268231 - crash on RC2/1.8a5/1.7.5 with malformed html

Status: VERIFIED FIXED

(Core :: Layout: Tables, defect)

Description

[tstststst]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

firefox 1.0rc2 crashes on linux and win2000 with fresh profile when you load the
attached file.

Reproducible: Always
Steps to Reproduce:
1. download the attached file and open it

Actual Results:  
firefox crashes

Expected Results:  
firefox doesn't crash

Talkback ID TB1781279K

Comment 1

[tstststst]

Attachment: testcase

Comment 2

[Bernd]

I crash with cvs trunk from yesterday 
nsCellMap::GetCellInfoAt(nsTableCellMap & {...}, int 1, int 0, int * 0x00121280,
int * 0x00121284) line 2392 + 16 bytes
nsTableCellMap::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284)
line 762 + 23 bytes
nsTableFrame::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284)
line 4475
BasicTableLayoutStrategy::AssignNonPctColumnWidths(int 1073741824, const
nsHTMLReflowState & {...}) line 1034 + 28 bytes
BasicTableLayoutStrategy::Initialize(const nsHTMLReflowState & {...}) line 143 +
17 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x038974c4, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1928
nsContainerFrame::ReflowChild(nsIFrame * 0x038974c4, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 3, unsigned int & 0) line 958 + 26 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x038973b8,
nsPresContext * 0x037dd120, nsIFrame * 0x038974c4, const nsHTMLReflowState &
{...}, nsHTMLReflowMetrics & {...}, int 1073741824, nsSize & {...}, nsMargin &
{...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason
eReflowReason_StyleChange, unsigned int & 0, int * 0x00000000) line 1328 + 41 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x038973b8, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1995 + 69 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001222f4) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001222f4, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03959170, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001232a8) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001232a8, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0395929c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012425c) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012425c, int 0) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03959740, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00125210) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00125210, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0396659c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 1073741824, int 5748, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x0396659c, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsSprocketLayout::Layout(nsSprocketLayout * const 0x02cbe7d0, nsIFrame *
0x039664e0, nsBoxLayoutState & {...}) line 547
nsBoxFrame::DoLayout(nsBoxFrame * const 0x039664e0, nsBoxLayoutState & {...})
line 1097 + 83 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x039664e0, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsLineLayout::ReflowFrame(nsIFrame * 0x039664e0, unsigned int & 0,
nsHTMLReflowMetrics * 0x00000000, int & 0) line 1001 + 40 bytes
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout &
{...}, nsLineList_iterator {...}, nsIFrame * 0x039664e0, unsigned char *
0x001260d0) line 3702 + 21 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout &
{...}, nsLineList_iterator {...}, int * 0x001265fc, unsigned char * 0x001261d4,
int 0, int 1) line 3566 + 27 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x001265fc, int 1, int 0) line 3455 + 40 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x001265fc, int 1) line 2573 + 28 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b964, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 8892, int 6210, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x0390b964, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x03966228, nsBoxLayoutState
& {...}) line 333
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x03966228, const
nsRect & {...}) line 2683 + 11 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame *
0x03966228, const nsRect & {...}) line 1670 + 14 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813
nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x0390b9b8,
nsBoxLayoutState & {...}) line 577 + 17 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x0390b9b8, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x0390b9b8, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 506 + 20 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00127cc8) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00127cc8, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b838, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00128c7c) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00128c7c, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037ece0c, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x00129c30) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x00129c30, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037ef158, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012abe4) line 3203 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012abe4, int 1) line 2455 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037eefd4, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 826 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037eefd4, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x037efd8c, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 551
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 9084, int 12060, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x037efd8c, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x037efffc, nsBoxLayoutState
& {...}) line 333
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x037efffc, const
nsRect & {...}) line 2683 + 11 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame *
0x037efffc, const nsRect & {...}) line 1670 + 14 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813
nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x037efebc,
nsBoxLayoutState & {...}) line 577 + 17 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x037efebc, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x037efebc, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 506 + 20 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037efebc, nsPresContext * 0x037dd120,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x037efc84, nsPresContext *
0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 40 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x037dd120, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 906
PresShell::ProcessReflowCommands(int 0) line 6295
PresShell::FlushPendingNotifications(PresShell * const 0x03481428, mozFlushType
Flush_Layout) line 5013
nsDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 4056
nsHTMLDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 1261
nsGenericHTMLElement::GetOffsetRect(nsRect & {...}, nsIContent * * 0x0012c25c)
line 617
nsGenericHTMLElement::GetOffsetLeft(int * 0x0012c4f0) line 827 + 58 bytes
nsGenericHTMLElementTearoff::GetOffsetLeft(nsGenericHTMLElementTearoff * const
0x02def4b8, int * 0x0012c4f0) line 215 + 17 bytes
XPTC_InvokeByIndex(nsISupports * 0x02def4b8, unsigned int 4, unsigned int 1,
nsXPTCVariant * 0x0012c4f0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_GETTER) line 2034 + 31 bytes
XPC_WN_GetterSetter(JSContext * 0x035633b0, JSObject * 0x03a126e0, unsigned int
0, long * 0x03a660ec, long * 0x0012c7f4) line 1319 + 14 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 0, unsigned int 2) line 1286 + 19
bytes
js_InternalInvoke(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 60892992,
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012d790) line 1428
+ 17 bytes
js_InternalGetOrSet(JSContext * 0x035633b0, JSObject * 0x03a126e0, long
36430464, long 60892992, int 4, unsigned int 0, long * 0x00000000, long *
0x0012d790) line 1472 + 25 bytes
js_GetProperty(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 36430464,
long * 0x0012d790) line 2680 + 45 bytes
js_Interpret(JSContext * 0x035633b0, long * 0x0012d968) line 3303 + 1684 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 0) line 1306 + 12
bytes
js_Interpret(JSContext * 0x035633b0, long * 0x0012e8cc) line 3507 + 13 bytes
js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 2) line 1306 + 12
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x023441e8,
nsXPCWrappedJS * 0x0395c108, unsigned short 3, const nsXPTMethodInfo *
0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 1339 + 16 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x0395c108, unsigned short 3,
const nsXPTMethodInfo * 0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x0395c108, unsigned int 3, unsigned int *
0x0012ed98, unsigned int * 0x0012ed88) line 117 + 26 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0395a1a8,
nsIDOMEvent * 0x03a65b70, nsIDOMEventTarget * 0x0356311c, unsigned int 1,
unsigned int 7) line 1512 + 19 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x037aaa10,
nsPresContext * 0x037dd120, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f06c,
nsIDOMEventTarget * 0x0356311c, unsigned int 7, nsEventStatus * 0x0012f180) line
1606
GlobalWindowImpl::HandleDOMEvent(nsPresContext * 0x037dd120, nsEvent *
0x0012f158, nsIDOMEvent * * 0x0012f06c, unsigned int 7, nsEventStatus *
0x0012f180) line 908
DocumentViewerImpl::LoadComplete(DocumentViewerImpl * const 0x038cbae8, unsigned
int 0) line 890 + 41 bytes
nsDocShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0,
unsigned int 0) line 4311
nsWebShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0,
unsigned int 0) line 750
nsDocShell::OnStateChange(nsDocShell * const 0x03562c1c, nsIWebProgress *
0x03580384, nsIRequest * 0x036019c0, unsigned int 131088, unsigned int 0) line 4238
nsDocLoaderImpl::FireOnStateChange(nsIWebProgress * 0x03580384, nsIRequest *
0x036019c0, int 131088, unsigned int 0) line 1225
nsDocLoaderImpl::doStopDocumentLoad(nsIRequest * 0x036019c0, unsigned int 0)
line 832
nsDocLoaderImpl::DocLoaderIsEmpty() line 729
nsDocLoaderImpl::DocLoaderIsEmpty() line 732
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03a53674, nsIRequest *
0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 661
nsLoadGroup::RemoveRequest(nsLoadGroup * const 0x03a538a0, nsIRequest *
0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 695 + 76 bytes
nsInputStreamChannel::OnStopRequest(nsInputStreamChannel * const 0x03a53d6c,
nsIRequest * 0x03a53eb0, nsISupports * 0x00000000, unsigned int 0) line 371
nsInputStreamPump::OnStateStop() line 505
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03a53eb4,
nsIAsyncInputStream * 0x03a53fa0) line 341 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03a54214) line 119
PL_HandleEvent(PLEvent * 0x03a54214) line 692 + 9 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ed5098) line 627 + 8 bytes
_md_EventReceiverProc(HWND__ * 0x002e037e, unsigned int 49422, unsigned int 0,
long 15552664) line 1433 + 8 bytes
USER32! 77d18709()
USER32! 77d187eb()
USER32! 77d189a5()
USER32! 77d189e8()
nsAppShell::Run(nsAppShell * const 0x00f9ac00) line 135
nsAppStartup::Run(nsAppStartup * const 0x00f9a980) line 221
main1(int 3, char * * 0x002a4250, nsISupports * 0x00edaec8) line 1321 + 31 bytes
main(int 3, char * * 0x002a4250) line 1799 + 34 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

Comment 3

[Bernd]

Robert, could you help here with a much reduced testcase from the attached testcase?

Comment 4

[Ian Graham]

Doesn't crash on Mozilla 1.7.2 release:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
I'll try some other builds, and see if I can narrow down when this got broke.

Comment 5

[Jacek Piskozub]

It does crash mozilla 1.7.5 nightly build 20041103 on WindowsME.

Talkback TB1785061G

Comment 6

[Jacek Piskozub]

Today trunk CVS build (20041107 for date challenged) went also kaput. The crash
looked the same but I cannot provide a talkback from the CVS build.

Comment 7

[Ian Graham]

Things broke sometime before 29 October [I can't get at nightlies older than 
that] -- here's some history of what does/does not crash

Doesn't Crash -- 
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 
Firefox/0.10.1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041029 
Firefox/0.9.1+

Crashes -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041107 -->  
TB1785295Q 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 
Firefox/1.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041029 
Firefox/1.0RC1 --> TB1785852K

So on the 29th the trunk worked, but Firefox 1.0RC1 doesn't ... 

Comment 8

[Bernd]

I have seen a crash with a 2004-09-22 build
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1786824G

Comment 9

[Hermann Schwab]

did some regression testing, used zip-builds, deleted components/compreg.dat to
get talkback working. Couldn´t crash with downloaded file, had to load from
bugzilla.

Mozilla 1.8:
2004090407 working
2004091016 crashing on close, reproducible
2004091306 crashing
2004091804 crashing

Mozilla 1.7
20041010   working (1.7.4 Release)
2004102108 working
2004110106 crashing

a trunk talkback containing symbols:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1788990

talkbacks containing bug number:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=comments&match=contains&searchfor=268231&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

Comment 10

[Hermann Schwab]

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a4) Gecko/20040911
did sometimes crash on close like BuildID 2004091016, both in MORK.DLL

So I assume this is not related to this bug, and the regression time frame is
BuildID 2004091105 not crashing on testcase, BuildID 2004091306 crashing on
testcase.

http://archive.mozilla.org/pub/mozilla/nightly/ has a lot of empty directories,
all with newer than the original dates. Seems, from time to time somebody is
deleting stuff in the archives. Some folders have the original, nightly date,
other with newer date also contain some files, but often folders with newer date
are empty.

Comment 11

[Robert Strong (they/them - no direct email)]

Attachment: Testcase (causes crash)

I expect this can be reduced further. I am not obsoleting the original testcase
since the stack looked quite different even though this was reduced from the
original testcase.

Comment 12

[Robert Strong (they/them - no direct email)]

The original and reduced testcases would only crash for me when viewing them
locally after a refresh Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8a5) Gecko/20041106.

I suspect the reduced testcase is a duplicate of bug 268157 due to the talkbacks
and hence this bug may also be a duplicate.

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1793590Z
Stack Trace  	
0x00c40004
nsHTMLReflowState::ComputePadding 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp,
line 2327]

Comment 13

[Robert Strong (they/them - no direct email)]

I also get a crash with a different stack trace when when viewing the new
testcase remotely and performing a refresh.

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1794000Y
Stack Trace 
0x000003cf
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 948]
nsTableRowGroupFrame::IR_TargetIsChild 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1634]

Comment 14

[Hermann Schwab]

couldn´t crash 2nd testcase on BuildID 2004091306, oldest crashing build on
testcase 1. The original testcase wasn´t crashing when tested locally with a
relatively current nightly.

testcase 2 crashing only when reloading, BuildID 2004110606
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1794206

Regression timeframe for testcase1 is 2004091105 thru 2004091306, so testcase2
must be some other bug, maybe bug 268157, as seen in 2nd line of stack frame
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsHTMLReflowState%3A%3AComputePadding&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

Comment 15

[Robert Strong (they/them - no direct email)]

I was able to crash with testcase 1 using a debug build from today.

Comment 16

[Robert Strong (they/them - no direct email)]

I just verified that by taking out the following either testcase my debug build
from today no longer crashes when viewed locally. This is in the img tag towards
the end of both testcases.
border="9122426235884966334877847689486752756034152801619730234669552883524144378493472595827"

Comment 17

[Bernd]

Attachment: patch

Comment 18

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 165446 [details] [diff] [review]
patch

Why is this the right patch?  In particular, can't tables split in columns even
in non-paginated prescontexts?

Comment 19

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Currently, no. One day, hopefully yes. Although duplicating <thead> frames
across columns in dynamic prescontexts is likely to be a massive architectural
change to do right.

Comment 20

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 165446 [details] [diff] [review]
patch

r+sr=bzbarsky, in that case.... But we may want to add an assert here for cases
when this is triggered.  That way when we try to do this for columns, we'll
know this code needs fixing.

Comment 21

[Robert O'Callahan (:roc) (email my personal email if necessary)]

When we do table breaking in columns, I'll just search for IsPaginated
everywhere in layout/html/table.

Comment 22

[Hermann Schwab]

wfm with tinderbox build 2004111110 having the patch
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a5) Gecko/20041111
Tested both testcases, load/Reload/Shift-Reload multiple times, no crash.

Seen with first testcase:
While loading, there is a vertical scrollbar to the right.
Scrolling is possible using the keyboard, the arrow buttons or the slider of the
scrollbar.
When loading finishes and the marquees start shifting in, the the slider
vanishes, the arrow buttons are grayed out, scroll keys get inactive, scrolling
is impossible. 

check in:

2004-11-11 09:27	bmlk%gmx.de 	
mozilla/ layout/ html/ table/ src/ nsTableRowGroupFrame.cpp 	3.335 	10/3  	Split
row groups works only for paginated media bug 268231 r/sr=bzbarsky

Comment 23

[Bernd]

taking

Comment 24

[Bernd]

Comment on attachment 165446 [details] [diff] [review]
patch

this might be good for branch too

Comment 25

[Mike Kaply [:mkaply]]

Comment on attachment 165446 [details] [diff] [review]
patch

a=mkaply for 1.7.

Please put on the aviary branch as well.

Comment 26

[David Baron :dbaron:]

Comment on attachment 165446 [details] [diff] [review]
patch

Per drivers discussion, we really want to make 1.7.5 match FF 1.0, so changing
these back to requests.  (We might want it for 1.7.6 / FF 1.0.1 or something
like that, so changing to requests, rather than minuses, since we don't really
have flags yet.)

Comment 27

[Ben Fowler]

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20041201
Firefox/1.0+

The testcase in Comment 11 doesn't crash here.

Comment 28

[Boris Zbarsky [:bzbarsky]]

That's because the patch was checked in.....

Comment 29

[Ben Fowler]

If I am out of line in posting this low-content message to an
already fairly long bug, then I apologise, and make the suggestion
that each bug should as well as a link to (for example) the 'search
page' have also a link to either the 'bugzilla etiquette' or a
'bugzilla howto' page.

( http://bugzilla.mozilla.org/page.cgi?id=etiquette.html 1.1 ...
Additional "I see this too" or "It works for me" comments are
unnecessary ... )

I would guess that I have a double dose of the "just catch it" gene
(named for the anecdote in the CVS book) in that I take it
personally when a program crashes, and feel that it should be
possible (on an open system, intended and designed to work properly)
to identify the chain of causation of every crash and find a simple
and effective way of eliminating the crash.

It is also quite difficult to identify problems which are worth
fixing, simple enough for me to produce a patch, the patch is clear
enough to be submitted and worth the developers time, and not
important enough to aleady have a developer working on an maybe have
a fix for. I bet that most of these are crash problems (see Bug
203784 ).

Yes, I occasionally post at least potentially empty comments, and if
asked not to, I will pipe down or shut up entirely. Most (but not
all, see Bug 260388 ) of my comments relate to the Mac OS platform
running a build made here, using the standard methods from the
trunk, no more than a day or two old. Maybe I am wrong, but I would
have thought that nearly always this would produce new and probably
useful information

The reason for posting on this bug was that it was marked as NEW,
and I thought that further information was still required. Although
I could see that a patch was submitted, I could not see that it had
been applied to the trunk and was known to have fixed the problem.
Had the crash occurred then my paragraph 3 would have applied, and I
would have attempted to produce a patch. As there was no crash, I
reported this good news. Speaking for myself, if I were fixing bugs
on Mac OS I would love to hear from people on, say, linux, reporting
that that my work was OK; but this may not be relevant.

http://www.mozilla.org/contribute/ deals with how to help with bugs
in the UNCONFORMED state, but I cannot find guidance for helping
with bugs in the NEW state
http://www.mozilla.org/hacking/life-cycle.html sounds as though it
should, but doesn't.

Comment 30

[Bernd]

Ben: Sorry for the inconvience and the time that you spent but  no need for a
complete roman, here comes the short version:
Bernd sucks in his bug handling; a) mark bugs as assigned when you are working
on them, b) write clearly when you checkin. 
And hmm reading helps (comment 22 )

Comment 31

[Bernd]

fixed on the 1.7 branch

Comment 32

[Jay Patel [:jay]]

verified fixed.  testcase does not cause crash with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050310

Comment 33

[sairuh (rarely reading bugmail)]

mistakenly removed fixed1.7.6 --pardon the bugspam. set your filter/quicksearch
to "ZippidityDooDahHey" to catch these for easy removal/etc/

Comment 34

[Frank Wein [:mcsmurf]]

*** Bug 294053 has been marked as a duplicate of this bug. ***