Closed Bug 67864 Opened 24 years ago Closed 23 years ago

crashes in nsTableCellFrame::MapBorderPadding

Categories

(Core :: Layout: Tables, defect)

x86
All
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla0.9

People

(Reporter: daniel.pz, Assigned: karnaze)

References

()

Details

(Keywords: crash)

Attachments

(3 files)

Hello!

I use

Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20010206

(the same with 2001020320 on Win98).

If I go to URL
http://www.geizkragen.de
Mozilla crashes and exits with an exception after some seconds.

The Talkback-ID: TB25907506X.

Thanks.

Bye,
Daniel
Confirming, I've seen this on build 2001020604 Windows 2000.  I'll grab the stack.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Here's what I got (Talkback isn't finding that ID #, might be too new).

Unhandled exception in mozilla.exe (Gkhtml.dll) 0xC0000005 Access Violation.
01d2940e() is listed in the Context area of Visual C++ 6.0's debugger.

Additionally, 01D2940E   mov         ecx,dword ptr [eax]

Is the line the debugger jumps to when opening the trace.
Severity: normal → major
Keywords: crash
Chris, I think this belongs to you.
Assignee: asa → karnaze
crashes on linux too after a pagefull of assertions like these:
Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.

non-debug seems to crash in nsHTMLReflowState::Init () from
/usr/local/mozilla/components/libgklayout.so
OS: Windows 98 → All
Adding harishd to CC just in case this is caused by bug 68160
*** Bug 68281 has been marked as a duplicate of this bug. ***
Backtrace same as in bug 68281 -> TB26046791Q
Layout
Component: Browser-General → Layout
QA Contact: doronr → petersen
Summary: Mozilla crashes if I go to this URL → Mozilla crashes if I go to this URL - nsHTMLReflowState::Init
*** Bug 68391 has been marked as a duplicate of this bug. ***
The cause of the crash is in nsTableCellFrame::MapBorderPadding, which can't
actually call nsTableOuterFrame::IR_TargetIsCaptionFrame.

This also occurs (see the dups) on
http://www.prezentacje.pl/prezentacje/index/index1.htm

Correcting component to HTMLTables.
Severity: major → critical
Component: Layout → HTMLTables
Keywords: mozilla0.9
Summary: Mozilla crashes if I go to this URL - nsHTMLReflowState::Init → crashes in nsTableCellFrame::MapBorderPadding
removing harishd from CC. This one still crashes but bug 68160 is fixed.
Here is what I could gather: the problem is that the pseudo-tablecell created
to wrap the caption element is getting confused and is returning an erronous
parent table:

void nsTableCellFrame::MapBorderPadding(nsIPresContext* aPresContext)
{
...
  nsTableFrame* tableFrame;
  nsTableFrame::GetTableFrame(this, tableFrame);

It appears that this call is returning the _outerTable_ frame that is supposed 
to wrap the caption and the innerTable. Therefore, a disaster strikes in the
subsequent call
  ...
  nscoord defaultPadding = tableFrame->GetCellPadding();

because GetCellPadding() is not a method of nsTableOuterFrame. (The subsequent
function on the trace is just the one at that position on nsTableOuterFrame's
vtable.)
Target Milestone: --- → mozilla0.9
*** Bug 71398 has been marked as a duplicate of this bug. ***
Using nscatfood keyword to track crash car bugs.
Keywords: nsCatFood
Keywords: patch
The patch is checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Marking verified in the March 23rd build (2001032308)
Status: RESOLVED → VERIFIED
Hmmm. I tested the page again. No crash, but what are these?:

Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.
Gdk-CRITICAL **: file gdkgc.c: line 277 (gdk_gc_ref): assertion `gc != NULL' failed.
Gdk-CRITICAL **: file gdkwindow.c: line 989 (gdk_window_copy_area): assertion
`gc != NULL' failed.
Gdk-CRITICAL **: file gdkgc.c: line 288 (gdk_gc_unref): assertion `gc != NULL'
failed.
*** Bug 34698 has been marked as a duplicate of this bug. ***
*** Bug 74316 has been marked as a duplicate of this bug. ***
I'm seeing what I guess is this bug, with build 2001050304, Win98.  Reproduce by
going to http://www.nnanime.com/staff.shtml.  Then click on the image map where
it says "Flyer Gallery".  It crashes 100% of the time for me in gklayout.dll
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: