Closed Bug 456041 Opened 17 years ago Closed 17 years ago

Crash [@ nsCellMapColumnIterator::GetNextFrame] with contenteditable, generated content on table and double tbody

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(6 files)

testcase
5.61 KB, text/html
Details
complete stack of debug build
8.04 KB, text/plain
Details
patch that shows the root of the issue
2.09 KB, patch
Details | Diff | Splinter Review
patch
10.25 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
testcase2
455 bytes, text/html
Details
patch that got checked in
6.22 KB, patch
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes current trunk build. This seems to have regressed between 2008-08-15 and 2008-08-18. Perhaps this is the same as bug 393936, but this has a different regression range. Some assertions, prior to the crash from my debug build: ###!!! ASSERTION: expected only one child frame: '!aFrameList->GetNextSibling()' , file c:/mozilla-build-1.3/mozilla-central/layout/tables/nsTableFrame.cpp, line 2298 ++WEBSHELL 05E26F70 == 6 ++DOMWINDOW == 10 (08B7516C) [serial = 13] [outer = 00000000] ###!!! ASSERTION: Bogus mOrigCells?: 'mCurMapRow < mCurMapRelevantRowCount', fil e c:/mozilla-build-1.3/mozilla-central/layout/tables/nsCellMap.cpp, line 2928 Stack of the crash: > xpcom_core.dll!nsTArray_base::Length() Line 66 + 0x3 bytes C++ gklayout.dll!nsTArray<nsTPtrArray<CellData> >::ElementAt(unsigned int i=0) Line 326 + 0x9 bytes C++ gklayout.dll!nsTArray<nsTPtrArray<CellData> >::operator[](unsigned int i=0) Line 356 C++ gklayout.dll!nsCellMapColumnIterator::GetNextFrame(int * aRow=0x0012d0ec, int * aColSpan=0x0012d0f4) Line 2932 + 0x12 bytes C++ gklayout.dll!BasicTableLayoutStrategy::ComputeColumnIntrinsicWidths(nsIRenderingContext * aRenderingContext=0x05d97af0) Line 292 + 0x16 bytes C++ gklayout.dll!BasicTableLayoutStrategy::ComputeIntrinsicWidths(nsIRenderingContext * aRenderingContext=0x05d97af0) Line 410 C++ gklayout.dll!BasicTableLayoutStrategy::GetMinWidth(nsIRenderingContext * aRenderingContext=0x05d97af0) Line 70 C++ gklayout.dll!nsTableFrame::GetMinWidth(nsIRenderingContext * aRenderingContext=0x05d97af0) Line 1633 C++ gklayout.dll!nsTableFrame::TableShrinkWidthToFit(nsIRenderingContext * aRenderingContext=0x05d97af0, int aWidthInCB=83880) Line 1687 + 0x14 bytes C++ gklayout.dll!nsTableFrame::ComputeAutoSize(nsIRenderingContext * aRenderingContext=0x05d97af0, nsSize aCBSize={...}, int aAvailableWidth=83880, nsSize aMargin={...}, nsSize aBorder={...}, nsSize aPadding={...}, int aShrinkWrap=1) Line 1719 + 0x15 bytes C++ gklayout.dll!nsFrame::ComputeSize(nsIRenderingContext * aRenderingContext=0x05d97af0, nsSize aCBSize={...}, int aAvailableWidth=83880, nsSize aMargin={...}, nsSize aBorder={...}, nsSize aPadding={...}, int aShrinkWrap=1) Line 3118 C++ gklayout.dll!nsTableFrame::ComputeSize(nsIRenderingContext * aRenderingContext=0x05d97af0, nsSize aCBSize={...}, int aAvailableWidth=83880, nsSize aMargin={...}, nsSize aBorder={...}, nsSize aPadding={...}, int aShrinkWrap=1) Line 1675 C++ gklayout.dll!ChildShrinkWrapWidth(nsIRenderingContext * aRenderingContext=0x05d97af0, nsIFrame * aChildFrame=0x05e288fc, nsSize aCBSize={...}, int aAvailableWidth=83880, int * aMarginResult=0x00000000) Line 609 C++ etc..
the assertion on top is just to the point http://mxr.mozilla.org/seamonkey/source/layout/tables/nsTableFrame.cpp#2290 2294 // Asssume there's only one frame being inserted. The problem is that 2295 // row group frames and col group frames go in separate child lists and 2296 // so if there's more than one this gets messy... 2297 // XXX The frame construction code should be separating out child frames 2298 // based on the type, bug 343048. 2299 NS_PRECONDITION(!aFrameList->GetNextSibling(), "expected only one child frame");
> This seems to have regressed between 2008-08-15 and 2008-08-18. bug 238072 would fit especially the checkin comment: Make generated content take the normal frame construction path. Relanding with changes so that counter and quote nodes are initialized after their frames are available, more like the old code. r+sr=dbaron,bzbarsky
Ah, right, probably a regression from bug 238072.
Blocks: 238072
Attached patch patch Splinter Review
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED
Attachment #339676 - Flags: superreview?(bzbarsky)
Attachment #339676 - Flags: review?(bzbarsky)
So why is that <style> with all the mmm's in it needed? Why are the two tbodys needed, for that matter? I guess the point is that we're ending up with multiple rowgroups? But then why is the ::after style relevant for that? "heterogenous" or "heterogeneous" are OK spellings: need an 'o' after the 'r'.
> So why is that <style> with all the mmm's in it needed? > Why are the two tbodys needed, for that matter? > But then why is the ::after style relevant for that? Because it will otherwise not crash. This is minimized. And frankly I do not care, what is in the testcase as long as I see code that first assumes that there is a list and then uses InsertFrame 2378 nsFrameList newList(aFrameList); 2379 nsIFrame* lastSibling = newList.LastChild(); <===== 2380 // Insert the frames in the sibling chain 2381 mFrames.InsertFrame(nsnull, aPrevFrame, aFrameList); <===== I can remove the testcase from the patch if you like. The story is that Martijn found a way that will send more than one rowgroup to this function. I am not sure that he/one will be able to get a mixed list down that path, that is why I added the assert. I guess if dbaron fixes that content insert for pseudos this patch will be necessary anyway.
No, I mean why is this crashing? Why are we ending up with a list in this case but not others? I'd really like to understand how this is failing so I can figure out whether the patch is the right way to fix it, basically... Does replacing that huge style block with <script>document.body.offsetWidth</script> still reproduce the crash, for example?
Attached file testcase2
(In reply to comment #9) > Does replacing that huge style block with <script>document.body.offsetWidth</script> > still reproduce the crash, for example? Yes, it does. (oops)
And at that point do you still need the generated content?
Yes, the generated content is needed for the crash.
Comment on attachment 339676 [details] [diff] [review] patch r+sr=bzbarsky with the spelling fixed and the big style block replaced with a layout flush.
Attachment #339676 - Flags: superreview?(bzbarsky)
Attachment #339676 - Flags: superreview+
Attachment #339676 - Flags: review?(bzbarsky)
Attachment #339676 - Flags: review+
re comment 9 Boris the code was blatant wrong to me that I that I just thought this should never have been written like this. Do you know why do not assert that aNewFrame->GetNextSibling() is null at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generi/nsFrameList.cpp&rev=3.54&mark=190#169 I mean if this happens bad things should be expected.
Adding an assert there sounds good to me.
Blocks: 457115
Boris, I added the assert and the testcase from bug 457115 and of course did what you asked for.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080928204134 Minefield/3.1b1pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsCellMapColumnIterator::GetNextFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: