Closed Bug 13859 Opened 25 years ago Closed 25 years ago

[DOGFOOD] crash with unconstrained table inside box

Categories

(Core :: Layout, defect, P3)

VERIFIED FIXED

People

(Reporter: waterson, Assigned: waterson)

Details

(Whiteboard: [PDT-])

Attachments

(1 file)

karnaze: the above test crashes somewhere in cellmap code. maybe dbaron can
provide a simpler test case. My guess is that this has to do with an
unconstrained table inside a box. cc'ing all the usual suspects.

At line 483 in nsCellMap.cpp, the cellFrame local points to a deleted frame.
Stack trace below.



nsCellMap::GetCellInfoAt(int 1, int 0, int * 0x0012bdbc, int * 0x0012bdc0) line
483 + 16 bytes
nsTableFrame::GetCellInfoAt(int 1, int 0, int * 0x0012bdbc, int * 0x0012bdc0)
line 5222
BasicTableLayoutStrategy::AssignPercentageColumnWidths(int 2535, int 0) line
765 + 30 bytes
BasicTableLayoutStrategy::BalanceColumnWidths(nsIStyleContext * 0x02b7a5d0,
const nsHTMLReflowState & {...}, int 2625) line 181 + 37 bytes
nsTableFrame::BalanceColumnWidths(nsIPresContext & {...}, const
nsHTMLReflowState & {...}, const nsSize & {width=2625 height=1073741824},
nsSize * 0x00000000 {width=??? height=???}) line 3841
nsTableFrame::Reflow(nsTableFrame * const 0x02b7bb44, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 2257
nsContainerFrame::ReflowChild(nsIFrame * 0x02b7bb40, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 439 + 28 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x02b7d464, nsIPresContext
& {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 906 + 37 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02b7d460, const nsRect & {x=0
y=315 width=2625 height=1073741824}, int 1, int 0, int 0, nsMargin & {top=0
right=0 bottom=0 left=0}, unsigned int & 0) line 229 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox *
0x02c06fb0, int * 0x0012c724) line 2863 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x02c06fb0,
int * 0x0012c724, int 0) line 2303 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2097 + 24 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02b71064, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 1343 + 18 bytes
nsBoxFrame::FlowChildAt(nsIFrame * 0x02b71060, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
nsCalculatedBoxInfo & {...}, int & 0, nsString & {"initial"}) line 1051
nsBoxFrame::FlowChildren(nsIPresContext & {...}, nsHTMLReflowMetrics & {...},
const nsHTMLReflowState & {...}, unsigned int & 0, nsRect & {x=0 y=0 width=2625
height=7455}) line 682
nsBoxFrame::Reflow(nsBoxFrame * const 0x01e4cef4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 517
nsBoxFrame::FlowChildAt(nsIFrame * 0x01e4cef0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
nsCalculatedBoxInfo & {...}, int & 0, nsString & {"initial"}) line 1051
nsBoxFrame::FlowChildren(nsIPresContext & {...}, nsHTMLReflowMetrics & {...},
const nsHTMLReflowState & {...}, unsigned int & 0, nsRect & {x=0 y=0 width=9751
height=7800}) line 682
nsBoxFrame::Reflow(nsBoxFrame * const 0x01e45d04, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 517
nsBoxFrame::FlowChildAt(nsIFrame * 0x01e45d00, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
nsCalculatedBoxInfo & {...}, int & 0, nsString & {"initial"}) line 1051
nsBoxFrame::FlowChildren(nsIPresContext & {...}, nsHTMLReflowMetrics & {...},
const nsHTMLReflowState & {...}, unsigned int & 0, nsRect & {x=0 y=0 width=9751
height=7800}) line 682
nsBoxFrame::Reflow(nsBoxFrame * const 0x01e2fd8c, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 517
nsContainerFrame::ReflowChild(nsIFrame * 0x01e2fd88, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 439 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x02afecd4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 330
nsContainerFrame::ReflowChild(nsIFrame * 0x02afecd0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 439 + 28 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x02af4524, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 516
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x02c07950,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {width=9720
height=7800}, nsIRenderingContext & {...}) line 141
PresShell::ProcessReflowCommands(PresShell * const 0x02c82d90) line 1249
PresShell::ExitReflowLock(PresShell * const 0x02c82d90) line 600
PresShell::ContentAppended(PresShell * const 0x02c82d98, nsIDocument *
0x02ccddd0, nsIContent * 0x02ac5d10, int 0) line 1676
XULDocumentImpl::ContentAppended(XULDocumentImpl * const 0x02ccddd0, nsIContent
* 0x02ac5d10, int 0) line 2230
nsGenericHTMLContainerElement::AppendChildTo(nsIContent * 0x02c0718c, int 1)
line 2828
nsGenericHTMLContainerElement::InsertBefore(nsIDOMNode * 0x02c07180, nsIDOMNode
* 0x00000000, nsIDOMNode * * 0x0012dc70) line 2481 + 14 bytes
nsGenericHTMLContainerElement::AppendChild(nsIDOMNode * 0x02c07180, nsIDOMNode
* * 0x0012dc70) line 2668
nsHTMLTableCellElement::AppendChild(nsHTMLTableCellElement * const 0x02ac5d04,
nsIDOMNode * 0x02c07180, nsIDOMNode * * 0x0012dc70) line 61 + 22 bytes
NodeAppendChild(JSContext * 0x023835f0, JSObject * 0x01f71d48, unsigned int 1,
long * 0x02d6a350, long * 0x0012dd2c) line 617 + 25 bytes
js_Invoke(JSContext * 0x023835f0, unsigned int 1, unsigned int 0) line 654 + 26
bytes
js_Interpret(JSContext * 0x023835f0, long * 0x0012e55c) line 2228 + 15 bytes
js_Invoke(JSContext * 0x023835f0, unsigned int 0, unsigned int 0) line 670 + 13
bytes
js_Interpret(JSContext * 0x023835f0, long * 0x0012ed48) line 2228 + 15 bytes
js_Invoke(JSContext * 0x023835f0, unsigned int 1, unsigned int 0) line 670 + 13
bytes
js_Interpret(JSContext * 0x023835f0, long * 0x0012f534) line 2228 + 15 bytes
js_Invoke(JSContext * 0x023835f0, unsigned int 0, unsigned int 0) line 670 + 13
bytes
js_Interpret(JSContext * 0x023835f0, long * 0x0012fdc8) line 2228 + 15 bytes
js_Execute(JSContext * 0x023835f0, JSObject * 0x01dd1b80, JSScript *
0x02ba6e50, JSFunction * 0x00000000, JSStackFrame * 0x00000000, int 0, long *
0x0012fdc8) line 827 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x023835f0, JSObject * 0x01dd1b80,
JSPrincipals * 0x0295979c, const unsigned short * 0x0297da00, unsigned int 7,
const char * 0x00000000, unsigned int 0, long * 0x0012fdc8) line 2615 + 27
bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x0298fad0) line 1719 + 79 bytes
nsGlobalWindow_RunTimeout(nsITimer * 0x0298e2d0, void * 0x0298fad0) line 1621 +
15 bytes
TimerImpl::Fire(unsigned long 43560737) line 308 + 17 bytes
TimerImpl::ProcessTimeouts(unsigned long 43560737) line 187
FireTimeout(HWND__ * 0x00000000, unsigned int 275, unsigned int 29128, unsigned
long 43560737) line 101 + 9 bytes
USER32! 77e712a4()
nsAppShellService::Run(nsAppShellService * const 0x00aa2220) line 454
main1(int 1, char * * 0x00a31ba0) line 555 + 12 bytes
main(int 1, char * * 0x00a31ba0) line 578 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1ba3c()

*** Bug 11112 has been marked as a duplicate of this bug. ***

I'm not seeing this stack on my build and will have to pull in a while. Nothing
in the table code has changed to cause this, so I'm wondering if the box code is
to blame.

Assignee: karnaze → waterson

I ran this in Viewer and got the simpler stack below. Back to you ChrisW, since
RDF is in there.

8bfc4d89()
nsCOMPtr<nsINameSpaceManager>::assign_with_AddRef(nsISupports * 0x0029e85c const
nsString::`vftable') line 631
nsCOMPtr<nsINameSpaceManager>::operator=(const
nsDontQueryInterface<nsINameSpaceManager> & {...}) line 566
RDFContentSinkImpl::Init(RDFContentSinkImpl * const 0x0284eb60, nsIURI *
0x0012fce0, nsINameSpaceManager * 0x0029e85c const  nsString::`vftable') line
756
CViewSourceHTML::WillBuildModel(CViewSourceHTML * const 0x02868220, nsString &
{"http://www.fas.harvard.edu/~dbaron/nstmp/M9-2/when-com.rdf"}, int 1, nsString
& {"text/plain"}, nsIContentSink * 0x0284eb60) line 360
nsParser::WillBuildModel(nsString &
{"http://www.fas.harvard.edu/~dbaron/nstmp/M9-2/when-com.rdf"}, nsIDTD *
0x00000000) line 514
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 888 + 27 bytes
nsParser::OnDataAvailable(nsParser * const 0x0284e1a4, nsIChannel * 0x0284fb30,
nsISupports * 0x00000000, nsIInputStream * 0x02868e28, unsigned int 0, unsigned
int 2632) line 1294 + 19 bytes
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const
0x02868ea0, nsIChannel * 0x0284f760, nsISupports * 0x0284fb30, nsIInputStream *
0x02868e28, unsigned int 0, unsigned int 2632) line 186 + 47 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x02868dc0)
line 345
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x02868dc4) line 144 + 12 bytes
PL_HandleEvent(PLEvent * 0x02868dc4) line 509 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f78650) line 470 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00010558, unsigned int 49327, unsigned int 0,
long 16221776) line 938 + 9 bytes
USER32! DispatchMessageWorker@8 + 135 bytes
USER32! DispatchMessageA@4 + 11 bytes
nsNativeViewerApp::Run() line 71
main(int 2, char * * 0x00f30030) line 133 + 11 bytes
mainCRTStartup() line 338 + 17 bytes

karnaze: i do not see this. you've got an up-to-date tree, etc.?

I pulled around noon today.

Status: NEW → ASSIGNED
Summary: crash with unconstrained table inside box → [DOGFOOD] crash with unconstrained table inside box
Target Milestone: M12

Can you give us exact steps to reproduce?  How frequent would someone hit this
problem outside of this testcase?

This bug deals with mixed XUL and HTML, so, on the web, never.  But it still
shouldn't happen.  (However, I'm not currently seeing the crash, but that could
be because JS security prevents it from running...)

Whiteboard: [PDT-]

Will fix for Beta, but not needed for dogfood.  Marking PDT-

Severity: normal → major
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED

karnaze: you must've fixed this. it works like a champ now.

Status: RESOLVED → VERIFIED

With the Nov 19th build (Mac, Linux, and Linux), this problem has been fixed.