Closed Bug 620312 Opened 15 years ago Closed 15 years ago

crash [@ nsTableFrame::InsertCol] because lastColGroup guard did not cover lastColGroup->GetColCount()

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b12

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

patch
1.05 KB, patch
bernd_mozilla
: review+
dbaron
: approval2.0+
Details | Diff | Splinter Review
579 void nsTableFrame::InsertCol(nsTableColFrame& aColFrame, 599 if (lastColGroup) { 600 lastColGroup->RemoveChild(*lastCol, PR_FALSE); 601 } 602 // remove the col group if it is empty 603 if (lastColGroup->GetColCount() <= 0) { 604 mColGroups.DestroyFrame((nsIFrame*)lastColGroup);
Attached patch patchSplinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #498698 - Flags: review?(bernd_mozilla)
Attachment #498698 - Flags: approval2.0?
Attachment #498698 - Flags: review?(bernd_mozilla) → review+
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/1593777e94b8
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b12
Hmm, isn't this null check bogus? How can we a col frame in 'mColFrames' but no frames in 'mColGroups'?
mColFrames is a col frame cache on the table frame which is only manually kept in sync with the frame structure.
Ok, so this is one of the places 'mColFrames' is kept in sync with the frame tree. There's only one caller of nsTableFrame::InsertCol and that is nsTableColGroupFrame::AddColsToTable: http://mxr.mozilla.org/mozilla-central/source/layout/tables/nsTableColGroupFrame.cpp#116 Since 'this' is non-null, it implies 'mColGroups' has at least one frame in it, so 'lastColGroup' can never be null (unless 'mColGroups' is also "out-of-sync" with the frame tree). Furthermore, when a col-group frame is removed by nsTableFrame::RemoveFrame http://mxr.mozilla.org/mozilla-central/source/layout/tables/nsTableFrame.cpp#2277 all col frames for it is explicitly removed from 'mColFrames'. I added an invariant there that when the last frame is removed from 'mColGroups', 'mColFrames' is also empty -- it passed unit tests. From reading the code that updates 'mColFrames' and 'mColGroups', I don't see how they can be out-of-sync with the frame tree, except temporarily in the methods that deals with inserting/removing frames but those methods appears to update these members properly. Am I missing something?
Crash Signature: [@ nsTableFrame::InsertCol]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: