Closed Bug 426708 Opened 17 years ago Closed 17 years ago

crash at nsRect::nsRect(const &nsRect)

Categories

(Core :: Layout: Tables, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: masa141421356, Assigned: bernd_mozilla)

Details

(Keywords: crash, regression)

Attachments

(3 files, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008040112 Minefield/3.0pre
Build Identifier:

When moving caret with shift+down arrow key in left textarea of http://www.excite.co.jp/world/ with Fx Trunk, it crashes.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.excite.co.jp/world/
2. click left textarea (it contains two textarea)
3. hit Shift + Down arrow. or hit down arrow key until caret goes to tail of content of textarea.

Actual Results: Browser will crash.

Expected Results: Browser should not crash.

When using debug build,
###!!! ASSERTION: cellmap is lying: 'frame', file d:/moz-src/mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 1743
is displayed before crash.

So, crash is caused by null pointer dereference on http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTableRowGroupFrame.cpp&rev=3.404#1752

    while (n--) {
      nsRect rect = frame->GetRect(); <-- here!!

Workaround: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTableRowGroupFrame.cpp&rev=3.404#1751

- while (n--) { + while ((n--) && frame) { nsRect rect = frame->GetRect();
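Review bot: the added `&& frame` test in the loop condition stops the null dereference at `frame->GetRect()`, but it leaves the inconsistency reported by the "cellmap is lying: 'frame'" assertion at line 1743 unhandled, so the loop silently ends early with whatever it has processed so far. Consider handling a null `frame` explicitly where the assertion fires (for example, bailing out there) and adding a comment on why `frame` can be null while `n` is still nonzero; a crashtest covering the textarea case should accompany the change.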
Version: unspecified → Trunk
Regression window is
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9b5pre) Gecko/2008032620 Minefield/3.0pre --- No crash
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9b5pre) Gecko/2008032622 Minefield/3.0pre --- Crash
Keywords: crash, regression
Attached patch: workaround written in comment #0 (obsolete)
Confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008040112 Minefield/3.0pre.
May be related to the check-in to bug 423514 (2008-03-26 22:03).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 423514
excellent diagnostic
Assignee: nobody → bernd_mozilla
Attached patch: patch
That's the same as the previous bug, I just did not see it.
Attachment #313295 - Attachment is obsolete: true
Attachment #313329 - Flags: superreview?(bzbarsky)
Attachment #313329 - Flags: review?(bzbarsky)
Attached file testcase
minimal testcase
Comment on attachment 313329 (patch)
Please make sure to land the crashtest.
Attachment #313329 - Flags: superreview?(bzbarsky)
Attachment #313329 - Flags: superreview+
Attachment #313329 - Flags: review?(bzbarsky)
Attachment #313329 - Flags: review+
It's difficult to get this crashed without interaction.
Attachment #313329 - Flags: approval1.9?
Comment on attachment 313329 (patch)
Like bz said, make sure that test gets landed as well.
Attachment #313329 - Flags: approval1.9? → approval1.9+
Landing the test is possible but does not make sense as it requires user interaction. So I did not land it. What is needed here is a test that crashes without user interaction. If somebody can easily craft such a test case I will certainly check it in.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED