Closed
Bug 368166
Opened 18 years ago
Closed 18 years ago
[FIX]Crash [@ nsCellMapColumnIterator::GetNextFrame] removing cell with rowspan
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files, 1 obsolete file)
|
324 bytes,
application/xhtml+xml
|
Details | |
|
8.92 KB,
patch
|
bernd_mozilla
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
Loading the testcase makes Firefox (Mac debug) assert and crash. ###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 327 Crash [@ nsCellMapColumnIterator::GetNextFrame]
|
Reporter | |
Comment 1•18 years ago
|
||
I'm guessing this is a regression from bug 352461 or bug 367749.
|
Assignee | |
Comment 2•18 years ago
|
||
On the one hand, this is a regression from bug 352461 -- the crash wasn't there before. But the underlying bug (an nsCellMap whose mRows.Count() is less than its mContentRowCount) was there ever since bug 344000 got fixed. The patch just backs out one part of bug 344000, basically. Not sure how one could trigger a crash with this setup before bug 352461 landed, though. Bernd might know. I checked, and this should not be an issue on branches.
|
|
Assignee | |
Comment 3•18 years ago
|
||
Attachment #252788 -
Flags: superreview?(roc)
Attachment #252788 -
Flags: review?(bernd_mozilla)
|
|
Assignee | |
Updated•18 years ago
|
Assignee: nobody → bzbarsky
Flags: in-testsuite?
Summary: Crash [@ nsCellMapColumnIterator::GetNextFrame] removing cell with rowspan → [FIX]Crash [@ nsCellMapColumnIterator::GetNextFrame] removing cell with rowspan
Target Milestone: --- → mozilla1.9alpha
I am not confident that the patch is correct, so it will take more time than usual to r- it. Did your cellmap iterator made assumptions about the relationship between mContentRowCount and mRows.Length like mContentRowCount <= mRows.Length tThere is no such invariant in the cellmap
|
|
Assignee | |
Comment 5•18 years ago
|
||
Comment on attachment 252788 [details] [diff] [review] The comments should describe what the issue is... Yeah, I'm making that assumption. OK, let me undo that. ;)
Attachment #252788 -
Flags: superreview?(roc)
Attachment #252788 -
Flags: superreview-
Attachment #252788 -
Flags: review?(bernd_mozilla)
Attachment #252788 -
Flags: review-
|
|
Assignee | |
Comment 6•18 years ago
|
||
Attachment #252788 -
Attachment is obsolete: true
Attachment #252828 -
Flags: superreview?(roc)
Attachment #252828 -
Flags: review?(bernd_mozilla)
Comment on attachment 252828 [details] [diff] [review] Better fix + // The number of "relevant" rows in mCurMap. That is, the number of rows + // which might have an originating cell in them. This comment is wrong. mRows.Length is not the number of rows with originating cells but the number of rows with cellmap entries. If you have dead rowspan, then the entries for the rowspanned cells will be in rows that contribute to mRows.Length
Attachment #252828 -
Flags: review?(bernd_mozilla) → review+
|
|
Assignee | |
Comment 8•18 years ago
|
||
> mRows.Length is not the number of rows with originating cells
Right. Which is why the member in question is PR_MIN(mRows.Length(), mContentRowCount).
So I think I stand by the comment...
Attachment #252828 -
Flags: superreview?(roc) → superreview+
I was talking about PR_MIN(mRows.Length(), mContentRowCount), but "relevant" in this context means relevant to the iterator and not to the cellmap, so your comment is correct, I didn't grasp it on first read.
|
|
Assignee | |
Comment 10•18 years ago
|
||
Fixed this morning.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ nsCellMapColumnIterator::GetNextFrame]
You need to log in
before you can comment on or make changes to this bug.
Description
•