Closed
Bug 344057
Opened 19 years ago
Closed 19 years ago
Crash [@ nsTableFrame::GetRowGroupFrame] on 1.8.1 branch
Categories
(Core :: Layout: Tables, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: bernd_mozilla)
References
Details
(4 keywords, Whiteboard: [sg:critical?] maybe fixed by bug 336291)
Crash Data
Attachments
(1 file)
|
475 bytes,
application/xhtml+xml
|
Details |
See upcoming testcase, which crashes current 1.8.1 branch on load.
It doesn't crash 1.8.0.4 or current trunk build.
I can reduce the testcase further if asked.
I'm using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060709 BonEcho/2.0b1
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Updated•19 years ago
|
Version: Trunk → 1.8 Branch
|
|
Reporter | |
Comment 2•19 years ago
|
||
Talkback ID: TB20764795Z
nsTableFrame::GetRowGroupFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/tables/nsTableFrame.cpp, line 1226]
ProcessPseudoRowGroupFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 2500]
ProcessPseudoFrames [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 2716]
nsCSSFrameConstructor::TableProcessChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 4117]
nsCSSFrameConstructor::ConstructTableRowFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 3812]
nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6862]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7903]
nsCSSFrameConstructor::ConstructFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7715]
nsCSSFrameConstructor::ProcessChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12091]
nsCSSFrameConstructor::ConstructBlock [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13147]
nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6705]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7903]
nsCSSFrameConstructor::ConstructFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7715]
nsCSSFrameConstructor::ProcessInlineChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13389]
nsCSSFrameConstructor::ConstructInline [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13201]
nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6775]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7903]
nsCSSFrameConstructor::ConstructFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7715]
nsCSSFrameConstructor::ProcessChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12091]
nsCSSFrameConstructor::ConstructBlock [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13147]
nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6705]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7903]
nsCSSFrameConstructor::ConstructFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7715]
nsCSSFrameConstructor::ProcessChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12091]
nsCSSFrameConstructor::ConstructDocElementFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 4615]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9235]
PresShell::InitialReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 2834]
nsContentSink::StartLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsContentSink.cpp, line 924]
nsXMLContentSink::StartLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 875]
nsXMLContentSink::DidBuildModel [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 343]
nsExpatDriver::DidBuildModel [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsExpatDriver.cpp, line 1227]
|
|
Reporter | |
Comment 3•19 years ago
|
||
I just found also an example that crashes 1.8.0.5 branch builds with the same stacktrace.
|
|
Reporter | |
Comment 4•19 years ago
|
||
Probably fixed on trunk by bug 336291.
|
||
Comment 5•19 years ago
|
||
On 1.5.0.5 with this testcase I eventually crash on a null dereference, but the way the browser semi-hung (got unresponsive, wouldn't load anything although the menu items worked) makes me worry about memory corruption.
1.8.1 crashed right away at the same spot (null dereference). Less worried about that, so maybe my 1.5.0.5 is seeing one of the other table bugs Bernd has fixed recently that has gotten landed on the 1.8 branch. I don't see any that aren't also in 1.8.0.5 though.
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:critical?] maybe fixed by bug 336291
|
||
Updated•19 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.6? → blocking1.8.0.6+
Martijn, I checked in the fix for bug 336291 on 2006-07-29 into 1.8.1 does that fix this bug?
|
|
Reporter | |
Comment 7•19 years ago
|
||
Yes.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Updated•19 years ago
|
Keywords: fixed1.8.1
|
|
Reporter | |
Comment 8•19 years ago
|
||
Bug 336291 is now also fixed on the 1.8.0 branch.
Keywords: fixed1.8.0.7
|
||
Comment 9•19 years ago
|
||
https://bugzilla.mozilla.org/attachment.cgi?id=228631&action=view
ff2b2 debug/nightly windows/linux no crash
verified fixed 1.8
Keywords: fixed1.8.1 → verified1.8.1
|
||
Comment 10•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre
https://bugzilla.mozilla.org/attachment.cgi?id=228631&action=view should not crash browser
verified 1.8.0.7
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.7 → verified1.8.0.7
|
|
||
Updated•18 years ago
|
Group: security
Flags: in-testsuite?
|
|
||
Comment 11•16 years ago
|
||
crash test landed
http://hg.mozilla.org/mozilla-central/rev/f7d7dabed4ee
sorry, ci comment referenced wrong bug. :-(
Flags: in-testsuite? → in-testsuite+
|
||
Comment 12•15 years ago
|
||
Changed the encoding:
http://hg.mozilla.org/mozilla-central/rev/b46704fdacc2
|
||
Updated•14 years ago
|
Crash Signature: [@ nsTableFrame::GetRowGroupFrame]
You need to log in
before you can comment on or make changes to this bug.
Description
•