Closed
Bug 268231
Opened 20 years ago
Closed 20 years ago
crash on RC2/1.8a5/1.7.5 with malformed html
Categories
(Core :: Layout: Tables, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: titusstahl+bugzilla, Assigned: bernd_mozilla)
References
Details
(4 keywords)
Attachments
(3 files)
|
64.00 KB,
text/html
|
Details | |
|
338 bytes,
text/html
|
Details | |
|
1.84 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
dbaron
:
approval1.7.5-
dbaron
:
approval1.7.6+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 firefox 1.0rc2 crashes on linux and win2000 with fresh profile when you load the attached file. Reproducible: Always Steps to Reproduce: 1. download the attached file and open it Actual Results: firefox crashes Expected Results: firefox doesn't crash Talkback ID TB1781279K
Keywords: crash,
talkbackid
I crash with cvs trunk from yesterday
nsCellMap::GetCellInfoAt(nsTableCellMap & {...}, int 1, int 0, int * 0x00121280,
int * 0x00121284) line 2392 + 16 bytes
nsTableCellMap::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284)
line 762 + 23 bytes
nsTableFrame::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284)
line 4475
BasicTableLayoutStrategy::AssignNonPctColumnWidths(int 1073741824, const
nsHTMLReflowState & {...}) line 1034 + 28 bytes
BasicTableLayoutStrategy::Initialize(const nsHTMLReflowState & {...}) line 143 +
17 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x038974c4, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1928
nsContainerFrame::ReflowChild(nsIFrame * 0x038974c4, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 3, unsigned int & 0) line 958 + 26 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x038973b8,
nsPresContext * 0x037dd120, nsIFrame * 0x038974c4, const nsHTMLReflowState &
{...}, nsHTMLReflowMetrics & {...}, int 1073741824, nsSize & {...}, nsMargin &
{...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason
eReflowReason_StyleChange, unsigned int & 0, int * 0x00000000) line 1328 + 41 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x038973b8, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1995 + 69 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001222f4) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001222f4, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03959170, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001232a8) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001232a8, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0395929c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012425c) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012425c, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03959740, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00125210) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00125210, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0396659c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 1073741824, int 5748, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x0396659c, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsSprocketLayout::Layout(nsSprocketLayout * const 0x02cbe7d0, nsIFrame *
0x039664e0, nsBoxLayoutState & {...}) line 547
nsBoxFrame::DoLayout(nsBoxFrame * const 0x039664e0, nsBoxLayoutState & {...})
line 1097 + 83 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x039664e0, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsLineLayout::ReflowFrame(nsIFrame * 0x039664e0, unsigned int & 0,
nsHTMLReflowMetrics * 0x00000000, int & 0) line 1001 + 40 bytes
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout &
{...}, nsLineList_iterator {...}, nsIFrame * 0x039664e0, unsigned char *
0x001260d0) line 3702 + 21 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout &
{...}, nsLineList_iterator {...}, int * 0x001265fc, unsigned char * 0x001261d4,
int 0, int 1) line 3566 + 27 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001265fc, int 1, int 0) line 3455 + 40 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001265fc, int 1) line 2573 + 28 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b964, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 8892, int 6210, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x0390b964, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x03966228, nsBoxLayoutState
& {...}) line 333
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x03966228, const
nsRect & {...}) line 2683 + 11 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame *
0x03966228, const nsRect & {...}) line 1670 + 14 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813
nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x0390b9b8,
nsBoxLayoutState & {...}) line 577 + 17 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x0390b9b8, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x0390b9b8, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 506 + 20 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00127cc8) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00127cc8, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b838, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00128c7c) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00128c7c, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037ece0c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00129c30) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00129c30, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037ef158, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012abe4) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012abe4, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037eefd4, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037eefd4, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x037efd8c, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 551
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 9084, int 12060, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x037efd8c, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x037efffc, nsBoxLayoutState
& {...}) line 333
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x037efffc, const
nsRect & {...}) line 2683 + 11 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame *
0x037efffc, const nsRect & {...}) line 1670 + 14 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813
nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x037efebc,
nsBoxLayoutState & {...}) line 577 + 17 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x037efebc, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x037efebc, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 506 + 20 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037efebc, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x037efc84, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 40 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x037dd120, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 906
PresShell::ProcessReflowCommands(int 0) line 6295
PresShell::FlushPendingNotifications(PresShell * const 0x03481428, mozFlushType
Flush_Layout) line 5013
nsDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 4056
nsHTMLDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 1261
nsGenericHTMLElement::GetOffsetRect(nsRect & {...}, nsIContent * * 0x0012c25c)
line 617
nsGenericHTMLElement::GetOffsetLeft(int * 0x0012c4f0) line 827 + 58 bytes
nsGenericHTMLElementTearoff::GetOffsetLeft(nsGenericHTMLElementTearoff * const
0x02def4b8, int * 0x0012c4f0) line 215 + 17 bytes
XPTC_InvokeByIndex(nsISupports * 0x02def4b8, unsigned int 4, unsigned int 1,
nsXPTCVariant * 0x0012c4f0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_GETTER) line 2034 + 31 bytes
XPC_WN_GetterSetter(JSContext * 0x035633b0, JSObject * 0x03a126e0, unsigned int
0, long * 0x03a660ec, long * 0x0012c7f4) line 1319 + 14 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 0, unsigned int 2) line 1286 + 19
bytes
js_InternalInvoke(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 60892992,
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012d790) line 1428
+ 17 bytes
js_InternalGetOrSet(JSContext * 0x035633b0, JSObject * 0x03a126e0, long
36430464, long 60892992, int 4, unsigned int 0, long * 0x00000000, long *
0x0012d790) line 1472 + 25 bytes
js_GetProperty(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 36430464,
long * 0x0012d790) line 2680 + 45 bytes
js_Interpret(JSContext * 0x035633b0, long * 0x0012d968) line 3303 + 1684 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 0) line 1306 + 12
bytes
js_Interpret(JSContext * 0x035633b0, long * 0x0012e8cc) line 3507 + 13 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 2) line 1306 + 12
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x023441e8,
nsXPCWrappedJS * 0x0395c108, unsigned short 3, const nsXPTMethodInfo *
0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 1339 + 16 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x0395c108, unsigned short 3,
const nsXPTMethodInfo * 0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x0395c108, unsigned int 3, unsigned int *
0x0012ed98, unsigned int * 0x0012ed88) line 117 + 26 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0395a1a8,
nsIDOMEvent * 0x03a65b70, nsIDOMEventTarget * 0x0356311c, unsigned int 1,
unsigned int 7) line 1512 + 19 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x037aaa10,
nsPresContext * 0x037dd120, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f06c,
nsIDOMEventTarget * 0x0356311c, unsigned int 7, nsEventStatus * 0x0012f180) line
1606
GlobalWindowImpl::HandleDOMEvent(nsPresContext * 0x037dd120, nsEvent *
0x0012f158, nsIDOMEvent * * 0x0012f06c, unsigned int 7, nsEventStatus *
0x0012f180) line 908
DocumentViewerImpl::LoadComplete(DocumentViewerImpl * const 0x038cbae8, unsigned
int 0) line 890 + 41 bytes
nsDocShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0,
unsigned int 0) line 4311
nsWebShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0,
unsigned int 0) line 750
nsDocShell::OnStateChange(nsDocShell * const 0x03562c1c, nsIWebProgress *
0x03580384, nsIRequest * 0x036019c0, unsigned int 131088, unsigned int 0) line 4238
nsDocLoaderImpl::FireOnStateChange(nsIWebProgress * 0x03580384, nsIRequest *
0x036019c0, int 131088, unsigned int 0) line 1225
nsDocLoaderImpl::doStopDocumentLoad(nsIRequest * 0x036019c0, unsigned int 0)
line 832
nsDocLoaderImpl::DocLoaderIsEmpty() line 729
nsDocLoaderImpl::DocLoaderIsEmpty() line 732
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03a53674, nsIRequest *
0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 661
nsLoadGroup::RemoveRequest(nsLoadGroup * const 0x03a538a0, nsIRequest *
0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 695 + 76 bytes
nsInputStreamChannel::OnStopRequest(nsInputStreamChannel * const 0x03a53d6c,
nsIRequest * 0x03a53eb0, nsISupports * 0x00000000, unsigned int 0) line 371
nsInputStreamPump::OnStateStop() line 505
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03a53eb4,
nsIAsyncInputStream * 0x03a53fa0) line 341 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03a54214) line 119
PL_HandleEvent(PLEvent * 0x03a54214) line 692 + 9 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ed5098) line 627 + 8 bytes
_md_EventReceiverProc(HWND__ * 0x002e037e, unsigned int 49422, unsigned int 0,
long 15552664) line 1433 + 8 bytes
USER32! 77d18709()
USER32! 77d187eb()
USER32! 77d189a5()
USER32! 77d189e8()
nsAppShell::Run(nsAppShell * const 0x00f9ac00) line 135
nsAppStartup::Run(nsAppStartup * const 0x00f9a980) line 221
main1(int 3, char * * 0x002a4250, nsISupports * 0x00edaec8) line 1321 + 31 bytes
main(int 3, char * * 0x002a4250) line 1799 + 34 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()Assignee: firefox → nobody
Status: UNCONFIRMED → NEW
Component: General → Layout: Tables
Ever confirmed: true
Product: Firefox → Browser
QA Contact: firefox.general → core.layout.tables
Version: unspecified → Trunk
Robert, could you help here with a much reduced testcase from the attached testcase?
Blocks: Zalewski
|
||
Comment 4•20 years ago
|
||
Doesn't crash on Mozilla 1.7.2 release: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 I'll try some other builds, and see if I can narrow down when this got broke.
|
||
Comment 5•20 years ago
|
||
It does crash mozilla 1.7.5 nightly build 20041103 on WindowsME. Talkback TB1785061G
|
|
||
Comment 6•20 years ago
|
||
Today trunk CVS build (20041107 for date challenged) went also kaput. The crash looked the same but I cannot provide a talkback from the CVS build.
Summary: crash on RC2 with malformed html → crash on RC2/1.8a5/1.7.5 with malformed html
|
|
||
Comment 7•20 years ago
|
||
Things broke sometime before 29 October [I can't get at nightlies older than that] -- here's some history of what does/does not crash Doesn't Crash -- Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041029 Firefox/0.9.1+ Crashes - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041107 --> TB1785295Q Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041029 Firefox/1.0RC1 --> TB1785852K So on the 29th the trunk worked, but Firefox 1.0RC1 doesn't ...
I have seen a crash with a 2004-09-22 build http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1786824G
|
||
Comment 9•20 years ago
|
||
did some regression testing, used zip-builds, deleted components/compreg.dat to get talkback working. Couldn´t crash with downloaded file, had to load from bugzilla. Mozilla 1.8: 2004090407 working 2004091016 crashing on close, reproducible 2004091306 crashing 2004091804 crashing Mozilla 1.7 20041010 working (1.7.4 Release) 2004102108 working 2004110106 crashing a trunk talkback containing symbols: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1788990 talkbacks containing bug number: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=comments&match=contains&searchfor=268231&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
|
|
||
Comment 10•20 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a4) Gecko/20040911 did sometimes crash on close like BuildID 2004091016, both in MORK.DLL So I assume this is not related to this bug, and the regression time frame is BuildID 2004091105 not crashing on testcase, BuildID 2004091306 crashing on testcase. http://archive.mozilla.org/pub/mozilla/nightly/ has a lot of empty directories, all with newer than the original dates. Seems, from time to time somebody is deleting stuff in the archives. Some folders have the original, nightly date, other with newer date also contain some files, but often folders with newer date are empty.
|
||
Comment 11•20 years ago
|
||
I expect this can be reduced further. I am not obsoleting the original testcase since the stack looked quite different even though this was reduced from the original testcase.
|
|
||
Comment 12•20 years ago
|
||
The original and reduced testcases would only crash for me when viewing them locally after a refresh Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041106. I suspect the reduced testcase is a duplicate of bug 268157 due to the talkbacks and hence this bug may also be a duplicate. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1793590Z Stack Trace 0x00c40004 nsHTMLReflowState::ComputePadding [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp, line 2327]
|
|
||
Comment 13•20 years ago
|
||
I also get a crash with a different stack trace when when viewing the new testcase remotely and performing a refresh. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1794000Y Stack Trace 0x000003cf nsContainerFrame::ReflowChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 948] nsTableRowGroupFrame::IR_TargetIsChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1634]
|
|
||
Comment 14•20 years ago
|
||
couldn´t crash 2nd testcase on BuildID 2004091306, oldest crashing build on testcase 1. The original testcase wasn´t crashing when tested locally with a relatively current nightly. testcase 2 crashing only when reloading, BuildID 2004110606 http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1794206 Regression timeframe for testcase1 is 2004091105 thru 2004091306, so testcase2 must be some other bug, maybe bug 268157, as seen in 2nd line of stack frame http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsHTMLReflowState%3A%3AComputePadding&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
|
|
||
Comment 15•20 years ago
|
||
I was able to crash with testcase 1 using a debug build from today.
|
|
||
Comment 16•20 years ago
|
||
I just verified that by taking out the following either testcase my debug build from today no longer crashes when viewed locally. This is in the img tag towards the end of both testcases. border="9122426235884966334877847689486752756034152801619730234669552883524144378493472595827"
|
Assignee | |
Comment 17•20 years ago
|
||
Attachment #165446 -
Flags: superreview?(bzbarsky)
Attachment #165446 -
Flags: review?(bzbarsky)
|
|
||
Comment 18•20 years ago
|
||
Comment on attachment 165446 [details] [diff] [review] patch Why is this the right patch? In particular, can't tables split in columns even in non-paginated prescontexts?
Currently, no. One day, hopefully yes. Although duplicating <thead> frames across columns in dynamic prescontexts is likely to be a massive architectural change to do right.
|
|
||
Comment 20•20 years ago
|
||
Comment on attachment 165446 [details] [diff] [review] patch r+sr=bzbarsky, in that case.... But we may want to add an assert here for cases when this is triggered. That way when we try to do this for columns, we'll know this code needs fixing.
Attachment #165446 -
Flags: superreview?(bzbarsky)
Attachment #165446 -
Flags: superreview+
Attachment #165446 -
Flags: review?(bzbarsky)
Attachment #165446 -
Flags: review+
When we do table breaking in columns, I'll just search for IsPaginated everywhere in layout/html/table.
|
|
||
Comment 22•20 years ago
|
||
wfm with tinderbox build 2004111110 having the patch Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a5) Gecko/20041111 Tested both testcases, load/Reload/Shift-Reload multiple times, no crash. Seen with first testcase: While loading, there is a vertical scrollbar to the right. Scrolling is possible using the keyboard, the arrow buttons or the slider of the scrollbar. When loading finishes and the marquees start shifting in, the the slider vanishes, the arrow buttons are grayed out, scroll keys get inactive, scrolling is impossible. check in: 2004-11-11 09:27 bmlk%gmx.de mozilla/ layout/ html/ table/ src/ nsTableRowGroupFrame.cpp 3.335 10/3 Split row groups works only for paginated media bug 268231 r/sr=bzbarsky
|
|
Assignee | |
Comment 24•20 years ago
|
||
Comment on attachment 165446 [details] [diff] [review] patch this might be good for branch too
Attachment #165446 -
Flags: approval1.7.x?
|
||
Comment 25•20 years ago
|
||
Comment on attachment 165446 [details] [diff] [review] patch a=mkaply for 1.7. Please put on the aviary branch as well.
Attachment #165446 -
Flags: approval1.7.x?
Attachment #165446 -
Flags: approval1.7.x+
Attachment #165446 -
Flags: approval-aviary+
Comment on attachment 165446 [details] [diff] [review] patch Per drivers discussion, we really want to make 1.7.5 match FF 1.0, so changing these back to requests. (We might want it for 1.7.6 / FF 1.0.1 or something like that, so changing to requests, rather than minuses, since we don't really have flags yet.)
Attachment #165446 -
Flags: approval1.7.x?
Attachment #165446 -
Flags: approval1.7.x+
Attachment #165446 -
Flags: approval-aviary?
Attachment #165446 -
Flags: approval-aviary+
Attachment #165446 -
Flags: approval1.7.6+
Attachment #165446 -
Flags: approval1.7.5?
Attachment #165446 -
Flags: approval1.7.5-
|
||
Comment 27•20 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20041201 Firefox/1.0+ The testcase in Comment 11 doesn't crash here.
|
|
||
Comment 28•20 years ago
|
||
That's because the patch was checked in.....
|
|
||
Comment 29•20 years ago
|
||
If I am out of line in posting this low-content message to an already fairly long bug, then I apologise, and make the suggestion that each bug should as well as a link to (for example) the 'search page' have also a link to either the 'bugzilla etiquette' or a 'bugzilla howto' page. ( http://bugzilla.mozilla.org/page.cgi?id=etiquette.html 1.1 ... Additional "I see this too" or "It works for me" comments are unnecessary ... ) I would guess that I have a double dose of the "just catch it" gene (named for the anecdote in the CVS book) in that I take it personally when a program crashes, and feel that it should be possible (on an open system, intended and designed to work properly) to identify the chain of causation of every crash and find a simple and effective way of eliminating the crash. It is also quite difficult to identify problems which are worth fixing, simple enough for me to produce a patch, the patch is clear enough to be submitted and worth the developers time, and not important enough to aleady have a developer working on an maybe have a fix for. I bet that most of these are crash problems (see Bug 203784 ). Yes, I occasionally post at least potentially empty comments, and if asked not to, I will pipe down or shut up entirely. Most (but not all, see Bug 260388 ) of my comments relate to the Mac OS platform running a build made here, using the standard methods from the trunk, no more than a day or two old. Maybe I am wrong, but I would have thought that nearly always this would produce new and probably useful information The reason for posting on this bug was that it was marked as NEW, and I thought that further information was still required. Although I could see that a patch was submitted, I could not see that it had been applied to the trunk and was known to have fixed the problem. Had the crash occurred then my paragraph 3 would have applied, and I would have attempted to produce a patch. As there was no crash, I reported this good news. Speaking for myself, if I were fixing bugs on Mac OS I would love to hear from people on, say, linux, reporting that that my work was OK; but this may not be relevant. http://www.mozilla.org/contribute/ deals with how to help with bugs in the UNCONFORMED state, but I cannot find guidance for helping with bugs in the NEW state http://www.mozilla.org/hacking/life-cycle.html sounds as though it should, but doesn't.
|
|
Assignee | |
Comment 30•20 years ago
|
||
Ben: Sorry for the inconvience and the time that you spent but no need for a complete roman, here comes the short version: Bernd sucks in his bug handling; a) mark bugs as assigned when you are working on them, b) write clearly when you checkin. And hmm reading helps (comment 22 )
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 31•20 years ago
|
||
fixed on the 1.7 branch
|
||
Updated•20 years ago
|
Keywords: fixed1.7 → fixed1.7.6
|
||
Comment 32•20 years ago
|
||
verified fixed. testcase does not cause crash with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050310
Status: RESOLVED → VERIFIED
|
||
Updated•20 years ago
|
Keywords: fixed1.7.6 → verified1.7.6
|
|
||
Comment 33•20 years ago
|
||
mistakenly removed fixed1.7.6 --pardon the bugspam. set your filter/quicksearch to "ZippidityDooDahHey" to catch these for easy removal/etc/
Keywords: fixed1.7.6
|
||
Updated•20 years ago
|
Attachment #165446 -
Flags: approval-aviary?
|
||
Comment 34•19 years ago
|
||
*** Bug 294053 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•