &
{...}, int 0, int & 1239576, nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, nsFramePaintLayer eFramePaintLayer_Underlay, nsBlockFrame * 0x04c4bd94)
line 6352
nsBlockFrame::PaintChildren(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay,
unsigned int 0) line 6420 + 38 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, int 1, unsigned int 0) line 138
nsBlockFrame::Paint(nsBlockFrame * const 0x04c4bd94, nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 6247
nsContainerFrame::PaintChild(nsPresContext * 0x04c23650, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x04c4bd94, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 283
nsContainerFrame::PaintChildren(nsPresContext * 0x04c23650, nsIRenderingContext
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay,
unsigned int 0) line 228
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x04c3922c,
nsPresContext * 0x04c23650, nsIRenderingContext & {...}, const nsRect & {...},
nsFramePaintLayer eFramePaintLayer_Underlay, unsigned int 0) line 84
CanvasFrame::Paint(CanvasFrame * const 0x04c3922c, nsPresContext * 0x04c23650,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay, unsigned int 0) line 369 + 22 bytes
PresShell::Paint(PresShell * const 0x04c383a8, nsIView * 0x04c4cca8,
nsIRenderingContext & {...}, const nsRect & {...}) line 5652 + 27 bytes
nsView::Paint(nsView * const 0x04c4cca8, nsIRenderingContext & {...}, const
nsRect & {...}, unsigned int 0, int & 0) line 316
nsViewManager::RenderDisplayListElement(DisplayListElement2 * 0x04e20858,
nsIRenderingContext * 0x04e20c48) line 1468
nsViewManager::RenderViews(nsView * 0x04c48ad0, nsIRenderingContext & {...},
const nsRegion & {...}, nsIDrawingSurface * 0x04e11f50, const nsVoidArray &
{...}) line 1380
nsViewManager::Refresh(nsView * 0x04c48ad0, nsIRenderingContext * 0x04e20c48,
nsIRegion * 0x04e1b628, unsigned int 1) line 930
nsViewManager::DispatchEvent(nsViewManager * const 0x04c249d8, nsGUIEvent *
0x0012f434, nsEventStatus * 0x0012f2f8) line 2055
HandleEvent(nsGUIEvent * 0x0012f434) line 174
nsWindow::DispatchEvent(nsWindow * const 0x04c4cae4, nsGUIEvent * 0x0012f434,
nsEventStatus & nsEventStatus_eIgnore) line 1061 + 9 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f434, nsEventStatus &
nsEventStatus_eIgnore) line 1087
nsWindow::OnPaint(HDC__ * 0x00000000) line 5560 + 28 bytes
nsWindow::ProcessMessage(unsigned int 15, unsigned int 0, long 0, long *
0x0012f9ac) line 4169 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x00020376, unsigned int 15, unsigned int 0, long
0) line 1243 + 24 bytes
USER32! 77d18734()
USER32! 77d18816()
USER32! 77d1b4c0()
USER32! 77d1b50c()
NTDLL! 7c91eae3()
USER32! 77d18a10()
nsAppShell::Run(nsAppShell * const 0x00fc85a8) line 135
nsAppStartup::Run(nsAppStartup * const 0x00fc8508) line 145 + 77 bytes
XRE_main(int 3, char * * 0x003c6eb8, const nsXREAppData * 0x00422020 kAppData)
line 2322 + 34 bytes
main(int 3, char * * 0x003c6eb8) line 61 + 16 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7

    
    

    
  
this is 0xdddddddd

    
    

    
  
Martijn, it might be hard to create a nice minimized crash testcase but a
testcase that triggers  ASSERTION: colgroup data should not be null - bug
237421: would help definetely.

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase
      

    


  
This is the most minimal testcase that I could come up with that still crashes.

It crashes when you try to select the text in the table.
It probably gives an assertion too (don't know yet).

    
    

    
  
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050830 Firefox/1.6a1
ID:2005083010

Slightly different crash on Linux with Martijn's testcase. This does give the
assersion mentioned above.

Incident ID: 8870271
Stack Signature	firefox-bin + 0x402 (0x00ba8402) 29c88386
Product ID	FirefoxTrunk
Build ID	2005082205
Trigger Time	2005-08-30 11:24:13.0
Platform	LinuxIntel
Operating System	Linux 2.6.12-1.1398_FC4
Module	firefox-bin + (00000402)
URL visited	
User Comments	
Since Last Crash	0 sec
Total Uptime	33 sec
Trigger Reason	SIGIOT: Abort or IOT Instruction: (signal 6)
Source File, Line No.	N/A
Stack Trace 	
firefox-bin + 0x402 (0x00ba8402)
libc.so.6 + 0x29fc8 (0x00eb1fc8)
libc.so.6 + 0x5d96a (0x00ee596a)
libc.so.6 + 0x63864 (0x00eeb864)
libc.so.6 + 0x63d9f (0x00eebd9f)
libstdc++.so.5 + 0x912b3 (0x007c12b3)
TableBackgroundPainter::PaintTable() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/tables/nsTablePainter.cpp,
line 453]
ProcessRowInserted() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/tables/nsTableFrame.cpp,
line 1636]
SyncFrameViewGeometryDependentProperties() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 497]
nsTableOuterFrame::GetCaptionAvailWidth() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/tables/nsTableOuterFrame.cpp,
line 51]
SyncFrameViewGeometryDependentProperties() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 497]
nsBlockFrame::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 1390]
CanvasFrame::QueryInterface() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 198]
nsBlockFrame::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 6603]
SyncFrameViewGeometryDependentProperties() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 497]
nsBlockFrame::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 1390]
CanvasFrame::QueryInterface() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 198]
nsBlockFrame::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 6603]
SyncFrameViewGeometryDependentProperties() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 497]
HasNonZeroBorderRadius() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 463]
NS_NewCanvasFrame() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 175]
nsHTMLReflowState::nsHTMLReflowState() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 121]
PresShell::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/base/nsPresShell.cpp,
line 202]
nsIView::CreateWidget() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsView.cpp,
line 235]
nsViewManager::UpdateWidgetArea() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsViewManager.cpp,
line 55]
nsViewManager::CreateBlendingBuffers() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsViewManager.cpp,
line 1554]
SortByZOrder() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsViewManager.cpp,
line 61]
nsViewManager::DispatchEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsViewManager.cpp,
line 56]
nsView::ResetWidgetBounds() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/view/src/nsView.cpp,
line 60]
nsBaseWidget::GetRenderingContext() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/xpwidgets/nsBaseWidget.cpp,
line 1396]
nsWindow::OnScrollEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp,
line 1836]
nsWindow::IMEComposeText() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp,
line 4440]
libgtk-x11-2.0.so.0 + 0x10b352 (0x0021f352)
libgobject-2.0.so.0 + 0x8bc8 (0x00a32bc8)
libgobject-2.0.so.0 + 0x185be (0x00a425be)
libgobject-2.0.so.0 + 0x19c55 (0x00a43c55)
libgobject-2.0.so.0 + 0x1a249 (0x00a44249)
libgtk-x11-2.0.so.0 + 0x1e6ac3 (0x002faac3)
libgtk-x11-2.0.so.0 + 0x109fa5 (0x0021dfa5)
libgdk-x11-2.0.so.0 + 0x295ad (0x004335ad)
libgdk-x11-2.0.so.0 + 0x29680 (0x00433680)
libgdk-x11-2.0.so.0 + 0x29701 (0x00433701)
libglib-2.0.so.0 + 0x272ee (0x0099e2ee)
libglib-2.0.so.0 + 0x2507e (0x0099c07e)
libglib-2.0.so.0 + 0x28096 (0x0099f096)
libglib-2.0.so.0 + 0x28383 (0x0099f383)
libgtk-x11-2.0.so.0 + 0x1091b5 (0x0021d1b5)
GdkKeyCodeToDOMKeyCode() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsGtkKeyUtils.cpp,
line 174]
nsDownloadManager::Observe() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/components/downloads/src/nsDownloadManager.cpp,
line 503]
XRE_main() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 2249]
CheckArg() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 331]
libc.so.6 + 0x1549f (0x00e9d49f)

From a debug build: 
###!!! ASSERTION: colgroup data should not be null - bug 237421:
'mCols[i].mColGroup', file
/home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 340
Break: at file /home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 340
###!!! ASSERTION: colgroup data should not be null - bug 237421:
'mCols[i].mColGroup', file
/home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 340
Break: at file /home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 340
###!!! ASSERTION: colgroup data should not be null - bug 237421:
'mCols[i].mColGroup', file
/home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 259
Break: at file /home/aguthrie/moz/mozilla/layout/tables/nsTablePainter.cpp, line 259
*** glibc detected *** ./firefox-bin: double free or corruption (fasttop):
0x0a0ad4c0 ***
...

    
    

    
  
the testcase demonstrates that the issues in bug 281241 not only lead to wrong
layout but to crashes. This is no surprise as wrong frame structures are nearly
a guarantee for crash bugs.
Blocks: 281241

    
    

    
  

      
      
      
      

        Attached patch
          
          
        crash fix (obsolete)
        — Splinter Review
      

    


  
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 194667 [details] [diff] [review]
crash fix

Boris this is the thing that we talked on IRC last week. The usual suspects,
the table background painter relies on correct column information. Nobody did
that so strict before, so we need to fix the old  column bugs. But I think we
are pretty stable already now.

        Attachment #194667 -
        Flags: superreview?(bzbarsky)

        Attachment #194667 -
        Flags: review?(bzbarsky)

    
    

    
  
I won't be able to look at this until Tuesday.

    
    

    
  
np, I will change my flat, so I won't have time before friday to check it in.

    
    

    
  
Comment on attachment 194667 [details] [diff] [review]
crash fix

>Index: nsTableColGroupFrame.cpp
> nsTableColGroupFrame::AppendFrames(nsIAtom*        aListName,
>+  nsTableColFrame* col = GetFirstColumn();
>+  nsTableColFrame* nextCol;
>+  while (col && col->GetColType() == eColAnonymousColGroup) {
>+	// this colgroup  spans one ore more columns but now that there is 
>+	// real column below, so  spanned anonymous columns should be removed

I'm not sure I follow what's going on here...  What does it mean for the type
of a col to be eColAnonymousColGroup?  That it's been created because the
colgroup didn't have enough child cols and had a span, I guess?

>+    nextCol = col->GetNextCol();
>+    RemoveFrame(nsnull, col);

So we're just removing all such synthetic col frames that we inserted?	Would
those always be at the front of the frame list?

>+	col = nextCol;

Fix indent, please.  Same in a few other places.

Could you document the various functions that take col indices in
nsTableColGroupFrame.h with a brief explanation of what the indices there
should be?

    
    

    
  
>That it's been created because the
>colgroup didn't have enough child cols and had a span, I guess?

Not exactly take a single <colgroup> tag this will create one anonymous col below.
A <colgroup span="5"> will the create 5 anonymous cols below.
<colgroup span="5"><col></colgroup> will create 1!! content based col below and
ignore the span="5".
so what happens here is that we toggle from

<colgroup span="1"/>

to

<colgroup>
 <col>
</colgroup>

A colgroup can have only anonymous cols below or content based cols, it should
never mix those two types.

If there are content based cols then one can have span on these cols too. so one
would get eColAnonymousCol as a type for the spanned cols.

The last but most fancy type are the eColAnonymousCell type columns. Each table
even if no cols are specified creates col frames to cover all columns in the
table. You can have more columns than one would derive from the cellmap but
*never* less. If there are less columns then this last type is created. If it is
created a special anonymous colgroup is also created which harbors these
anonymous cell based columns.

    
    

    
  
or do you mean the valid range of the arguments?

    
    

    
  
Comment on attachment 194667 [details] [diff] [review]
crash fix

I don't know how I missed those comments... :(

>Index: nsTableColGroupFrame.cpp

> nsTableColGroupFrame::AppendFrames(nsIAtom*        aListName,
>+  while (col && col->GetColType() == eColAnonymousColGroup) {
>+	// this colgroup  spans one ore more columns but now that there is 
>+	// real column below, so  spanned anonymous columns should be removed

Fix indent.  And "colgroup spans one or more" (not "ore", and remove extra
space after "colgroup".  Also, remove the "so " after the comma.

>+    RemoveFrame(nsnull, col);
>+	col = nextCol;

Fix indent.

> nsTableColGroupFrame::InsertFrames(nsIAtom*        aListName,

Same comments here.

>@@ -625,12 +645,21 @@ void nsTableColGroupFrame::Dump(PRInt32 
>+  NS_ASSERTION((j- GetStartColumnIndex()) == GetColCount(), 

Space after |j|, please.

r+sr=bzbarsky

        Attachment #194667 -
        Flags: superreview?(bzbarsky)

        Attachment #194667 -
        Flags: superreview+

        Attachment #194667 -
        Flags: review?(bzbarsky)

        Attachment #194667 -
        Flags: review+

    
    

    
  


  

        Attachment #194667 -
        Attachment is obsolete: true

    
    

    
  
Is this bug fix already included in the nightly's? I would like to test if it
fixes the crash and redering problems.

    
    

    
  
Fix checked in on trunk.  Should be in tomorrow's nightlies.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
thanks Boris, you da man. Did I mention how dialin sucks?

    
    

    
  
Brilliant! It works like a charm, no more crashes, no more rendering issues.
Thank you very much!

    
    

    
  
Verified. Maybe this is something for the branch? Fixes a crash.
Status: RESOLVED → VERIFIED
Flags: blocking1.8b5?

    
    

    
  
Comment on attachment 194667 [details] [diff] [review]
crash fix

please do land this on the branch if it's safe.

        Attachment #194667 -
        Flags: approval1.8b5+

    
  
Flags: blocking1.8b5? → blocking1.8b5+

    
    

    
  
Fixed on branch
Keywords: fixed1.8

    
    

    
  
v.fixed on branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5)
Gecko/20050928 Firefox/1.4, no crashes and rendering is correct.
Keywords: fixed1.8verified1.8
Crash Signature: [@ ntdll.dll]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: