Closed Bug 617637 Opened 14 years ago Closed 14 years ago

nsTableFrame::PushChildren imagines it can pass null to [@ nsFrameList::RemoveFrame] violating its preconditions

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b8

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

patch
763 bytes, patch
bzbarsky
: review+
bzbarsky
: approval2.0+
Details | Diff | Splinter Review 
113 nsFrameList::RemoveFrame(nsIFrame* aFrame)
114 {
115   NS_PRECONDITION(aFrame, "null ptr");
116 #ifdef DEBUG_FRAME_LIST
117   // ContainsFrame is O(N)
118   NS_PRECONDITION(ContainsFrame(aFrame), "wrong list");
119 #endif
120 
121   nsIFrame* nextFrame = aFrame->GetNextSibling();

1946 nsTableFrame::PushChildren(const RowGroupArray& aRowGroups,
1947                            PRInt32 aPushFrom)
1948 {
1949   NS_PRECONDITION(aPushFrom > 0, "pushing first child");
1950 
1951   // extract the frames from the array into a sibling list
1952   nsFrameList frames;
1953   PRUint32 childX;
1954   for (childX = aPushFrom; childX < aRowGroups.Length(); ++childX) {
1955     nsTableRowGroupFrame* rgFrame = aRowGroups[childX];
1956     if (!rgFrame || !rgFrame->IsRepeatable()) {
1957       mFrames.RemoveFrame(rgFrame);
Luckily, we never actually have null there, afaik.
Summary: nsTableFrame::PushChildren will pass null to [@ nsFrameList::RemoveFrame] which doesn't want it → nsTableFrame::PushChildren imagines it can pass null to [@ nsFrameList::RemoveFrame] violating its preconditions
Attached patch patchSplinter Review 
ok, i read the code and agree this shouldn't happen. my current mailbox also has no indication of a crash for this codepath.
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #496389 - Flags: review?(bzbarsky)
Attachment #496389 - Flags: approval2.0?
Attachment #496389 - Flags: review?(bzbarsky)
Attachment #496389 - Flags: review+
Attachment #496389 - Flags: approval2.0?
Attachment #496389 - Flags: approval2.0+
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/2fc586fe3250
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Crash Signature: [@ nsFrameList::RemoveFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: