Closed Bug 330015 Opened 18 years ago Closed 18 years ago

Crash with display: table-column-group, table-row, table-column, etc

Categories

(Core :: Layout: Tables, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 329900

People

(Reporter: martijn.martijn, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 329900] uses freed objects)

Attachments

(1 file)

See upcoming testcase, which crashes on load.

Backtrace from debug build:
Program received signal SIGSEGV, Segmentation fault.
0x05be4c4e in nsIFrame::GetStateBits() const (this=0xdddddddd)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:896
896       nsFrameState GetStateBits() const { return mState; }
Current language:  auto; currently c++
(gdb) bt
#0  0x05be4c4e in nsIFrame::GetStateBits() const (this=0xdddddddd)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:896
#1  0x055d51d9 in IncrementalReflow::AddCommand(nsPresContext*, nsHTMLReflowCommand*) (this=0x22f8f8, aPresContext=0xe595330, aCommand=0xe5d8d20)
    at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:896
#2  0x055e6fc3 in PresShell::ProcessReflowCommands(int) (this=0xe5a97a0,
    aInterruptible=1) at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6498
#3  0x05b29544 in ReflowEvent::HandleEvent() (this=0xe5a9f10)
    at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6351
#4  0x055e66e7 in HandlePLEvent(PLEvent*) (aEvent=0xe5a9f10)
    at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6369
#5  0x6ff34906 in PL_HandleEvent (self=0xe5a9f10)
    at c:/mozilla/mozilla/xpcom/threads/plevent.c:688
#6  0x6ff34797 in PL_ProcessPendingEvents (self=0xe38e68)
    at c:/mozilla/mozilla/xpcom/threads/plevent.c:623
#7  0x6ff351f5 in _md_EventReceiverProc (hwnd=0x6430170, uMsg=49457,
    wParam=0, lParam=14913128)
    at c:/mozilla/mozilla/xpcom/threads/plevent.c:1408
#8  0x77d37b17 in USER32!SetWindowPlacement ()
   from /cygdrive/c/WINDOWS/system32/user32.dll
#9  0x06430170 in ?? ()
#10 0x0000c131 in ?? ()

Marking security sensitive, because the testcase looks rather similar (I think) to the one in bug 329900.

Also crashes Mozilla 1.7.12, so no recent regression.
Attached file testcase
Whiteboard: [sg:critical?] uses freed objects
Pseudo-frame fun....  We end up with a cell frame that's not in its parent's frame list, so when the parent dies bad things happen.

To test, comment out the JS in this testcase, and look at what the frame tree looks like -- all of the kids of <head> are missing...

It looks like creating a table row frame doesn't actually add it to aChildList if the parent is a pseudo.  Where is that supposed to be handled?  I bet it's causing issues here....
Flags: blocking1.9a1+
I think this bug is a dupe of bug 329900; the core issue is that colgroup pseudos are not handled inside ProcessPseudoFrames.
Depends on: 329900
Ok, doesn't crash anymore in 2006-03-28 build, so a duplicate of bug 329900.

*** This bug has been marked as a duplicate of 329900 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] uses freed objects → [sg:dupe 329900] uses freed objects
Group: security
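
The failure mode discussed in the comments above (a cell frame that is missing from its parent's frame list, followed by a walk through freed memory) as a simplified C model. This is an added example, not Gecko code and not part of the original bug. The names Frame, frame_new, frame_destroy, is_poison and walk_to_root are hypothetical, and the 0xdd fill on free is an assumption taken from this=0xdddddddd in frame #0.

```c
#include <string.h>

/* Toy frame tree, not Gecko code. Assumption: freed frame memory is filled
 * with 0xdd, as this=0xdddddddd in frame #0 of the backtrace suggests. */
typedef struct Frame {
    struct Frame *parent, *first_child, *next_sibling;
} Frame;
static Frame arena[8]; static int used;   /* freed slots stay mapped */

static Frame *frame_new(Frame *parent, int link_into_parent) {
    Frame *f = &arena[used++];
    memset(f, 0, sizeof *f);
    f->parent = parent;
    if (parent && link_into_parent) {   /* the buggy path skips this */
        f->next_sibling = parent->first_child;
        parent->first_child = f;
    }
    return f;
}

/* Destroys a frame plus only the children found in its child list. */
static void frame_destroy(Frame *f) {
    for (Frame *c = f->first_child, *n; c; c = n) {
        n = c->next_sibling;
        frame_destroy(c);
    }
    memset(f, 0xdd, sizeof *f);
}

static int is_poison(const void *field) {   /* compares raw pointer bytes */
    unsigned char want[sizeof(void *)];
    return memcmp(field, memset(want, 0xdd, sizeof want), sizeof want) == 0;
}

/* Depth below the root, or -1 where an unchecked walk would use poison. */
static int walk_to_root(const Frame *f) {
    int depth = 0;
    for (; f; f = f->parent, depth++)
        if (is_poison(&f->parent)) return -1;
    return depth;
}

static int orphan_walk_after_teardown(void) {
    used = 0;
    Frame *root = frame_new(NULL, 0), *pseudo = frame_new(root, 1);
    Frame *cell = frame_new(pseudo, 0);   /* never linked into pseudo */
    frame_destroy(root);                  /* frees root and pseudo only */
    return walk_to_root(cell);
}
```

The orphaned cell survives teardown with a parent pointer into a freed slot, so the next read of that slot's parent field yields an all-0xdd pointer, which is the value the debugger shows as `this`.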