Closed Bug 368651 Opened 18 years ago Closed 17 years ago

[FIX]Crash [@ nsCellMapColumnIterator::GetNextFrame] with zero rowspan

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(6 files, 2 obsolete files)

Testcase with text so you can see layout
432 bytes, application/xhtml+xml
Details
Same but without the JS -- just static page
201 bytes, application/xhtml+xml
Details
HTML version of crashing testcase
510 bytes, text/html
Details
HTML version of static testcase
226 bytes, text/html
Details
Pathch
3.61 KB, patch
bernd_mozilla
: review-
Details | Diff | Splinter Review
patch based on mContentRowCount
2.76 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Attached file testcase (obsolete) — 
Loading the testcase makes Firefox crash [@ nsCellMapColumnIterator::GetNextFrame].
In a debug build, I see

###!!! ASSERTION: Bogus mOrigCells?: 'mCurMapRow < mCurMapRelevantRowCount', file /Users/admin/trunk/mozilla/layout/tables/nsCellMap.cpp, line 2763

before the crash.
also crashed on

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a2pre) Gecko/20070129 Minefield/3.0a2pre ID:2007012917 [cairo]

Talkback ID: TB28838680Y
nsTableCellMap::GetEffectiveColSpan  [mozilla\layout\tables\nscellmap.cpp, line 412]
BasicTableLayoutStrategy::ComputeColumnIntrinsicWidths  [mozilla\layout\tables\basictablelayoutstrategy.cpp, line 381]
SearchTable  [mozilla\xpcom\build\pldhash.c, line 421]
BasicTableLayoutStrategy::ComputeIntrinsicWidths  [mozilla\layout\tables\basictablelayoutstrategy.cpp, line 596]
nsTableRowFrame::GetContinuousBCBorderWidth  [mozilla\layout\tables\nstablerowframe.h, line 433]
nsTableFrame::OrderRowGroups  [mozilla\layout\tables\nstableframe.cpp, line 2702]
nsFrame::ComputeSize  [mozilla\layout\generic\nsframe.cpp, line 3141]
nsTableFrame::OrderRowGroups  [mozilla\layout\tables\nstableframe.cpp, line 2667]
nsHTMLReflowState::nsHTMLReflowState  [mozilla\layout\generic\nshtmlreflowstate.cpp, line 137]
nsPopupFrameList::nsPopupFrameList  [mozilla\layout\xul\base\src\nspopupsetframe.cpp, line 86]
nsTableOuterFrame::GetMargin  [mozilla\layout\tables\nstableouterframe.cpp, line 445]
nsTableOuterFrame::OuterReflowChild  [mozilla\layout\tables\nstableouterframe.cpp, line 1123]
nsTableOuterFrame::Reflow  [mozilla\layout\tables\nstableouterframe.cpp, line 1228]
OS: Mac OS X → All
Hardware: Macintosh → All

        Attachment #253273 -
        Attachment is obsolete: true
Blocks: 352461

    
    

    
  

      
      
      
      

        Attached patch
          
          
        PathchSplinter Review
      

    


  
It's not my fault!  It's a cellmap bug, I tell you!

If you grab a build from before bug 368651 landed and load the "Testcase with text so you can see layout" and the "Same but without the JS -- just static page" testcase, they render differently.  They shouldn't.  The reason they do is that CellsSpanInOrOut doesn't detect this case, since there's nothing in the row in question _yet_.  There will be once the row is added, however...

The HTML versions of those testcases show the same problem.

I just realized that we don't honor zero-spans in quirks mode, so ignore the quirks testcase.  ;)

        Attachment #253301 -
        Flags: review?(bernd_mozilla)
Assignee: nobody → bzbarsky
Summary: Crash [@ nsCellMapColumnIterator::GetNextFrame] with zero rowspan → [FIX]Crash [@ nsCellMapColumnIterator::GetNextFrame] with zero rowspan
Target Milestone: --- → mozilla1.9alpha

    
  

        Attachment #253299 -
        Attachment description: HTML quirks version of static testcase → HTML quirks version (rowspan=0 not supported in quirks mode)

        Attachment #253299 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 253301 [details] [diff] [review]
Pathch

basing decisions with zero rowspans on numrows
as in 
> if (aStartRowIndex == numRows && numRows > 0) {

is wrong. Zerorowspans expand only to mContentRowCount. see coming patch.

        Attachment #253301 -
        Flags: review?(bernd_mozilla) → review-

    
    

    
  


  
Assignee: bzbarsky → bernd_mozilla
Status: NEW → ASSIGNED

        Attachment #254318 -
        Flags: superreview?(bzbarsky)

        Attachment #254318 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 254318 [details] [diff] [review]
patch based on mContentRowCount

I like this a _lot_ more than what I did.  Could we document this invariant (zerospans only span up to mContentRowCount) somewhere?

>Index: nsCellMap.cpp
>@@ -1608,16 +1611,22 @@ PRBool nsCellMap::CellsSpanInOrOut(PRInt
>+      if (aStartRowIndex >= mContentRowCount) {
>+        cellData = GetDataAt(mContentRowCount - 1, colX);

I know GetDatAt handles random stuff like -1 being passed in at the moment, but I'd still prefer an mContentRowCount > 0 check here.

r+sr=bzbarsky with that.  And thanks!

        Attachment #254318 -
        Flags: superreview?(bzbarsky)

        Attachment #254318 -
        Flags: superreview+

        Attachment #254318 -
        Flags: review?(bzbarsky)

        Attachment #254318 -
        Flags: review+

    
    

    
  
fix checked in
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

    
  
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsCellMapColumnIterator::GetNextFrame]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: