Crash [@ nsTableColGroupFrame::GetStartColumnIndex]

VERIFIED FIXED

Status


Core
Layout: Tables
--
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: Mats Palmgren (vacation - back in August), Assigned: Bernd)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
crash, qawanted, verified1.8.0.7, verified1.8.1
Bug Flags:
blocking1.8.0.7 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 339315] freed memory, crash signature)

Attachments

(2 attachments)

Created attachment 223251 [details]
stack

I think this is <colgroup> specific so make sure you use StirTable v0.2

Comment 2

11 years ago
I think this is the same as bug 339315, because while reducing a testcase for this crash, I ended up with that crash.
Depends on: 339315

Comment 3

11 years ago
Or maybe not, since I got a testcase for this crash that doesn't involve crazy rowspans or colspans.

Comment 4

11 years ago
Created attachment 223515 [details]
testcase

Crashes Mac debug with:

0   nsTableColGroupFrame::GetStartColumnIndex() + 20 (nsTableColGroupFrame.h:284)
1   BCMapCellIterator::SetInfo(nsTableRowFrame*, int, CellData*, BCMapCellInfo&, nsCellMap*) + 1504 (nsTableFrame.cpp:4772)
2   BCMapCellIterator::First(BCMapCellInfo&) + 292 (nsTableFrame.cpp:4863)
3   nsTableFrame::CalcBCBorders() + 1056 (nsTableFrame.cpp:5749)
...

Crashes Mac nightly with:

0   BCMapCellIterator::SetInfo(nsTableRowFrame*, int, CellData*, BCMapCellInfo&, nsCellMap*) + 640
1   nsTableFrame::CalcBCBorders() + 560
...

Comment 5

11 years ago
"KERN_INVALID_ADDRESS (0x0001) at 0xddddde19" => [sg:critical]
OS: Linux → All
Hardware: PC → All
Whiteboard: [sg:critical]
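
Why the fault address quoted in comment 5 points at freed memory, as an added example that is not part of the original bug report or of Mozilla's code: it assumes the build overwrites freed objects with the byte 0xDD, so a pointer read back from a freed object is 0xDDDDDDDD and the crash address is that value plus a member offset. The function name and both thresholds are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed triage thresholds, not taken from the bug report. */
#define NULL_PAGE_LIMIT  0x1000u   /* faults below this look like NULL + offset */
#define MAX_FIELD_OFFSET 0x10000u  /* largest member offset considered plausible */

enum verdict { NEAR_NULL, FREED_POISON, UNCLASSIFIED };

/* Classify a 32-bit fault address. `fill` is the byte the allocator is
 * assumed to write over freed memory (0xDD in this sketch). When the
 * verdict is FREED_POISON or NEAR_NULL, *offset receives the distance
 * from the base pointer, i.e. the offset of the member being read. */
enum verdict classify_fault(uint32_t fault, uint8_t fill, uint32_t *offset)
{
    uint32_t poison = 0x01010101u * fill;  /* fill byte repeated four times */
    uint32_t delta = fault - poison;       /* wraps to a huge value if fault < poison */

    if (fault < NULL_PAGE_LIMIT) {
        *offset = fault;
        return NEAR_NULL;
    }
    if (delta < MAX_FIELD_OFFSET) {
        *offset = delta;
        return FREED_POISON;
    }
    *offset = 0;
    return UNCLASSIFIED;
}

int main(void)
{
    static const char *names[] = { "near-NULL", "freed-memory poison", "unclassified" };
    /* First address is the one quoted in comment 5; the other two are constructed. */
    const uint32_t samples[] = { 0xddddde19u, 0x00000014u, 0x0804a3f0u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t off;
        enum verdict v = classify_fault(samples[i], 0xDD, &off);
        printf("0x%08x: %s, offset 0x%x\n", (unsigned)samples[i], names[v], (unsigned)off);
    }
    return 0;
}
```

For 0xddddde19 the result is freed-memory poison at offset 0x3c, which matches the "freed memory" note later added to the whiteboard.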
(Assignee)

Comment 6

11 years ago
the patch in bug 339315 seems to fix this.
qawanted to verify that bug 339315 fixes this (comment 6)
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Keywords: qawanted
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical] freed memory

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Flags: blocking1.8.0.6? → blocking1.8.0.6+
Whiteboard: [sg:critical] freed memory → [sg:dupe 339315] freed memory
(Assignee)

Comment 8

11 years ago
reopening to take the bug
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 9

11 years ago
taking
Assignee: nobody → bernd_mozilla
Status: REOPENED → NEW
(Assignee)

Comment 10

11 years ago
closing it again

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 11

11 years ago
Marking fixed 1.8.1 and clearing the blocking flag
Flags: blocking1.8.1+
Keywords: fixed1.8.1
(Assignee)

Comment 12

11 years ago
this got fixed on branch by bug 339315
Keywords: fixed1.8.0.7
https://bugzilla.mozilla.org/attachment.cgi?id=223515&action=view should load without crashing

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre

verified 1.8.0.7

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/2006082203 BonEcho/2.0b2

verified 1.8.1b2
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.7, fixed1.8.1 → verified1.8.0.7, verified1.8.1
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsTableColGroupFrame::GetStartColumnIndex]