9848 - [malloc] memory allocation problems - html/table

Status: RESOLVED FIXED

(Core :: Layout: Tables, defect, P3)

Description

[chris hofmann]

[malloc] memory allocation problems - html/table

check bug 8227 for more details on what needs to be done to this code

s:/mozilla/layout/html/table/src/BasicTableLayoutStrategy.cpp
   Deref-error: "spanInfo", line 1247
   Deref-error: "spanInfo", line 1248
   Deref-error: "spanInfo", line 1878
   Deref-error: "spanInfo", line 1879
s:/mozilla/layout/html/table/src/nsTableFrame.cpp
   Deref-error: "data", line 1106
   Deref-error: "data", line 1107
   Deref-error: "spanData", line 1132
   Deref-error: "overlap", line 1140
   Deref-error: "overlap", line 1141
   Deref-error: "overlap", line 1142

Comment 1

[karnaze (gone)]

These two files have changed significantly since the bug was opened. I can't
find the relevant info.

Comment 2

[Bernd]

the problem as described in bug 8227 occures at
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/BasicTableLayoutStrategy.cpp#1911
 but this pure debug code not included in the build.

http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#219
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#3371
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#3371
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#3761

look suspicious. Chris could you verify these? The lines as noted in the
original bug report do not exist. I searched for every new statement in those files.

Comment 3

[Bernd Mielke]

yesterday was bugzilla down, so I had time to check all malloc's in the
table/src directory. I tested also the dreftool, but nothing compares to good
old hand craft. I greped '= new ' and looked on all lines that came out. Below
is the result. Lines with OK show that the result of new is checked afterwards,
Problem indicates that the code was not clear enough for me to decide whether
the code handles a new failure or not. Due to the logic expressed in 8227 I
reopen the bug.

OK BasicTableLayoutStrategy.cpp:254:  PRInt32* allocTypes = new PRInt32[numCols];
OK BasicTableLayoutStrategy.cpp:1581:  nsColInfo** colInfo = new
nsColInfo*[numConstrainedCols];
OK BasicTableLayoutStrategy.cpp:1613:    colInfo[constrColX] = new
nsColInfo(colFrame, colX, minWidth, startWidth, maxWidth);
Problem BasicTableLayoutStrategy.cpp:1911:  char* indent = new char[aIndent + 1];
Problem FixedTableLayoutStrategy.cpp:81:  nscoord* colWidths = new PRBool[numCols];
Problem FixedTableLayoutStrategy.cpp:84:  nscoord* propInfo = new PRBool[numCols];
OK nsCellMap.cpp:110:  nsCellMap* newMap = new nsCellMap(aNewGroup);
OK nsCellMap.cpp:245:    nsColInfo* colInfo = new nsColInfo();
Problem nsCellMap.cpp:713:  CellData* origData = new CellData(&aCellFrame);
Problem nsCellMap.cpp:759:          cellData = new CellData(nsnull);
OK nsCellMap.cpp:955:    CellData* origData = new CellData(cellFrame); // the
originating cell
OK nsCellMap.cpp:977:          data = new CellData(nsnull);
OK nsCellMap.cpp:1288:  void** origRows = new void*[numOrigRows];
OK nsCellMap.cpp:1382:  void** origRows = new void*[numOrigRows];
OK nsCellMap.cpp:1603:          CellData* newData = new CellData(nsnull);
Problem nsTableBorderCollapser.cpp:177:    nsBorderEdge* borderToAdd = new
nsBorderEdge();
Problem nsTableBorderCollapser.cpp:260:    nsBorderEdge* borderToAdd = new
nsBorderEdge();
problem nsTableBorderCollapser.cpp:383:    nsBorderEdge* borderToAdd = new
nsBorderEdge();
Problem nsTableBorderCollapser.cpp:473:    nsBorderEdge* borderToAdd = new
nsBorderEdge();
Problem nsTableCellFrame.cpp:174:      mBorderEdges = new nsBorderEdges;
Problem nsTableCellFrame.cpp:180:        nsBorderEdge *borderToAdd = new
nsBorderEdge();
Problem nsTableCellFrame.cpp:182:        borderToAdd = new nsBorderEdge();
Problem nsTableCellFrame.cpp:187:        nsBorderEdge *borderToAdd = new
nsBorderEdge();
Problem nsTableCellFrame.cpp:189:        borderToAdd = new nsBorderEdge();
OK nsTableCellFrame.cpp:1222:  nsTableCellFrame* it = new (aPresShell)
nsTableCellFrame;
Problem nsTableCellFrame.cpp:1335:        nsPoint*  offset = new nsPoint(0, 0);
Problem nsTableColFrame.cpp:218:  char* indent = new char[aIndent + 1];
OK nsTableColFrame.cpp:243:  nsTableColFrame* it = new (aPresShell) nsTableColFrame;
OK nsTableColGroupFrame.cpp:757:  nsTableColGroupFrame* it = new (aPresShell)
nsTableColGroupFrame;
Problem nsTableFrame.cpp:185:  mColumnWidths = new PRInt32[mColumnWidthsLength];
Problem nsTableFrame.cpp:219:  mCellMap = new nsTableCellMap(aPresContext, *this);
Problem nsTableFrame.cpp:234:    mBorderCollapser = new
nsTableBorderCollapser(*this);
Problem nsTableFrame.cpp:3377:    PRInt32 * newColumnWidthsArray = new
PRInt32[mColumnWidthsLength];
Problem nsTableFrame.cpp:3397:      mTableLayoutStrategy = new
FixedTableLayoutStrategy(this);
Problem nsTableFrame.cpp:3399:      mTableLayoutStrategy = new
BasicTableLayoutStrategy(this, eCompatibility_NavQuirks == mode);
Problem nsTableFrame.cpp:3767:      mColumnWidths = new
PRInt32[mColumnWidthsLength];
OK nsTableFrame.cpp:4111:  nsTableFrame* it = new (aPresShell) nsTableFrame;
OK nsTableOuterFrame.cpp:83:  nsTableCaptionFrame* it = new (aPresShell)
nsTableCaptionFrame;
OK nsTableOuterFrame.cpp:1627:  nsTableOuterFrame* it = new (aPresShell)
nsTableOuterFrame;
OK nsTableRowFrame.cpp:1650:  nsTableRowFrame* it = new (aPresShell)
nsTableRowFrame;
OK nsTableRowGroupFrame.cpp:594:    rowHeights = new nscoord[numRows];
OK nsTableRowGroupFrame.cpp:1671:  nsTableRowGroupFrame* it = new (aPresShell)
nsTableRowGroupFrame;

Comment 4

[karnaze (gone)]

Attachment: patch to fix the bug

Comment 5

[karnaze (gone)]

The patch fixes the cases Bernd identified except those involving collapsing 
borders (that code is not enabled and will eventually be removed). Thanks Bernd.

Comment 6

[karnaze (gone)]

The patch is in. It would be useful to to set each of these pointers to null 
right after the call to new to see what happens. I don't have time for this 
right now.