Closed Bug 269648 Opened 20 years ago Closed 20 years ago

crash @[nsTableRowFrame::ReflowChildren]

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bernd_mozilla, Assigned: bernd_mozilla)

References

(
URL
)

Details

(Keywords: crash, qawanted)

Attachments

(2 files, 2 obsolete files)

testcase
428 bytes, text/html
Details
rev2
10.52 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
load url

produce stacktrace 

nsTableRowFrame::ReflowChildren(nsTableRowFrame * const 0x0381147c,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, nsTableFrame & {...}, unsigned int & 0, int 0) line 891 + 25 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x0381147c, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1407 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0381147c, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableRowGroupFrame::ReflowChildren(nsTableRowGroupFrame * const 0x038113a0,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState &
{...}, unsigned int & 0, nsTableRowFrame * 0x00000000, int 0, nsTableRowFrame *
* 0x00000000, int * 0x00129fb4) line 386 + 41 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x038113a0,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, unsigned int & 0) line 1239 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x038113a0, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableFrame::ReflowChildren(nsTableFrame * const 0x03811294, nsPresContext *
0x035e7648, nsTableReflowState & {...}, int 1, int 0, unsigned int & 0, nsIFrame
* & 0x00000000, nsRect & {...}, int * 0x00000000) line 3233 + 45 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x03811294, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1932
nsContainerFrame::ReflowChild(nsIFrame * 0x03811294, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 3, unsigned int & 0) line 958 + 26 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x03811188,
nsPresContext * 0x035e7648, nsIFrame * 0x03811294, const nsHTMLReflowState &
{...}, nsHTMLReflowMetrics & {...}, int 1073741824, nsSize & {...}, nsMargin &
{...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_Initial,
unsigned int & 0, int * 0x00000000) line 1328 + 41 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x03811188, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1995 + 69 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 526 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012b434) line 3212 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012b434, int 1) line 2464 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2120 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x035bdf1c, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 835 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x035bdf1c, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x035bdebc, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 866
nsContainerFrame::ReflowChild(nsIFrame * 0x035bdebc, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 2172, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableRowFrame::IR_TargetIsChild(nsTableRowFrame * const 0x0365eb58,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, nsTableFrame & {...}, unsigned int & 0, nsIFrame * 0x035bdebc) line
1234 + 41 bytes
nsTableRowFrame::IncrementalReflow(nsTableRowFrame * const 0x0365eb58,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, nsTableFrame & {...}, unsigned int & 0) line 1119 + 58 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x0365eb58, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1417 + 29 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0365eb58, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableRowGroupFrame::IR_TargetIsChild(nsTableRowGroupFrame * const 0x03672d20,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState &
{...}, unsigned int & 0, nsIFrame * 0x0365eb58) line 1646 + 41 bytes
nsTableRowGroupFrame::IncrementalReflow(nsTableRowGroupFrame * const 0x03672d20,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState &
{...}, unsigned int & 0) line 1324 + 55 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x03672d20,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, unsigned int & 0) line 1230 + 27 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03672d20, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
nsTableFrame::IR_TargetIsChild(nsTableFrame * const 0x03672b78, nsPresContext *
0x035e7648, nsTableReflowState & {...}, unsigned int & 0, nsIFrame * 0x03672d20)
line 2974 + 45 bytes
nsTableFrame::IncrementalReflow(nsTableFrame * const 0x03672b78, nsPresContext *
0x035e7648, const nsHTMLReflowState & {...}, unsigned int & 0) line 2683 + 53 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x03672b78, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1948 + 23 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03672b78, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 3, unsigned int & 0) line 958 + 26 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x036729c8,
nsPresContext * 0x035e7648, nsIFrame * 0x03672b78, const nsHTMLReflowState &
{...}, nsHTMLReflowMetrics & {...}, int 14316, nsSize & {...}, nsMargin & {...},
nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_Incremental,
unsigned int & 0, int * 0x0012c9a0) line 1328 + 41 bytes
nsTableOuterFrame::IR_InnerTableReflow(nsTableOuterFrame * const 0x036729c8,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, unsigned int & 0) line 1688 + 71 bytes
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsTableOuterFrame * const
0x036729c8, nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const
nsHTMLReflowState & {...}, unsigned int & 0) line 1441 + 26 bytes
nsTableOuterFrame::IR_TargetIsChild(nsTableOuterFrame * const 0x036729c8,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, unsigned int & 0, nsIFrame * 0x03672b78) line 1414 + 26 bytes
nsTableOuterFrame::IncrementalReflow(nsTableOuterFrame * const 0x036729c8,
nsPresContext * 0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState
& {...}, unsigned int & 0) line 1394 + 55 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x036729c8, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1953 + 26 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012d7cc) line 3212 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012d7cc, int 1) line 2464 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2120 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037c5024, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 835 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1,
nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...},
unsigned int & 0) line 543 + 51 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012e780) line 3212 + 67 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012e780, int 1) line 2464 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2120 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x037c4e10, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 835 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037c4e10, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x035dcab0, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 551
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0,
int 0, int 0, int 14316, int 12156, int 1) line 5266
nsFrame::DoLayout(nsFrame * const 0x035dcab0, nsBoxLayoutState & {...}) line
5008 + 39 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x035dcd20, nsBoxLayoutState
& {...}) line 333
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x035dcd20, const
nsRect & {...}) line 2683 + 11 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame *
0x035dcd20, const nsRect & {...}) line 1670 + 14 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813
nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x035dcbe0,
nsBoxLayoutState & {...}) line 577 + 17 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 805
nsBoxFrame::Reflow(nsBoxFrame * const 0x035dcbe0, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 853
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x035dcbe0, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 506 + 20 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x035dcbe0, nsPresContext * 0x035e7648,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 958 + 26 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x035dc9a8, nsPresContext *
0x035e7648, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 40 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x035e7648, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 906
PresShell::ProcessReflowCommands(int 1) line 6296
ReflowEvent::HandleEvent() line 6125
HandlePLEvent(ReflowEvent * 0x03780168) line 6142
PL_HandleEvent(PLEvent * 0x03780168) line 692 + 9 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ed1ef0) line 627 + 8 bytes
_md_EventReceiverProc(HWND__ * 0x001c03a6, unsigned int 49383, unsigned int 0,
long 15539952) line 1433 + 8 bytes
USER32! 77d18709()
USER32! 77d187eb()
USER32! 77d189a5()
USER32! 77d189e8()
nsAppShell::Run(nsAppShell * const 0x00f9aa90) line 135
nsAppStartup::Run(nsAppStartup * const 0x00f9a810) line 221
main1(int 3, char * * 0x002a4260, nsISupports * 0x00eb2ce8) line 1321 + 31 bytes
main(int 3, char * * 0x002a4260) line 1799 + 34 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()


we crash at 

cellFrame->GetColIndex(cellColIndex);

GetColIndex is virtual and the nsITableCellLayout virtual function pointer is null
hmmm I even cant create a testcase from this page they are doing something
really fancy
Keywords: qawanted
Attached file testcase 
this does not crash but demonstrates a related problem
Attached patch patch (obsolete) — Splinter Review 
this patch moves the last real col group voodoo inside the table frame where it
is already correctly handled.
Boris, could you please have a short look at the patch whether it goes into the
right direction (thats not a review). The code at
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#2482
does IMHO the correct thing. With the attached patch I dont see any assert in
the url and the testcase. Neither does it crash. There is however still a reflow
problem in the testcase which might be splitted out of the bug, but it would be
cool if you could stop me if i am going completely in the wrong direction.
Assignee: nobody → bernd_mozilla
This makes sense, yes... Do we still want to be sticking col frames into the
colgroup list of their parent (presumably the colgroup)?
Attached patch more complete patch (obsolete) — Splinter Review 
The patch fixes also a couple of build warnings and the warnings found with
prefast.
Attachment #166354 - Attachment is obsolete: true
Attached patch rev2Splinter Review 
fix the else after a return too
Attachment #166606 - Attachment is obsolete: true
Attachment #166608 - Flags: superreview?(bzbarsky)
Attachment #166608 - Flags: review?(bzbarsky)
Comment on attachment 166608 [details] [diff] [review]
rev2

>Index: table/src/nsTableFrame.cpp
> void DumpTableFramesRecur(nsIFrame*       aFrame,

>+  aIndent = PR_MIN(aIndent, MAX_SIZE - MIN_INDENT);

You want PR_MAX, no?

With that, r+sr=bzbarsky
Attachment #166608 - Flags: superreview?(bzbarsky)
Attachment #166608 - Flags: superreview+
Attachment #166608 - Flags: review?(bzbarsky)
Attachment #166608 - Flags: review+
Nevemind the PR_MAX comment in comment 8.  The patch is good as-is.
fix checked in, if any of the clobbers goes red back me out please.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
This caused another crash bug -- bug 278385.
Blocks: 278385
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: