Closed Bug 620311 Opened 9 years ago Closed 9 years ago

crash [@ nsTableFrame::MatchCellMapToColCache | nsTableFrame::RemoveFrame] because cellMap guard did not cover MatchCellMapToColCache

Categories

(Core :: Layout: Tables, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla5

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

860 bytes, patch
bernd_mozilla
: review+
dbaron
: approval2.0-
Details | Diff | Splinter Review
2269 nsTableFrame::RemoveFrame(nsIAtom*        aListName,

null checked here:
2312     if (cellMap) {
2318     }

crashes in here:
2320     MatchCellMapToColCache(cellMap);

756 nsTableFrame::MatchCellMapToColCache(nsTableCellMap* aCellMap)

758   PRInt32 numColsInMap   = GetColCount();
759   PRInt32 numColsInCache = mColFrames.Length();
760   PRInt32 numColsToAdd = numColsInMap - numColsInCache;

765   if (numColsToAdd < 0) {
785     aCellMap->ExpandZeroColSpans();
Attached patch patchSplinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #498697 - Flags: review?(bernd_mozilla)
Attachment #498697 - Flags: approval2.0?
Attachment #498697 - Flags: review?(bernd_mozilla) → review+
Comment on attachment 498697 [details] [diff] [review]
patch

Please land this after we branch for Gecko 2.0 / Firefox 4.

(Under what conditions does a table have a null cell map?  Could this be changing behavior?)
Attachment #498697 - Flags: approval2.0? → approval2.0-
http://hg.mozilla.org/mozilla-central/rev/7bb29670ab59
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.2
Crash Signature: [@ nsTableFrame::MatchCellMapToColCache | nsTableFrame::RemoveFrame]
You need to log in before you can comment on or make changes to this bug.