Closed Bug 230138 Opened 21 years ago Closed 21 years ago

Crash when viewing a HTML page with certain display:tableXXX settings in CSS

Categories

(Core :: Layout: Tables, defect)

x86
All
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: moz, Assigned: bernd_mozilla)

Details

(Keywords: crash)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208

While trying some stuff I encountered this crash. I tried to minimize the HTML
code so that it still crashes every time. The problem seems to be related to the
display: settings in the CSS part.
The structure is something like
<div> [display:table-column]
  <div> [display:table]
  <div> [display:table-cell]


Reproducible: Always

Steps to Reproduce:
1. Create HTML file with following content:
<html>
<head>
  <style type="text/css">
  <!--
div.a1  { display:table; }  
div.a2  { display:table-cell; }
div.left { display:table-column;}
  -->
  </style>
</head>

<body>
  <div class="left">
    <div class="a1"></div>
    <div class="a2"></div>
  </div>
</body>
</html>
2. View it with Mozilla

Actual Results:  
Access violation when trying to view the page. Probably a null pointer dereference.

Expected Results:  
There is probably no "correct" way to render this, because it does not make too
much sense, but at least Mozilla should not crash.
#5  <signal handler called>
#6  0x06e16c30 in ProcessPseudoFrame (aPresContext=0x9ac6288,
    aPseudoData=@0xbfebd458, aParent=@0xbfebcec0)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1776
#7  0x06e1705f in ProcessPseudoFrames (aPresContext=0x9ac6288,
    aPseudoFrames=@0xbfebd408, aHighestType=0x0, aHighestFrame=@0xbfebcec0)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1875
#8  0x06e17272 in ProcessPseudoFrames (aPresContext=0x9ac6288,
    aPseudoFrames=@0xbfebd408, aItems=@0xbfebd018)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1921
#9  0x06e19e87 in nsCSSFrameConstructor::TableProcessChildren(nsIPresShell*,
nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*,
nsTableCreator&, nsFrameItems&, nsIFrame*&) (this=0x9adc120, aPresShell=0x9adc1d0,
    aPresContext=0x9ac6288, aState=@0xbfebd3d0, aContent=0x9519fe0,
    aParentFrame=0x9af38d0, aTableCreator=@0xbfebd1d0,
    aChildItems=@0xbfebd018, aCaption=@0xbfebd020)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:3074
#10 0x06e1950e in nsCSSFrameConstructor::ConstructTableColFrame(nsIPresShell*,
nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*,
nsStyleContext*, nsTableCreator&, int, nsFrameItems&, nsIFrame*&, int&)
(this=0x9adc120,
    aPresShell=0x9adc1d0, aPresContext=0x9ac6288, aState=@0xbfebd3d0,
    aContent=0x9519fe0, aParentFrameIn=0x9af3188, aStyleContext=0x9af3414,
    aTableCreator=@0xbfebd1d0, aIsPseudo=0, aChildItems=@0xbfebd4a0,
    aNewFrame=@0xbfebd1f0, aIsPseudoParent=@0xbfebd1c8)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:2832
#11 0x06e21b76 in
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell*,
nsIPresContext*, nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*,
int, nsIAtom*, nsIFrame*, nsStyleContext*, nsFrameItems&) (this=0x9adc120,
    aPresShell=0x9adc1d0, aPresContext=0x9ac6288, aState=@0xbfebd3d0,
    aDisplay=0x9af3440, aContent=0x9519fe0, aNameSpaceID=3, aTag=0x93e2780,
    aParentFrame=0x9af3188, aStyleContext=0x9af3414, aFrameItems=@0xbfebd4a0)


(gdb) frame 6
#6  0x06e16c30 in ProcessPseudoFrame (aPresContext=0x9ac6288,
    aPseudoData=@0xbfebd458, aParent=@0xbfebcec0)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1776
1776        rv = aParent->SetInitialChildList(aPresContext, nsnull,
items->childList);
(gdb) p aParent
$1 = (class nsIFrame *&) @0xbfebcec0: 0x0
(gdb) up
#7  0x06e1705f in ProcessPseudoFrames (aPresContext=0x9ac6288,
    aPseudoFrames=@0xbfebd408, aHighestType=0x0, aHighestFrame=@0xbfebcec0)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1875
1875        rv = ProcessPseudoFrame(aPresContext, aPseudoFrames.mRow,
aHighestFrame);
(gdb) p aHighestFrame
$2 = (class nsIFrame *&) @0xbfebcec0: 0x0


(gdb) up
#8  0x06e17272 in ProcessPseudoFrames (aPresContext=0x9ac6288,
    aPseudoFrames=@0xbfebd408, aItems=@0xbfebd018)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:1921
1921      nsresult rv = ProcessPseudoFrames(aPresContext, aPseudoFrames, nsnull,
highestFrame);
(gdb) p aPseudoFrames
$5 = (nsPseudoFrames &) @0xbfebd408: {mTableOuter = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mTableInner = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mRowGroup = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mColGroup = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mRow = {mFrame = 0x0, mChildList = {
      childList = 0x9afa044, lastChild = 0x9afa044}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mCellOuter = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mCellInner = {mFrame = 0x0,
    mChildList = {childList = 0x0, lastChild = 0x0}, mChildList2 = {
      childList = 0x0, lastChild = 0x0}}, mLowestType = 0x93e3110}
(gdb) up

(gdb) p aState.mPseudoFrames.mLowestType
$6 = (nsIAtom *) 0x93e3110
(gdb) x/wa $6
0x93e3110:      0x59dd68 <_ZTV19nsStaticAtomWrapper+8>
(gdb) p *(class nsStaticAtomWrapper*)$
$7 = {<nsIAtom> = {<nsISupports> = {
      _vptr.nsISupports = 0x59dd68}, <No data fields>},
  mStaticAtom = 0x73a8058}
(gdb) p $.mStaticAtom
$8 = (const nsStaticAtom *) 0x73a8058
(gdb) p *$
$9 = {mString = 0x734feef "TableRowFrame", mAtom = 0x73c0928}
Severity: normal → critical
Keywords: crash
confirmed with linux trunk 2004010508
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Can you provide a URL for full web page that causes this problem?  I'd like to
test a possible fix...

BTW, why is a brand new bug already assigned to nobody?
Confirmed Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b)
Gecko/20040102 Firebird/0.7+
David, do you have any idea what should happen here?
Should the children of the col simply be suppressed?
	bernd	Hixie: what should happen to a child of a display: table-column element,
can it be ignored (no frame construction for the child)
	Hixie	sicking: "children", probably in DOM
	Hixie	bernd: spec doesn't say, last i checked, but yes, just assume
table-column's children are display:none
	
Attached patch: patch
I don't claim that I understand table frame construction well. I am pretty sure
that exactly the opposite is true, but I believe that col frames shouldn't have
children, and even if they had them, they would not be reflown;
see
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableColFrame.cpp#154

so we should not create them.
Attachment #139221 - Flags: superreview?(bz-vacation)
Attachment #139221 - Flags: review+
taking so that I get this thing checked in
Assignee: nobody → bernd_mozilla
Comment on attachment 139221: patch

sr=bzbarsky.  Looks reasonable.
Attachment #139221 - Flags: superreview?(bz-vacation) → superreview+
fix checked in
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
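
The approach discussed in the thread (treat the children of a display:table-column element as display:none and construct no frames for them), sketched as an added example; this is not the attached patch and not Gecko code. Node, Frame, Construct and the suppressColChildren flag are hypothetical names in a toy model, and the input is constructed to mirror the reporter's test case.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

enum class Display { Block, Table, TableCell, TableColumn };

struct Node {                        // toy stand-in for a content node
  Display display;
  std::vector<Node> kids;
};

struct Frame {                       // toy stand-in for a layout frame
  Display type;
  std::vector<std::unique_ptr<Frame>> children;
};

// Build the frame subtree for `n`. With suppressColChildren set, the
// descendants of a table-column get no frames at all (treated as
// display:none), so no table pseudo-frame state is started under a column.
std::unique_ptr<Frame> Construct(const Node& n, bool suppressColChildren) {
  auto f = std::make_unique<Frame>();
  f->type = n.display;
  if (suppressColChildren && n.display == Display::TableColumn) return f;
  for (const Node& k : n.kids)
    f->children.push_back(Construct(k, suppressColChildren));
  return f;
}

std::size_t CountFrames(const Frame& f) {
  std::size_t total = 1;
  for (const auto& c : f.children) total += CountFrames(*c);
  return total;
}

// Constructed input mirroring the report:
// body > div.left (table-column) > { div.a1 (table), div.a2 (table-cell) }
Node ReporterTestCase() {
  Node left{Display::TableColumn,
            {Node{Display::Table, {}}, Node{Display::TableCell, {}}}};
  return Node{Display::Block, {left}};
}

int main() {
  Node doc = ReporterTestCase();
  std::printf("frames without suppression: %zu\n", CountFrames(*Construct(doc, false)));
  std::printf("frames with suppression:    %zu\n", CountFrames(*Construct(doc, true)));
  return 0;
}
```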