Closed Bug 341227 Opened 19 years ago Closed 18 years ago

Crash called from [@ nsIFrame::GetStyleData] called from nsCSSRendering::PaintBackgroundWithSC

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

testcase
451 bytes, application/xhtml+xml
Details
gdb output (mac debug)
7.54 KB, text/plain
Details 
This testcase crashes a debug build that has the patches for bug 339130, bug 339246, and bug 339315.

The stack traces are somewhat similar to those in bug 339246 and bug 339315.

Before the crash, I see:

2 * ###!!! ASSERTION: invalid number of columns: 'colX < GetColCount()', file /Users/admin/trunk/mozilla/layout/tables/nsTableFrame.cpp, line 1677

1 * ###!!! ASSERTION: prevent array boundary violation: 'colIndex < mNumCols', file /Users/admin/trunk/mozilla/layout/tables/nsTablePainter.cpp, line 416
Attached file testcase 

    
    

    
  

      
      
      
      

        Attached file
          
        gdb output (mac debug)
      

    


  

    
    

    
  
> The stack traces are somewhat similar to those in bug 339246 and bug 339315.

And bug 339165.
Whiteboard: [sg:critical?]

    
    

    
  
the revised patch in bug 339246 fixes the crash but not the assertion, the assertion is a critical one as it indicates a severe mismatch between the frame structure and the cellmap.  This usually crashes with the first style reference either to noninitialzed memory or for a allready deleted cell position.

    
    

    
  
attchment 225587 from bug 339246 fixes this entirely, no assertion no crash.

    
  
Depends on: 339246

    
    

    
  
I think bug 341814 has the same stack signature.

    
    

    
  
marking fixed
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Yes, current trunk debug build doesn't crash (as normal trunk builds don't crash) on the testcase and I don't see any assertions.
So this is most likely fixed by bug 339246, as bernd said in comment 5.
Status: RESOLVED → VERIFIED

    
    

    
  
Just tested this on firefox 1.5.0.8 no crash with the testcase.
Keywords: fixed1.8.1, 
          
            verified1.8.0.8
Group: security
Flags: in-testsuite?

    
    

    
  
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsIFrame::GetStyleData]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: