Closed Bug 18637 Opened 25 years ago Closed 24 years ago

[INC CONTEN SINK] JS row.rowIndex= crashes in nsCellMap::GetCellInfoAt

Categories

(Core :: Layout: Tables, defect, P1)

x86
Windows NT
defect

VERIFIED WORKSFORME

People

(Reporter: selmer, Assigned: karnaze)

Details

(Keywords: crash)

Attachments

(1 file)

I've created a new testcase that exercises moving rows within a table.  The test
works fine unless I call it as the onload handler and then it crashes.  If I use
setTimeout to delay its execution, it will consistently crash at 1 second,
crashes half the time at 2 seconds, seems to always work at 3 seconds and above.

The arrays referenced underneath GetCellInfoAt are returning valid looking
pointers to bad objects (__vfptr=0xdddddddd.)  I'm going to try to dig into
this, but I need some help.  Here's the stack trace:

nsCellMap::GetCellInfoAt(int 0, int 0, int * 0x0012c014, int * 0x0012c018) line
515 + 16 bytes
nsTableFrame::GetCellInfoAt(int 0, int 0, int * 0x0012c014, int * 0x0012c018)
line 4085
BasicTableLayoutStrategy::AssignPreliminaryColumnWidths(int 10935) line 742 + 30
bytes
BasicTableLayoutStrategy::Initialize(nsSize * 0x00000000, int 1, int 10935) line
112
nsTableFrame::BalanceColumnWidths(nsIPresContext & {...}, const
nsHTMLReflowState & {...}, const nsSize & {...}, nsSize * 0x00000000) line 2885
nsTableFrame::Reflow(nsTableFrame * const 0x02428640, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 1294
nsContainerFrame::ReflowChild(nsIFrame * 0x02428640, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 405 + 31 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x024286d0, nsIPresContext &
{...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 900 + 34 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x024286d0, const nsRect & {...},
int 0, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 251 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox *
0x0242ebf0, int * 0x0012c970) line 3226 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0242ebf0, int
* 0x0012c970, int 1) line 2614 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2425 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02422430, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 1489 + 15 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02422430, const nsRect & {...},
int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 251 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox *
0x02422340, int * 0x0012d20c) line 3226 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x02422340, int
* 0x0012d20c, int 1) line 2614 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2425 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x024214c0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 1489 + 15 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x024214c0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 289 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x024214c0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 405 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x02313460, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 332
nsContainerFrame::ReflowChild(nsIFrame * 0x02313460, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 405 + 31 bytes
nsScrollFrame::Reflow(nsScrollFrame * const 0x02420b80, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 621
nsContainerFrame::ReflowChild(nsIFrame * 0x02420b80, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 405 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x02344ee0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 514
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x0242eb40,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...},
nsIRenderingContext & {...}) line 140
PresShell::ProcessReflowCommands(PresShell * const 0x022e8d40) line 1617
PresShell::ExitReflowLock(PresShell * const 0x022e8d40, int 1, int 1) line 711
PresShell::ContentRemoved(PresShell * const 0x022e8d48, nsIDocument *
0x02319ac0, nsIContent * 0x02423b0c, nsIContent * 0x024238ec, int 0) line 2109
nsDocument::ContentRemoved(nsDocument * const 0x02319ac0, nsIContent *
0x02423b0c, nsIContent * 0x024238ec, int 0) line 1577
nsHTMLDocument::ContentRemoved(nsHTMLDocument * const 0x02319ac0, nsIContent *
0x02423b0c, nsIContent * 0x024238ec, int 0) line 1051
nsGenericHTMLContainerElement::RemoveChildAt(int 0, int 1) line 2974
nsGenericHTMLContainerElement::RemoveChild(nsIDOMNode * 0x024238e0, nsIDOMNode *
* 0x0012ddcc) line 2777 + 14 bytes
nsHTMLTableSectionElement::RemoveChild(nsHTMLTableSectionElement * const
0x02423b00, nsIDOMNode * 0x024238e0, nsIDOMNode * * 0x0012ddcc) line 55 + 22
bytes
nsHTMLTableElement::DeleteRow(nsHTMLTableElement * const 0x02423b80, int 0) line
815
nsHTMLTableRowElement::SetRowIndex(nsHTMLTableRowElement * const 0x024238e0, int
5) line 410
SetHTMLTableRowElementProperty(JSContext * 0x02292da0, JSObject * 0x00ed7440,
long -1, long * 0x0012e958) line 282
js_SetProperty(JSContext * 0x02292da0, JSObject * 0x00ed7440, long 37508240,
long * 0x0012e958) line 2056 + 137 bytes
js_Interpret(JSContext * 0x02292da0, long * 0x0012eae4) line 2214 + 955 bytes
js_Invoke(JSContext * 0x02292da0, unsigned int 2, unsigned int 0) line 688 + 13
bytes
js_Interpret(JSContext * 0x02292da0, long * 0x0012f318) line 2247 + 15 bytes
js_Invoke(JSContext * 0x02292da0, unsigned int 0, unsigned int 0) line 688 + 13
bytes
js_Interpret(JSContext * 0x02292da0, long * 0x0012fbb0) line 2247 + 15 bytes
js_Execute(JSContext * 0x02292da0, JSObject * 0x01f836e0, JSScript * 0x02431220,
JSFunction * 0x00000000, JSStackFrame * 0x00000000, int 0, long * 0x0012fbb0)
line 845 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x02292da0, JSObject * 0x01f836e0,
JSPrincipals * 0x023bddcc, const unsigned short * 0x0012fc30, unsigned int 10,
const char * 0x024317f0, unsigned int 34, long * 0x0012fbb0) line 2692 + 27
bytes
nsJSContext::EvaluateString(nsJSContext * const 0x02292f10, const nsString &
{...}, void * 0x01f836e0, nsIPrincipal * 0x023bddc0, const char * 0x024317f0,
unsigned int 34, const char * 0x00324468, nsString & {...}, int * 0x0012fc14)
line 226 + 53 bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x024318a0) line 1807 + 83 bytes
nsGlobalWindow_RunTimeout(nsITimer * 0x024317a0, void * 0x024318a0) line 1722 +
15 bytes
TimerImpl::Fire(unsigned long 191374241) line 312 + 17 bytes
TimerImpl::ProcessTimeouts(unsigned long 191374241) line 191
FireTimeout(HWND__ * 0x00000000, unsigned int 275, unsigned int 24224, unsigned
long 191374241) line 105 + 9 bytes
USER32! 77e7185c()
nsAppShellService::Run(nsAppShellService * const 0x00c512c0) line 484
main1(int 1, char * * 0x00be4420) line 580 + 12 bytes
main(int 1, char * * 0x00be4420) line 670 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1
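
The `__vfptr=0xdddddddd` value reported above matches the 0xDD fill that the MSVC debug C runtime writes over freed heap blocks, which is why the pointers look valid while the objects behind them are not. The following is an added illustration, not code from this bug or from Mozilla: a small model of a cell array that keeps its entries for a removed row, next to a removal that drops them, with a check for the freed-memory fill. All names are hypothetical, the pool stands in for the debug heap, and the stale-entry cause is an assumption, since the bug does not state the root cause.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical model, not Mozilla code. Cell stands in for a C++ object whose
// first word is the compiler's hidden vtable pointer (__vfptr).
struct Cell { uint32_t vfptr; int32_t colSpan; };

constexpr uint32_t kFreedFill = 0xDDDDDDDDu;   // debug-heap fill for freed blocks
constexpr uint32_t kLiveVtable = 0x00C0FFEEu;  // constructed sample value

// Fixed pool standing in for the debug heap: Free() poisons the storage with
// 0xDD but the address stays readable, so a stale pointer still "looks valid".
class Pool {
 public:
  Cell* Alloc() { Cell* c = &slots_[used_++]; *c = Cell{kLiveVtable, 1}; return c; }
  void Free(Cell* c) { std::memset(c, 0xDD, sizeof(Cell)); }
 private:
  Cell slots_[16];
  int used_ = 0;
};

// Per-row arrays of non-owning Cell pointers, indexed as a layout pass would.
struct CellMap {
  std::vector<std::vector<Cell*>> rows;
  // Before: cells are freed while the map keeps its entries for the row.
  void RemoveRowStale(Pool& pool, size_t r) {
    for (Cell* c : rows[r]) pool.Free(c);
  }
  // After: the map entries are dropped in the same step that frees the cells.
  void RemoveRowSynced(Pool& pool, size_t r) {
    for (Cell* c : rows[r]) pool.Free(c);
    rows.erase(rows.begin() + r);
  }
  Cell* CellAt(size_t r, size_t c) const {
    return (r < rows.size() && c < rows[r].size()) ? rows[r][c] : nullptr;
  }
};

// Triage check: a non-null pointer whose vtable word is the freed-memory fill.
bool PointsAtFreedCell(const Cell* c) { return c && c->vfptr == kFreedFill; }

// Two rows of one cell; remove row 0, then look up (0,0) as a later layout would.
bool StaleAfterRemove(bool synced) {
  Pool pool;
  CellMap map;
  for (int i = 0; i < 2; ++i) map.rows.push_back({pool.Alloc()});
  if (synced) map.RemoveRowSynced(pool, 0); else map.RemoveRowStale(pool, 0);
  return PointsAtFreedCell(map.CellAt(0, 0));
}
```
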
Assignee: troy → karnaze
Component: Layout → HTMLTables
This bug is likely due to the new incremental content sink. I know how to fix
the crash, but it causes other problems. Right now, I am lobbying to put the
incremental content sink back to a state where this bug would not occur until I
can fix the underlying problems.
Status: NEW → ASSIGNED
Priority: P3 → P1
Summary: CRASH: JS row.rowIndex= crashes in nsCellMap::GetCellInfoAt → [INC CONTEN SINK] JS row.rowIndex= crashes in nsCellMap::GetCellInfoAt
This is temporarily fixed because I reverted nsPresShell.cpp back before the
delayed processing of reflow commands. Please leave this bug open, because
delayed reflow commands will be turned back on. Removing CRASH from summary and
added INC CONTENT SINK.
Target Milestone: M13
Target Milestone: M13 → M14
mass move to m14.
Adding "crash" keyword to all known open crasher bugs.
Keywords: crash
Severity: normal → critical
Removing keyword "crash" and moving to M15. 
Keywords: crash
Target Milestone: M14 → M15
mass move to m16
Target Milestone: M15 → M16
Adding crash keyword.
Keywords: crash
This is no longer crashing.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Verified works for me in the July 11th build.
Status: RESOLVED → VERIFIED