crashes in nsTableCellFrame::MapBorderPadding

VERIFIED FIXED in mozilla0.9

Status

()

Core
Layout: Tables
--
critical
VERIFIED FIXED
17 years ago
17 years ago

People

(Reporter: daniel.pz, Assigned: karnaze (gone))

Tracking

({crash})

Trunk
mozilla0.9
x86
All
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(3 attachments)

(Reporter)

Description

17 years ago
Hello!

I use

Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20010206

(the same with 2001020320 on Win98).

If I go to URL
http://www.geizkragen.de
Mozilla crashes and exits with an exception after some seconds.

The Talkback-ID: TB25907506X.

Thanks.

Bye,
Daniel
Confirming, I've seen this on build 2001020604 Windows 2000.  I'll grab the stack.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Here's what I got (Talkback isn't finding that ID #, might be too new).

Unhandled exception in mozilla.exe (Gkhtml.dll) 0xC0000005 Access Violation.
01d2940e() is listed in the Context area of Visual C++ 6.0's debugger.

Additionally, 01D2940E   mov         ecx,dword ptr [eax]

Is the line the debugger jumps to when opening the trace.
Severity: normal → major
Keywords: crash
Created attachment 24609 [details]
Stack Trace, I'll CVS-blame and get who's code this belongs to.
Chris, I think this belongs to you.
Assignee: asa → karnaze

Comment 5

17 years ago
crashes on linux too after a pagefull of assertions like these:
Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.

non-debug seems to crash in nsHTMLReflowState::Init () from
/usr/local/mozilla/components/libgklayout.so
OS: Windows 98 → All

Comment 6

17 years ago
Adding harishd to CC just in case this is caused by bug 68160

Comment 7

17 years ago
*** Bug 68281 has been marked as a duplicate of this bug. ***

Comment 8

17 years ago
Backtrace same as in bug 68281 -> TB26046791Q
Layout
Component: Browser-General → Layout
QA Contact: doronr → petersen
Summary: Mozilla crashes if I go to this URL → Mozilla crashes if I go to this URL - nsHTMLReflowState::Init

Comment 9

17 years ago
*** Bug 68391 has been marked as a duplicate of this bug. ***
The cause of the crash is in nsTableCellFrame::MapBorderPadding, which can't
actually call nsTableOuterFrame::IR_TargetIsCaptionFrame.

This also occurs (see the dups) on
http://www.prezentacje.pl/prezentacje/index/index1.htm

Correcting component to HTMLTables.
Severity: major → critical
Component: Layout → HTMLTables
Keywords: mozilla0.9
Summary: Mozilla crashes if I go to this URL - nsHTMLReflowState::Init → crashes in nsTableCellFrame::MapBorderPadding

Comment 11

17 years ago
removing harishd from CC. This one still crashes but bug 68160 is fixed.

Comment 12

17 years ago
Created attachment 25049 [details]
Mininimized testcase - <caption> containing another <table>

Comment 13

17 years ago
Here is what I could gather: the problem is that the pseudo-tablecell created
to wrap the caption element is getting confused and is returning an erronous
parent table:

void nsTableCellFrame::MapBorderPadding(nsIPresContext* aPresContext)
{
...
  nsTableFrame* tableFrame;
  nsTableFrame::GetTableFrame(this, tableFrame);

It appears that this call is returning the _outerTable_ frame that is supposed 
to wrap the caption and the innerTable. Therefore, a disaster strikes in the
subsequent call
  ...
  nscoord defaultPadding = tableFrame->GetCellPadding();

because GetCellPadding() is not a method of nsTableOuterFrame. (The subsequent
function on the trace is just the one at that position on nsTableOuterFrame's
vtable.)
(Assignee)

Updated

17 years ago
Target Milestone: --- → mozilla0.9
(Assignee)

Comment 14

17 years ago
Created attachment 27762 [details] [diff] [review]
patch to not create anonymous ancestors of table inside caption
(Assignee)

Comment 15

17 years ago
*** Bug 71398 has been marked as a duplicate of this bug. ***

Comment 16

17 years ago
Using nscatfood keyword to track crash car bugs.
Keywords: nsCatFood
(Assignee)

Updated

17 years ago
Keywords: patch
(Assignee)

Comment 17

17 years ago
The patch is checked in.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 18

17 years ago
Marking verified in the March 23rd build (2001032308)
Status: RESOLVED → VERIFIED

Comment 19

17 years ago
Hmmm. I tested the page again. No crash, but what are these?:

Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.
Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.
(Assignee)

Comment 20

17 years ago
*** Bug 34698 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 21

17 years ago
*** Bug 74316 has been marked as a duplicate of this bug. ***

Comment 22

17 years ago
I'm seeing what I guess is this bug, with build 2001050304, Win98.  Reproduce by
going to http://www.nnanime.com/staff.shtml.  Then click on the image map where
it says "Flyer Gallery".  It crashes 100% of the time for me in gklayout.dll
You need to log in before you can comment on or make changes to this bug.