Closed
Bug 330015
Opened 19 years ago
Closed 19 years ago
Crash with display: table-column-group, table-row, table-column, etc
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 329900
People
(Reporter: martijn.martijn, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 329900] uses freed objects)
Attachments
(1 file)
|
517 bytes,
text/html
|
Details |
See upcoming testcase, which crashes on load.
Backtrace from debug build:
Program received signal SIGSEGV, Segmentation fault.
0x05be4c4e in nsIFrame::GetStateBits() const (this=0xdddddddd)
at c:/mozilla/mozilla/layout/generic/nsIFrame.h:896
896 nsFrameState GetStateBits() const { return mState; }
Current language: auto; currently c++
(gdb) bt
#0 0x05be4c4e in nsIFrame::GetStateBits() const (this=0xdddddddd)
at c:/mozilla/mozilla/layout/generic/nsIFrame.h:896
#1 0x055d51d9 in IncrementalReflow::AddCommand(nsPresContext*, nsHTMLReflowComm
and*) (this=0x22f8f8, aPresContext=0xe595330, aCommand=0xe5d8d20)
at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:896
#2 0x055e6fc3 in PresShell::ProcessReflowCommands(int) (this=0xe5a97a0,
aInterruptible=1) at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6498
#3 0x05b29544 in ReflowEvent::HandleEvent() (this=0xe5a9f10)
at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6351
#4 0x055e66e7 in HandlePLEvent(PLEvent*) (aEvent=0xe5a9f10)
at c:/mozilla/mozilla/layout/base/nsPresShell.cpp:6369
#5 0x6ff34906 in PL_HandleEvent (self=0xe5a9f10)
at c:/mozilla/mozilla/xpcom/threads/plevent.c:688
#6 0x6ff34797 in PL_ProcessPendingEvents (self=0xe38e68)
at c:/mozilla/mozilla/xpcom/threads/plevent.c:623
#7 0x6ff351f5 in _md_EventReceiverProc (hwnd=0x6430170, uMsg=49457,
wParam=0, lParam=14913128)
at c:/mozilla/mozilla/xpcom/threads/plevent.c:1408
#8 0x77d37b17 in USER32!SetWindowPlacement ()
from /cygdrive/c/WINDOWS/system32/user32.dll
#9 0x06430170 in ?? ()
#10 0x0000c131 in ?? ()
Marking security sensitive, because the testcase looks rather similar (I think) to the one in bug 329900.
Also crashes Mozilla1.7.12, so no recent regression.
|
Reporter | |
Comment 1•19 years ago
|
||
|
||
Updated•19 years ago
|
Whiteboard: [sg:critical?] uses freed objects
|
||
Comment 2•19 years ago
|
||
Psuedo-frame fun.... We end up with a cell frame that's not in its parent's frame list, so when the parent dies bad things happen.
To test, comment out the JS in this testcase, and look at what the frame tree looks like -- all of the kids of <head> are missing...
It looks like creating a table row frame doesn't actually add it to aChildList if the parent is a pseudo. Where is that supposed to be handled? I bet it's causing issues here....
Flags: blocking1.9a1+
I think this bug is a dupe of bug 329900, the core issue is the not handling of colgroup pseudos inside ProcessPseudoFrames.
|
|
Reporter | |
Comment 4•19 years ago
|
||
Ok, doesn't crash anymore in 2006-03-28 build, so a duplicate of bug 329900.
*** This bug has been marked as a duplicate of 329900 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•18 years ago
|
Whiteboard: [sg:critical?] uses freed objects → [sg:dupe 329900] uses freed objects
|
|
||
Updated•18 years ago
|
Group: security
|
||
Comment 5•16 years ago
|
||
crash test landed
http://hg.mozilla.org/mozilla-central/rev/7a14ffcb3696
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•