Closed Bug 1323647 Opened 8 years ago Closed 7 years ago

stylo: dom/base/crashtests/387460-1.html crashes in table layout code

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox55 --- fixed

People

(Reporter: heycam, Unassigned)

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::Length (this=0x0) at /z/stylo/hg-incubator/obj/dist/include/nsTArray.h:514
514	  size_type Length() const { return mHdr->mLength; }
(gdb) bt
#0  nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::Length (this=0x0) at /z/stylo/hg-incubator/obj/dist/include/nsTArray.h:514
#1  0x00007fffe7204f9b in nsTArray_Impl<nsTArray<CellData*>, nsTArrayInfallibleAllocator>::ElementAt (this=0x0, aIndex=0) at /z/stylo/hg-incubator/obj/dist/include/nsTArray.h:1169
#2  0x00007fffe71fc5fd in nsTArray_Impl<nsTArray<CellData*>, nsTArrayInfallibleAllocator>::operator[] (this=0x0, aIndex=0) at /z/stylo/hg-incubator/obj/dist/include/nsTArray.h:1199
#3  0x00007fffe71b8e07 in nsCellMapColumnIterator::GetNextFrame (this=0x7ffffffed0c8, aRow=0x7ffffffed0c4, aColSpan=0x7ffffffed0c0) at /z/stylo/hg-incubator/layout/tables/nsCellMap.cpp:2670
#4  0x00007fffe71b8764 in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes (this=0x7fffb6bb9d30, aRenderingContext=0x7fffffff2180) at /z/stylo/hg-incubator/layout/tables/BasicTableLayoutStrategy.cpp:311
#5  0x00007fffe71b8062 in BasicTableLayoutStrategy::ComputeIntrinsicISizes (this=0x7fffb6bb9d30, aRenderingContext=0x7fffffff2180) at /z/stylo/hg-incubator/layout/tables/BasicTableLayoutStrategy.cpp:429
#6  0x00007fffe71b800f in BasicTableLayoutStrategy::GetMinISize (this=0x7fffb6bb9d30, aRenderingContext=0x7fffffff2180) at /z/stylo/hg-incubator/layout/tables/BasicTableLayoutStrategy.cpp:48
#7  0x00007fffe71d21ef in nsTableFrame::GetMinISize (this=0x7fffb111de60, aRenderingContext=0x7fffffff2180) at /z/stylo/hg-incubator/layout/tables/nsTableFrame.cpp:1580
#8  0x00007fffe71d5460 in nsTableFrame::TableShrinkISizeToFit (this=0x7fffb111de60, aRenderingContext=0x7fffffff2180, aISizeInCB=17040) at /z/stylo/hg-incubator/layout/tables/nsTableFrame.cpp:1659
#9  0x00007fffe71d55ab in nsTableFrame::ComputeAutoSize (this=0x7fffb111de60, aRenderingContext=0x7fffffff2180, aWM=..., aCBSize=..., aAvailableISize=17040, aMargin=..., aBorder=..., aPadding=..., aFlags=nsIFrame::eShrinkWrap)
    at /z/stylo/hg-incubator/layout/tables/nsTableFrame.cpp:1695
#10 0x00007fffe7058967 in nsFrame::ComputeSize (this=0x7fffb111de60, aRenderingContext=0x7fffffff2180, aWM=..., aCBSize=..., aAvailableISize=17040, aMargin=..., aBorder=..., aPadding=..., aFlags=nsIFrame::eShrinkWrap)
    at /z/stylo/hg-incubator/layout/generic/nsFrame.cpp:4703
#11 0x00007fffe71d5285 in nsTableFrame::ComputeSize (this=0x7fffb111de60, aRenderingContext=0x7fffffff2180, aWM=..., aCBSize=..., aAvailableISize=17040, aMargin=..., aBorder=..., aPadding=..., aFlags=nsIFrame::eShrinkWrap)
    at /z/stylo/hg-incubator/layout/tables/nsTableFrame.cpp:1626
#12 0x00007fffe71f6172 in nsTableWrapperFrame::ChildShrinkWrapISize (this=0x7fffb111dde0, aRenderingContext=0x7fffffff2180, aChildFrame=0x7fffb111de60, aWM=..., aCBSize=..., aAvailableISize=17040, aMarginResult=0x0)
    at /z/stylo/hg-incubator/layout/tables/nsTableWrapperFrame.cpp:414
#13 0x00007fffe71f6404 in nsTableWrapperFrame::ComputeAutoSize (this=0x7fffb111dde0, aRenderingContext=0x7fffffff2180, aWM=..., aCBSize=..., aAvailableISize=17040, aMargin=..., aBorder=..., aPadding=..., aFlags=nsIFrame::eDefault)
    at /z/stylo/hg-incubator/layout/tables/nsTableWrapperFrame.cpp:447
#14 0x00007fffe7058967 in nsFrame::ComputeSize (this=0x7fffb111dde0, aRenderingContext=0x7fffffff2180, aWM=..., aCBSize=..., aAvailableISize=17040, aMargin=..., aBorder=..., aPadding=..., aFlags=nsIFrame::eDefault)
    at /z/stylo/hg-incubator/layout/generic/nsFrame.cpp:4703
#15 0x00007fffe700426c in mozilla::ReflowInput::InitConstraints (this=0x7ffffffeefe8, aPresContext=0x7fffce083000, aContainingBlockSize=..., aBorder=0x0, aPadding=0x0, aFrameType=0x7fffd356cb50)
    at /z/stylo/hg-incubator/layout/generic/ReflowInput.cpp:2446
#16 0x00007fffe6fffeb0 in mozilla::ReflowInput::Init (this=0x7ffffffeefe8, aPresContext=0x7fffce083000, aContainingBlockSize=0x0, aBorder=0x0, aPadding=0x0) at /z/stylo/hg-incubator/layout/generic/ReflowInput.cpp:399
#17 0x00007fffe70014ca in mozilla::ReflowInput::ReflowInput (this=0x7ffffffeefe8, aPresContext=0x7fffce083000, aParentReflowInput=..., aFrame=0x7fffb111dde0, aAvailableSpace=..., aContainingBlockSize=0x0, aFlags=0)
    at /z/stylo/hg-incubator/layout/generic/ReflowInput.cpp:258
#18 0x00007fffe7035b53 in nsBlockReflowContext::ComputeCollapsedBStartMargin (this=0x7ffffffefa78, aRI=..., aMargin=0x7fffffff07e8, aClearanceFrame=0x0, aMayNeedRetry=0x7ffffffefa23, aBlockIsEmpty=0x0)
    at /z/stylo/hg-incubator/layout/generic/nsBlockReflowContext.cpp:166
#19 0x00007fffe70323f8 in nsBlockFrame::ReflowBlockFrame (this=0x7fffb111cd30, aState=..., aLine=..., aKeepReflowGoing=0x7fffffff00bf) at /z/stylo/hg-incubator/layout/generic/nsBlockFrame.cpp:3267
#20 0x00007fffe70307e2 in nsBlockFrame::ReflowLine (this=0x7fffb111cd30, aState=..., aLine=..., aKeepReflowGoing=0x7fffffff00bf) at /z/stylo/hg-incubator/layout/generic/nsBlockFrame.cpp:2798
#21 0x00007fffe702bde4 in nsBlockFrame::ReflowDirtyLines (this=0x7fffb111cd30, aState=...) at /z/stylo/hg-incubator/layout/generic/nsBlockFrame.cpp:2337
#22 0x00007fffe70285b2 in nsBlockFrame::Reflow (this=0x7fffb111cd30, aPresContext=0x7fffce083000, aMetrics=..., aReflowInput=..., aStatus=@0x7fffffff1230: 0) at /z/stylo/hg-incubator/layout/generic/nsBlockFrame.cpp:1200
#23 0x00007fffe704ebb7 in nsContainerFrame::ReflowChild (this=0x7fffb111c408, aKidFrame=0x7fffb111cd30, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aWM=..., aPos=..., aContainerSize=..., aFlags=0, 
    aStatus=@0x7fffffff1230: 0, aTracker=0x0) at /z/stylo/hg-incubator/layout/generic/nsContainerFrame.cpp:1027
#24 0x00007fffe704e1c8 in nsCanvasFrame::Reflow (this=0x7fffb111c408, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aStatus=@0x7fffffff1230: 0) at /z/stylo/hg-incubator/layout/generic/nsCanvasFrame.cpp:677
#25 0x00007fffe704ebb7 in nsContainerFrame::ReflowChild (this=0x7fffb111c498, aKidFrame=0x7fffb111c408, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aWM=..., aPos=..., aContainerSize=..., aFlags=3, 
    aStatus=@0x7fffffff1230: 0, aTracker=0x0) at /z/stylo/hg-incubator/layout/generic/nsContainerFrame.cpp:1027
#26 0x00007fffe70b2780 in nsHTMLScrollFrame::ReflowScrolledFrame (this=0x7fffb111c498, aState=0x7fffffff1710, aAssumeHScroll=false, aAssumeVScroll=false, aMetrics=0x7fffffff1508, aFirstPass=true)
    at /z/stylo/hg-incubator/layout/generic/nsGfxScrollFrame.cpp:552
#27 0x00007fffe70b3018 in nsHTMLScrollFrame::ReflowContents (this=0x7fffb111c498, aState=0x7fffffff1710, aDesiredSize=...) at /z/stylo/hg-incubator/layout/generic/nsGfxScrollFrame.cpp:664
#28 0x00007fffe70b44b0 in nsHTMLScrollFrame::Reflow (this=0x7fffb111c498, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aStatus=@0x7fffffff1f54: 0) at /z/stylo/hg-incubator/layout/generic/nsGfxScrollFrame.cpp:1039
#29 0x00007fffe70557ff in nsContainerFrame::ReflowChild (this=0x7fffb111c148, aKidFrame=0x7fffb111c498, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aX=0, aY=0, aFlags=0, aStatus=@0x7fffffff1f54: 0, aTracker=0x0)
    at /z/stylo/hg-incubator/layout/generic/nsContainerFrame.cpp:1070
#30 0x00007fffe70147f3 in mozilla::ViewportFrame::Reflow (this=0x7fffb111c148, aPresContext=0x7fffce083000, aDesiredSize=..., aReflowInput=..., aStatus=@0x7fffffff1f54: 0) at /z/stylo/hg-incubator/layout/generic/ViewportFrame.cpp:316
#31 0x00007fffe6ef16e3 in mozilla::PresShell::DoReflow (this=0x7fffb860b000, target=0x7fffb111c148, aInterruptible=false) at /z/stylo/hg-incubator/layout/base/PresShell.cpp:9401
#32 0x00007fffe6ef9865 in mozilla::PresShell::ProcessReflowCommands (this=0x7fffb860b000, aInterruptible=false) at /z/stylo/hg-incubator/layout/base/PresShell.cpp:9574
#33 0x00007fffe6ef9435 in mozilla::PresShell::FlushPendingNotifications (this=0x7fffb860b000, aFlush=...) at /z/stylo/hg-incubator/layout/base/PresShell.cpp:4150
#34 0x00007fffe6ef8ca0 in mozilla::PresShell::FlushPendingNotifications (this=0x7fffb860b000, aType=Flush_Layout) at /z/stylo/hg-incubator/layout/base/PresShell.cpp:4007
#35 0x00007fffe48a6bf2 in nsDocument::FlushPendingNotifications (this=0x7fffcdc17000, aType=Flush_Layout) at /z/stylo/hg-incubator/dom/base/nsDocument.cpp:7756
#36 0x00007fffe48c39b9 in nsFocusManager::CheckIfFocusable (this=0x7fffdfe97120, aContent=0x7fffb5cc3ef0, aFlags=0) at /z/stylo/hg-incubator/dom/base/nsFocusManager.cpp:1550
#37 0x00007fffe48c2044 in nsFocusManager::SetFocusInner (this=0x7fffdfe97120, aNewContent=0x7fffb5cc3ef0, aFlags=0, aFocusChanged=true, aAdjustWidget=true) at /z/stylo/hg-incubator/dom/base/nsFocusManager.cpp:1180
#38 0x00007fffe48c3677 in nsFocusManager::SetFocus (this=0x7fffdfe97120, aElement=0x7fffb5cc3f78, aFlags=0) at /z/stylo/hg-incubator/dom/base/nsFocusManager.cpp:484
#39 0x00007fffe476532a in mozilla::dom::Element::Focus (this=0x7fffb5cc3ef0, aError=...) at /z/stylo/hg-incubator/dom/base/Element.cpp:315
#40 0x00007fffe569d576 in mozilla::dom::HTMLElementBinding::focus (cx=0x7fffdbbb7000, obj=..., self=0x7fffb5cc3ef0, args=...) at /z/stylo/hg-incubator/obj/dom/bindings/HTMLElementBinding.cpp:462
#41 0x00007fffe58aa6f2 in mozilla::dom::GenericBindingMethod (cx=0x7fffdbbb7000, argc=0, vp=0x7fffd353e118) at /z/stylo/hg-incubator/dom/bindings/BindingUtils.cpp:2886
#42 0x00007fffe96a761d in js::CallJSNative (cx=0x7fffdbbb7000, native=0x7fffe58aa490 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /z/stylo/hg-incubator/js/src/jscntxtinlines.h:239
#43 0x00007fffe968b470 in js::InternalCallOrConstruct (cx=0x7fffdbbb7000, args=..., construct=js::NO_CONSTRUCT) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:457
#44 0x00007fffe968b86f in InternalCall (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:502
#45 0x00007fffe968b66d in js::CallFromStack (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:508
#46 0x00007fffe967fe76 in Interpret (cx=0x7fffdbbb7000, state=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:2919
#47 0x00007fffe96752d0 in js::RunScript (cx=0x7fffdbbb7000, state=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:403
#48 0x00007fffe968b568 in js::InternalCallOrConstruct (cx=0x7fffdbbb7000, args=..., construct=js::NO_CONSTRUCT) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:475
#49 0x00007fffe968b86f in InternalCall (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:502
#50 0x00007fffe968b8e6 in js::Call (cx=0x7fffdbbb7000, fval=..., thisv=..., args=..., rval=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:521
#51 0x00007fffe937d1b0 in JS::Call (cx=0x7fffdbbb7000, thisv=..., fval=..., args=..., rval=...) at /z/stylo/hg-incubator/js/src/jsapi.cpp:2830
#52 0x00007fffe554500d in mozilla::dom::EventListener::HandleEvent (this=0x7fffb116d2c0, cx=0x7fffdbbb7000, aThisVal=..., event=..., aRv=...) at /z/stylo/hg-incubator/obj/dom/bindings/EventListenerBinding.cpp:47
#53 0x00007fffe5b800e6 in mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*> (this=0x7fffb116d2c0, thisVal=@0x7fffffff6a10: 0x7fffce072000, event=..., aRv=..., 
    aExecutionReason=0x7fffeacd9914 "EventListener.handleEvent", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aCompartment=0x0) at /z/stylo/hg-incubator/obj/dist/include/mozilla/dom/EventListenerBinding.h:64
#54 0x00007fffe5b60853 in mozilla::EventListenerManager::HandleEventSubType (this=0x7fffb5cb4d70, aListener=0x7fffb5cb4da0, aDOMEvent=0x7fffcd79b8c0, aCurrentTarget=0x7fffce072000)
    at /z/stylo/hg-incubator/dom/events/EventListenerManager.cpp:1130
#55 0x00007fffe5b60fbe in mozilla::EventListenerManager::HandleEventInternal (this=0x7fffb5cb4d70, aPresContext=0x7fffce083000, aEvent=0x7fffb67dee50, aDOMEvent=0x7fffffff6f80, aCurrentTarget=0x7fffce072000, aEventStatus=0x7fffffff6f88)
    at /z/stylo/hg-incubator/dom/events/EventListenerManager.cpp:1286
#56 0x00007fffe5b8af7d in mozilla::EventListenerManager::HandleEvent (this=0x7fffb5cb4d70, aPresContext=0x7fffce083000, aEvent=0x7fffb67dee50, aDOMEvent=0x7fffffff6f80, aCurrentTarget=0x7fffce072000, aEventStatus=0x7fffffff6f88)
    at /z/stylo/hg-incubator/obj/dist/include/mozilla/EventListenerManager.h:374
#57 0x00007fffe5b7dd38 in mozilla::EventTargetChainItem::HandleEvent (this=0x7fffbfe5d120, aVisitor=..., aCd=...) at /z/stylo/hg-incubator/dom/events/EventDispatcher.cpp:314
#58 0x00007fffe5b586e8 in mozilla::EventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /z/stylo/hg-incubator/dom/events/EventDispatcher.cpp:441
#59 0x00007fffe5b59ddf in mozilla::EventDispatcher::Dispatch (aTarget=0x7fffbef92d80, aPresContext=0x7fffce083000, aEvent=0x7fffb67dee50, aDOMEvent=0x7fffcd79b8c0, aEventStatus=0x7fffffff720c, aCallback=0x0, aTargets=0x0)
    at /z/stylo/hg-incubator/dom/events/EventDispatcher.cpp:820
#60 0x00007fffe5b5a359 in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=0x7fffbef92d80, aEvent=0x0, aDOMEvent=0x7fffcd79b8c0, aPresContext=0x7fffce083000, aEventStatus=0x7fffffff720c)
    at /z/stylo/hg-incubator/dom/events/EventDispatcher.cpp:886
#61 0x00007fffe4939285 in nsINode::DispatchEvent (this=0x7fffbef92d80, aEvent=0x7fffcd79b8c0, aRetVal=0x7fffffff72cf) at /z/stylo/hg-incubator/dom/base/nsINode.cpp:1298
#62 0x00007fffe5b20253 in mozilla::AsyncEventDispatcher::Run (this=0x7fffb6ba9a60) at /z/stylo/hg-incubator/dom/events/AsyncEventDispatcher.cpp:54
#63 0x00007fffe4649ab0 in nsContentUtils::RemoveScriptBlocker () at /z/stylo/hg-incubator/dom/base/nsContentUtils.cpp:5221
#64 0x00007fffe4039dd9 in nsAutoScriptBlocker::~nsAutoScriptBlocker (this=0x7fffffff73f8) at /z/stylo/hg-incubator/dom/base/nsContentUtils.h:2886
#65 0x00007fffe476cd98 in mozilla::dom::Element::SetAttr (this=0x7fffbef92d80, aNamespaceID=0, aName=0x7fffd355a970, aPrefix=0x0, aValue=..., aNotify=true) at /z/stylo/hg-incubator/dom/base/Element.cpp:2375
#66 0x00007fffe5dbb8e7 in nsGenericHTMLElement::SetAttr (this=0x7fffbef92d80, aNameSpaceID=0, aName=0x7fffd355a970, aPrefix=0x0, aValue=..., aNotify=true) at /z/stylo/hg-incubator/dom/html/nsGenericHTMLElement.cpp:825
#67 0x00007fffe4748c53 in mozilla::dom::Element::SetAttr (this=0x7fffbef92d80, aNameSpaceID=0, aName=0x7fffd355a970, aValue=..., aNotify=true) at /z/stylo/hg-incubator/obj/dist/include/mozilla/dom/Element.h:534
#68 0x00007fffe4768ff9 in mozilla::dom::Element::SetAttribute (this=0x7fffbef92d80, aName=..., aValue=..., aError=...) at /z/stylo/hg-incubator/dom/base/Element.cpp:1246
#69 0x00007fffe5593948 in mozilla::dom::ElementBinding::setAttribute (cx=0x7fffdbbb7000, obj=..., self=0x7fffbef92d80, args=...) at /z/stylo/hg-incubator/obj/dom/bindings/ElementBinding.cpp:725
#70 0x00007fffe58aa6f2 in mozilla::dom::GenericBindingMethod (cx=0x7fffdbbb7000, argc=2, vp=0x7fffd353e088) at /z/stylo/hg-incubator/dom/bindings/BindingUtils.cpp:2886
#71 0x00007fffe96a761d in js::CallJSNative (cx=0x7fffdbbb7000, native=0x7fffe58aa490 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /z/stylo/hg-incubator/js/src/jscntxtinlines.h:239
#72 0x00007fffe968b470 in js::InternalCallOrConstruct (cx=0x7fffdbbb7000, args=..., construct=js::NO_CONSTRUCT) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:457
#73 0x00007fffe968b86f in InternalCall (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:502
#74 0x00007fffe968b66d in js::CallFromStack (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:508
#75 0x00007fffe967fe76 in Interpret (cx=0x7fffdbbb7000, state=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:2919
#76 0x00007fffe96752d0 in js::RunScript (cx=0x7fffdbbb7000, state=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:403
#77 0x00007fffe968b568 in js::InternalCallOrConstruct (cx=0x7fffdbbb7000, args=..., construct=js::NO_CONSTRUCT) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:475
#78 0x00007fffe968b86f in InternalCall (cx=0x7fffdbbb7000, args=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:502
#79 0x00007fffe968b8e6 in js::Call (cx=0x7fffdbbb7000, fval=..., thisv=..., args=..., rval=...) at /z/stylo/hg-incubator/js/src/vm/Interpreter.cpp:521
#80 0x00007fffe937d1b0 in JS::Call (cx=0x7fffdbbb7000, thisv=..., fval=..., args=..., rval=...) at /z/stylo/hg-incubator/js/src/jsapi.cpp:2830
#81 0x00007fffe55f314d in mozilla::dom::Function::Call (this=0x7fffb37dce40, cx=0x7fffdbbb7000, aThisVal=..., arguments=..., aRetVal=..., aRv=...) at /z/stylo/hg-incubator/obj/dom/bindings/FunctionBinding.cpp:36
#82 0x00007fffe46f5cad in mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > (this=0x7fffb37dce40, thisVal=..., arguments=..., aRetVal=..., aRv=..., aExecutionReason=0x7fffeabb68bb "setTimeout handler", 
    aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aCompartment=0x0) at /z/stylo/hg-incubator/obj/dist/include/mozilla/dom/FunctionBinding.h:70
#83 0x00007fffe46dd53c in nsGlobalWindow::RunTimeoutHandler (this=0x7fffce072000, aTimeout=0x7fffb6b96b00, aScx=0x7fffb37dc300) at /z/stylo/hg-incubator/dom/base/nsGlobalWindow.cpp:12931
#84 0x00007fffe46ddef0 in nsGlobalWindow::RunTimeout (this=0x7fffce072000, aTimeout=0x7fffb6b96b00) at /z/stylo/hg-incubator/dom/base/nsGlobalWindow.cpp:13194
#85 0x00007fffe47fb8ce in mozilla::dom::(anonymous namespace)::TimerCallback (aClosure=0x7fffb6b96b00) at /z/stylo/hg-incubator/dom/base/Timeout.cpp:63
#86 0x00007fffe2afc00c in nsTimerImpl::Fire (this=0x7fffb6ba9220) at /z/stylo/hg-incubator/xpcom/threads/nsTimerImpl.cpp:475
#87 0x00007fffe2ac927b in nsTimerEvent::Run (this=0x7fffd1727020) at /z/stylo/hg-incubator/xpcom/threads/TimerThread.cpp:301
#88 0x00007fffe2aea6cb in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable (this=0x7fffb13ed9d0) at /z/stylo/hg-incubator/xpcom/threads/ThrottledEventQueue.cpp:161
#89 0x00007fffe2aea371 in mozilla::ThrottledEventQueue::Inner::Executor::Run (this=0x7fffd17283d0) at /z/stylo/hg-incubator/xpcom/threads/ThrottledEventQueue.cpp:74
#90 0x00007fffe2ad0ca8 in nsThread::ProcessNextEvent (this=0x7fffdfe3d300, aMayWait=false, aResult=0x7fffffffbd4e) at /z/stylo/hg-incubator/xpcom/threads/nsThread.cpp:1213
#91 0x00007fffe2b505fc in NS_ProcessNextEvent (aThread=0x7fffdfe3d300, aMayWait=false) at /z/stylo/hg-incubator/xpcom/glue/nsThreadUtils.cpp:381
#92 0x00007fffe33cb0e9 in mozilla::ipc::MessagePump::Run (this=0x7fffdfe98a80, aDelegate=0x7ffff6bb2410) at /z/stylo/hg-incubator/ipc/glue/MessagePump.cpp:96
#93 0x00007fffe33296c5 in MessageLoop::RunInternal (this=0x7ffff6bb2410) at /z/stylo/hg-incubator/ipc/chromium/src/base/message_loop.cc:232
#94 0x00007fffe3329645 in MessageLoop::RunHandler (this=0x7ffff6bb2410) at /z/stylo/hg-incubator/ipc/chromium/src/base/message_loop.cc:225
#95 0x00007fffe332961d in MessageLoop::Run (this=0x7ffff6bb2410) at /z/stylo/hg-incubator/ipc/chromium/src/base/message_loop.cc:205
#96 0x00007fffe6ad4003 in nsBaseAppShell::Run (this=0x7fffd35e7970) at /z/stylo/hg-incubator/widget/nsBaseAppShell.cpp:156
#97 0x00007fffe7cab192 in nsAppStartup::Run (this=0x7fffd35ef880) at /z/stylo/hg-incubator/toolkit/components/startup/nsAppStartup.cpp:283
#98 0x00007fffe7da48ac in XREMain::XRE_mainRun (this=0x7fffffffc728) at /z/stylo/hg-incubator/toolkit/xre/nsAppRunner.cpp:4485
#99 0x00007fffe7da5396 in XREMain::XRE_main (this=0x7fffffffc728, argc=4, argv=0x7fffffffdc08, aAppData=0x7fffffffc9e8) at /z/stylo/hg-incubator/toolkit/xre/nsAppRunner.cpp:4618
#100 0x00007fffe7da5b6f in XRE_main (argc=4, argv=0x7fffffffdc08, aAppData=0x7fffffffc9e8, aFlags=0) at /z/stylo/hg-incubator/toolkit/xre/nsAppRunner.cpp:4709
#101 0x000000000040633f in do_main (argc=4, argv=0x7fffffffdc08, envp=0x7fffffffdc30, xreDirectory=0x7ffff6b5eb40) at /z/stylo/hg-incubator/browser/app/nsBrowserApp.cpp:328
#102 0x0000000000405a62 in main (argc=4, argv=0x7fffffffdc08, envp=0x7fffffffdc30) at /z/stylo/hg-incubator/browser/app/nsBrowserApp.cpp:461

We're ending up in nsCellMapColumnIterator::GetNextFrame in this code:

  while (1) {
    NS_ASSERTION(mCurMapRow < mCurMapRelevantRowCount, "Bogus mOrigCells?");
    // Safe to just get the row (which is faster than calling GetDataAt(), but
    // there may not be that many cells in it, so have to use SafeElementAt for
    // the mCol.
    const nsCellMap::CellDataArray& row = mCurMap->mRows[mCurMapRow];
    CellData* cellData = row.SafeElementAt(mCol);

The NS_ASSERTION fails: both values are 0.  Then the next bit crashes, because mCurMap is null, which is a fine thing for it to be if there is no next row.

mOrigCells is 2.  mFoundCells is 1.  Our cellmap thinks there are two cells originating in column 0, which is wrong, afaict: with that rowspan there should be only one cell originating there.

Why _stylo_ is involved and in what capacity I can't tell yet.
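
Added example (not Gecko code and not the change that landed for this bug): a simplified model of the iterator state described in the comment above, where a cached mOrigCells of 2 against one real originating cell walks the iterator off the last cell map, and a null check on mCurMap turns that into a reported inconsistency. ColumnIterator, the CellMap struct, WalkColumn, originates and aInconsistent are hypothetical names; the table is constructed sample input.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model of the state described above (hypothetical, not Gecko code).
struct CellData { bool originates; };      // false = slot covered by a rowspan
using Row = std::vector<CellData*>;
struct CellMap {
  std::vector<Row> rows;
  CellMap* next = nullptr;                 // null after the last row group
};

class ColumnIterator {
 public:
  ColumnIterator(CellMap* aFirst, size_t aCol, unsigned aOrigCells)
      : mCurMap(aFirst), mCol(aCol), mOrigCells(aOrigCells) {}

  // Returns the next cell originating in the column, or nullptr when done.
  // *aInconsistent is set when the cached count promised more cells than the
  // maps contain, the case where an unchecked loop dereferences a null map.
  CellData* GetNextFrame(bool* aInconsistent) {
    *aInconsistent = false;
    while (mFoundCells < mOrigCells) {
      while (mCurMap && mCurMapRow >= mCurMap->rows.size()) {
        mCurMap = mCurMap->next;           // ran out of rows: next map or null
        mCurMapRow = 0;
      }
      if (!mCurMap) {                      // validate before indexing rows
        *aInconsistent = true;
        return nullptr;
      }
      const Row& row = mCurMap->rows[mCurMapRow++];
      CellData* cell = mCol < row.size() ? row[mCol] : nullptr;
      if (cell && cell->originates) {
        ++mFoundCells;
        return cell;
      }
    }
    return nullptr;
  }

 private:
  CellMap* mCurMap;
  size_t mCol;
  size_t mCurMapRow = 0;
  unsigned mOrigCells;
  unsigned mFoundCells = 0;
};

// Constructed input: one column, two rows, a single cell with rowspan=2.
// Returns the number of cells found, or -1 if the cached count was wrong.
int WalkColumn(unsigned aCachedOrigCells) {
  CellData orig{true}, spanned{false};
  CellMap map;
  map.rows = {Row{&orig}, Row{&spanned}};
  ColumnIterator iter(&map, 0, aCachedOrigCells);
  bool inconsistent = false;
  int found = 0;
  while (iter.GetNextFrame(&inconsistent)) ++found;
  return inconsistent ? -1 : found;
}

int main() {
  std::printf("count=1 -> %d, count=2 -> %d\n", WalkColumn(1), WalkColumn(2));
}
```
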
Priority: -- → P3
https://hg.mozilla.org/mozilla-central/rev/ad5856c55a94
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55