Closed Bug 32794 Opened 24 years ago Closed 23 years ago

UMR: nsContainerFrame::ReflowChild()

Categories: (Core :: Layout: Tables, defect, P3)
Tracking: VERIFIED FIXED, mozilla0.9
People: (Reporter: bruce, Assigned: karnaze)
Attachments: (1 file)

Today's build.  Loading sample #4 in viewer.  I did some scrolling and selection
and stuff as well.

      UMR: Uninitialized memory read
      This is occurring while in:
            nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,int,int,unsigned int,unsigned int&) [nsContainerFrame.cpp:669]

                 // If the reflow was successful and the child frame is complete, delete any
                 // next-in-flows
            =>   if (NS_SUCCEEDED(result) && NS_FRAME_IS_COMPLETE(aStatus)) {
                   nsIFrame* kidNextInFlow;
                   aKidFrame->GetNextInFlow(&kidNextInFlow);
                   if (nsnull != kidNextInFlow) {

            nsTableRowFrame::ResizeReflow(nsIPresContext*,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&,int) [nsTableRowFrame.cpp:895]
                                                        nsSize(0,0), eReflowReason_Resize);
                       nsHTMLReflowMetrics desiredSize(nsnull);
                       nsReflowStatus  status;
            =>         ReflowChild(kidFrame, aPresContext, desiredSize, kidReflowState, 0, 0, 0, status);
                       kidFrame->DidReflow(aPresContext, NS_FRAME_REFLOW_FINISHED);
                     }
                   }

            nsTableRowFrame::IR_TargetIsMe(nsIPresContext*,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&) [nsTableRowFrame.cpp:1155]
            nsTableRowFrame::IncrementalReflow(nsIPresContext*,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&) [nsTableRowFrame.cpp:1120]
            nsTableRowFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowFrame.cpp:1378]
            nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,int,int,unsigned int,unsigned int&) [nsContainerFrame.cpp:646]
            nsTableRowGroupFrame::IR_TargetIsChild(nsIPresContext*,nsHTMLReflowMetrics&,RowGroupReflowState&,unsigned int&,nsIFrame*) [nsTableRowGroupFrame.cpp:1525]
            nsTableRowGroupFrame::IncrementalReflow(nsIPresContext*,nsHTMLReflowMetrics&,RowGroupReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:1173]
            nsTableRowGroupFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableRowGroupFrame.cpp:1074]
            nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,int,int,unsigned int,unsigned int&) [nsContainerFrame.cpp:646]
            nsTableFrame::IR_TargetIsChild(nsIPresContext*,nsHTMLReflowMetrics&,InnerTableReflowState&,unsigned int&,nsIFrame*) [nsTableFrame.cpp:2697]
            nsTableFrame::IncrementalReflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableFrame.cpp:2490]
            nsTableFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableFrame.cpp:1531]
            nsContainerFrame::ReflowChild(nsIFrame*,nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,int,int,unsigned int,unsigned int&) [nsContainerFrame.cpp:646]
            nsTableOuterFrame::IR_InnerTableReflow(nsIPresContext*,nsHTMLReflowMetrics&,OuterTableReflowState&,unsigned int&) [nsTableOuterFrame.cpp:724]
            nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsIPresContext*,nsHTMLReflowMetrics&,OuterTableReflowState&,unsigned int&) [nsTableOuterFrame.cpp:498]
            nsTableOuterFrame::IR_TargetIsChild(nsIPresContext*,nsHTMLReflowMetrics&,OuterTableReflowState&,unsigned int&,nsIFrame*) [nsTableOuterFrame.cpp:465]
            nsTableOuterFrame::IncrementalReflow(nsIPresContext*,nsHTMLReflowMetrics&,OuterTableReflowState&,unsigned int&) [nsTableOuterFrame.cpp:445]
            nsTableOuterFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsTableOuterFrame.cpp:957]
            nsBlockReflowContext::ReflowBlock(nsIFrame*,const nsRect&,int,int,int,nsMargin&,unsigned int&) [nsBlockReflowContext.cpp:449]
            nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&,nsLineBox*,int*) [nsBlockFrame.cpp:3538]
            nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*,int) [nsBlockFrame.cpp:2851]
            nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) [nsBlockFrame.cpp:2658]
            nsBlockFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:1577]
            nsBlockReflowContext::ReflowBlock(nsIFrame*,const nsRect&,int,int,int,nsMargin&,unsigned int&) [nsBlockReflowContext.cpp:449]
            nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&,nsLineBox*,int*) [nsBlockFrame.cpp:3538]
            nsBlockFrame::ReflowLine(nsBlockReflowState&,nsLineBox*,int*,int) [nsBlockFrame.cpp:2851]
            nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) [nsBlockFrame.cpp:2658]
            nsBlockFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsBlockFrame.cpp:1577]
            nsAreaFrame::Reflow(nsIPresContext*,nsHTMLReflowMetrics&,const nsHTMLReflowState&,unsigned int&) [nsAreaFrame.cpp:272]
      Reading 4 bytes from 0xefffab00 on the stack.
      Address 0xefffab00 is 344 bytes below frame pointer in function nsTableRowFrame::ResizeReflow(nsIPresContext*,nsHTMLReflowMetrics&,RowReflowState&,unsigned int&,int).
Status: NEW → ASSIGNED
Target Milestone: --- → M16
Moving to M17.
Target Milestone: M16 → M17
I think bruce's arrows are misleading.  When nsContainerFrame::ReflowChild gets
to the point where it hits the UMR, it has already called

result = aKidFrame->Reflow(aPresContext, aDesiredSize, aReflowState,
                           aStatus);

nsIFrame.h says Reflow should set the aStatus out param.  So the bug here is
probably that some child reflow method didn't set aStatus.

Since the parent reflow method was nsTableRowFrame, I'd have to guess the bug
might be in nsTableCellFrame...
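
The out-parameter contract discussed in the comment above, modelled as an added example (not code from this bug, its patch, or the Mozilla tree): the caller poisons the status before the call and refuses to branch on it if the child left it untouched. Frame, LeakyCell, FixedCell, ReflowChildChecked and the status constants are hypothetical stand-ins, and the poison value assumes no valid status uses those bits.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-ins for the status type and flags in the report.
using ReflowStatus = std::uint32_t;
constexpr ReflowStatus kComplete    = 0x0;
constexpr ReflowStatus kNotComplete = 0x1;
// Assumption of this model: no valid status ever equals the poison value.
constexpr ReflowStatus kPoison = 0xDEADBEEF;

struct Frame {
  virtual ~Frame() = default;
  // Contract: every return path must write aStatus.
  virtual bool Reflow(int aAvailWidth, ReflowStatus& aStatus) = 0;
};

// Defect pattern: an early return leaves the out-parameter untouched.
struct LeakyCell : Frame {
  bool Reflow(int aAvailWidth, ReflowStatus& aStatus) override {
    if (aAvailWidth == 0) return true;  // aStatus never written on this path
    aStatus = (aAvailWidth < 100) ? kNotComplete : kComplete;
    return true;
  }
};

// Contract honoured: assign a default first, refine afterwards.
struct FixedCell : Frame {
  bool Reflow(int aAvailWidth, ReflowStatus& aStatus) override {
    aStatus = kComplete;
    if (aAvailWidth > 0 && aAvailWidth < 100) aStatus = kNotComplete;
    return true;
  }
};

enum class ChildResult { Complete, NotComplete, Failed, StatusNotSet };

// Caller-side check: the local is initialised to the poison value, so it is
// never read while indeterminate, and a callee that skipped the write is
// reported instead of being silently treated as complete or incomplete.
ChildResult ReflowChildChecked(Frame& aKid, int aAvailWidth) {
  ReflowStatus status = kPoison;
  if (!aKid.Reflow(aAvailWidth, status)) return ChildResult::Failed;
  if (status == kPoison) return ChildResult::StatusNotSet;
  return (status & kNotComplete) ? ChildResult::NotComplete
                                 : ChildResult::Complete;
}

int main() {
  LeakyCell leaky;
  FixedCell fixed;
  std::printf("leaky, width 0: %d\n", static_cast<int>(ReflowChildChecked(leaky, 0)));
  std::printf("fixed, width 0: %d\n", static_cast<int>(ReflowChildChecked(fixed, 0)));
  return 0;
}
```
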
Keywords: mozilla0.9
(Just for the record, those arrows are from Purify .. not me.)
Keywords: donttest
Target Milestone: M17 → ---
moving to m0.9.1
Target Milestone: --- → mozilla0.9.1
QA contact update
QA Contact: chrisd → amar
Moving to m0.9
Target Milestone: mozilla0.9.1 → mozilla0.9
Keywords: patch
sr=attinasi
The patch is in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Marking verified

Status: RESOLVED → VERIFIED