HARUNAGA Hirotoshi Reporter
	Description • 20 years ago

Crash on loading http://themes.mozdev.org/themes/micromozilla.html

Confirmed with 2004031305/Mac and 2004031207-CVS/FreeBSD.
1.6 final doesn't have this problem.
regression.

Stacktrace:
Program received signal SIGSEGV, Segmentation fault.
0x28fd6fd6 in TableBackgroundPainter::TranslateContext(int, int) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
(gdb) where
#0  0x28fd6fd6 in TableBackgroundPainter::TranslateContext(int, int) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#1  0x28fd7c19 in TableBackgroundPainter::PaintRowGroup(nsTableRowGroupFrame*,
int) () from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#2  0x28fd7927 in TableBackgroundPainter::PaintTable(nsTableFrame*) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#3  0x28fbd96a in nsTableFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#4  0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#5  0x28fcb2f7 in nsTableOuterFrame::Paint(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#6  0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#7  0x28f0f9f5 in nsBlockFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#8  0x28f167c6 in nsBlockFrame::PaintChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#9  0x28f2c761 in
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#10 0x28f16483 in nsBlockFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#11 0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#12 0x28f0f9f5 in nsBlockFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#13 0x28f167c6 in nsBlockFrame::PaintChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#14 0x28f2c761 in
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#15 0x28f16483 in nsBlockFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#16 0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#17 0x28f0f9f5 in nsBlockFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#18 0x28f167c6 in nsBlockFrame::PaintChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#19 0x28f2c761 in
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#20 0x28f16483 in nsBlockFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#21 0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#22 0x28f0f9f5 in nsBlockFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#23 0x28f167c6 in nsBlockFrame::PaintChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#24 0x28f2c761 in
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#25 0x28f16483 in nsBlockFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#26 0x28f1d503 in nsContainerFrame::PaintChild(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#27 0x28f1d3f4 in nsContainerFrame::PaintChildren(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#28 0x28f2c5ed in nsHTMLContainerFrame::Paint(nsIPresContext*,
nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#29 0x28f2d4b1 in CanvasFrame::Paint(nsIPresContext*, nsIRenderingContext&,
nsRect const&, nsFramePaintLayer, unsigned) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#30 0x28f57465 in PresShell::Paint(nsIView*, nsIRenderingContext&, nsRect
const&) () from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#31 0x291ee081 in nsView::Paint(nsIRenderingContext&, nsRect const&, unsigned,
int&) () from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#32 0x291f366c in nsViewManager::RenderDisplayListElement(DisplayListElement2*,
nsIRenderingContext*) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#33 0x291f3033 in nsViewManager::RenderViews(nsView*, nsIRenderingContext&,
nsRegion const&, void*, nsVoidArray const&) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#34 0x291f1d6f in nsViewManager::Refresh(nsView*, nsIRenderingContext*,
nsIRegion*, unsigned) () from
/usr/home/harunaga/lib/mozilla/components/libgklayout.so
#35 0x291f4353 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#36 0x291ed936 in nsSVGAtoms::AddRefAtoms() ()
   from /usr/home/harunaga/lib/mozilla/components/libgklayout.so
#37 0x2955dfb6 in nsCommonWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) ()
   from /usr/home/harunaga/lib/mozilla/components/libwidget_gtk2.so
#38 0x29556467 in nsWindow::OnExposeEvent(_GtkWidget*, _GdkEventExpose*) ()
   from /usr/home/harunaga/lib/mozilla/components/libwidget_gtk2.so
#39 0x2955a828 in nsWindow::DragInProgress() ()
   from /usr/home/harunaga/lib/mozilla/components/libwidget_gtk2.so
#40 0x28205d3e in gtk_propagate_event ()
   from /usr/X11R6/lib/libgtk-x11-2.0.so.200
#41 0x2861fbf1 in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.200
#42 0x286322ed in signal_emit_unlocked_R ()
   from /usr/local/lib/libgobject-2.0.so.200
#43 0x286316e9 in g_signal_emit_valist ()
   from /usr/local/lib/libgobject-2.0.so.200
#44 0x286318e4 in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.200
#45 0x282eb42c in gtk_widget_send_expose ()
   from /usr/X11R6/lib/libgtk-x11-2.0.so.200
#46 0x282eb172 in gtk_widget_send_expose ()
   from /usr/X11R6/lib/libgtk-x11-2.0.so.200
#47 0x28204789 in gtk_main_do_event ()
   from /usr/X11R6/lib/libgtk-x11-2.0.so.200
#48 0x283afbab in gdk_window_clear_area_e ()
   from /usr/X11R6/lib/libgdk-x11-2.0.so.200
#49 0x283afc7a in gdk_window_process_all_updates ()
   from /usr/X11R6/lib/libgdk-x11-2.0.so.200
#50 0x283afce5 in gdk_window_process_all_updates ()
   from /usr/X11R6/lib/libgdk-x11-2.0.so.200
#51 0x28673c8a in g_idle_dispatch () from /usr/local/lib/libglib-2.0.so.200
#52 0x2867123a in g_main_dispatch () from /usr/local/lib/libglib-2.0.so.200
#53 0x2867205a in g_main_context_dispatch ()
   from /usr/local/lib/libglib-2.0.so.200
#54 0x2867240d in g_main_context_iterate ()
   from /usr/local/lib/libglib-2.0.so.200
#55 0x28672bb1 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.200
#56 0x28203fa7 in gtk_main () from /usr/X11R6/lib/libgtk-x11-2.0.so.200
#57 0x2955c939 in nsAppShell::Run() ()
   from /usr/home/harunaga/lib/mozilla/components/libwidget_gtk2.so
#58 0x294c0c8a in nsAppShellService::Run() ()
   from /usr/home/harunaga/lib/mozilla/components/libnsappshell.so
#59 0x0805456f in getCountry(nsAString const&, nsAString&) ()
#60 0x0805128b in main ()
#61 0x08050f35 in _start ()

	Rene Pronk
	Comment 1 • 20 years ago

No problem here with Mozilla 1.7a under WinXP so either it doesn't occur under
WinXP or it is a regression between 2004021913 and 2004031207. In my debug build
I do see a lot of assertions but no crash.

	HARUNAGA Hirotoshi Reporter
	Comment 2 • 20 years ago

2004030805 doesn't crash.
2004030905 crashes.

	Ben Fowler
	Comment 3 • 20 years ago

WFM
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7b) Gecko/20040313
Firefox/0.8.0+

with these Assertions failures:

###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h,
line 72
Break: at file ../../../../dist/include/xpcom/nsVoidArray.h, line 72
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file
../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545
Break: at file ../../../../../src/layout/html/table/src/nsTableFrame.cpp, line 4545

	Bernd Assignee
	Comment 4 • 20 years ago

Fantasai, (Houston) we have a problem.

	Bernd Assignee
	Comment 5 • 20 years ago

this is a regression from the checkin for bug 4510

	Bernd Assignee
	Comment 7 • 20 years ago

The issue here are rowspans in table cells that span beyond the table and then
when the style sheets are all loaded some rows inbetween are marked as
display:none. The colmap and the colframe cache get out of sync. The crash
scenario is usually preceeded by a 
else NS_ASSERTION(numColsInCache == numColsInMap, "cell map has too many cols");
at
http://lxr.mozilla.org/seamonkey/source/layout/html/table/src/nsTableFrame.cpp#1209
The border collapse code asserts like hell but is protected via the ABORT(0) macro.
I would like to wallpaper first, as these cellmap issues are usually difficult
to debug. This means I will need several hours/days until I can nail it down.

	David Baron :dbaron:
	Comment 8 • 20 years ago

Comment on attachment 143883 [details] [diff] [review]
wallpaper

r+sr=dbaron, but maybe comment citing this bug number

	Bernd Assignee
	Comment 9 • 20 years ago

Comment on attachment 143883 [details] [diff] [review]
wallpaper

I think we should have the wallpaper while I am working on it.

	chris hofmann
	Comment 10 • 20 years ago

Comment on attachment 143883 [details] [diff] [review]
wallpaper

a=chofmann for 1.7b

	Bernd Assignee
	Comment 11 • 20 years ago

patch checked in

	Bernd Assignee
	Comment 12 • 20 years ago

I think we should ship 1.7b with the wallpaper. and remove the 1.7b+ from this
bug. I don't expect to have anything reasonable before sunday.

	James Rome
	Comment 13 • 20 years ago

I get a segmentation fault (SuSE 8.2, build 2004031708) at
http://themes.mozdev.org/ when I click the nautopolis theme.
line 451: 29789 Segmentation fault      "$prog" ${1+"$@"}

Not sure where the crash occurs, but it is repeatable.

	Andrew Schultz
	Comment 14 • 20 years ago

this is a stack with current CVS crashing on
http://themes.mozdev.org/themes/micromozilla.html

	Bernd Assignee
	Comment 15 • 20 years ago

My main development machine was broken over the last few days, and on win98 I
dont get a build with scrollbars due to the style cache, so again a wallpaper

	Bernd Assignee
	Comment 16 • 20 years ago

Comment on attachment 144242 [details] [diff] [review]
next wallpaper

I loaded all pages themes.mozdev.org with that patch and the build survived

	Matt
	Comment 17 • 20 years ago

Can someone test the patch with valgrind on linux (or purify on windows, for 
that matter)?

	David Baron :dbaron:
	Comment 18 • 20 years ago

(In reply to comment #17)
> Can someone test the patch with valgrind on linux (or purify on windows, for 
> that matter)?

Why?

	Matt
	Comment 19 • 20 years ago

I have always found it very useful to verify that all vestiges of a crash bug 
are gone with a runtime analysis tool. I had far too many instances where there 
was still memory corruption, it was just masked by the previous piece of memory 
corruption. And of course, the worst thing is that it would be subtle and not 
cause any immediate crash or change in functionlity. I wiped out my mozilla 
source directory, otherwise I would do this myself. It should only take a few 
minutes to do this with valgrind (http://valgrind.kde.org).

	Bernd Assignee
	Comment 20 • 20 years ago

Matt, the patches that I attached are marked as wallpaper, that means they dont
fix the root they fix the symptom. So once the real fix is in you might run
valgrind, but currently it is useless. As long as this asserts like hell, I know
there is something completely going wrong without valgrind.

	Andrew Schultz
	Comment 21 • 20 years ago

this testcase triggers assertions mentioned in comment 3, but does not crash
(even without the patches):

ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug 96108:
'aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h, line 72

	Andrew Schultz
	Comment 22 • 20 years ago

this does crash trunk builds

###!!! ASSERTION: cell map has too many cols: 'numColsInCache == numColsInMap',
file nsTableFrame.cpp, line 1209
###!!! ASSERTION: colgroup data should not be null - bug 237421:
'mCols[i].mColGroup', file nsTablePainter.cpp, line 351
###!!! ASSERTION: colgroup data should not be null - bug 237421:
'mCols[i].mColGroup', file nsTablePainter.cpp, line 270

	Andrew Schultz
	Comment 23 • 20 years ago

FYI: While making the testcases, I wasted a lot of time before I realized that
you have to block cookies from the URL (even file:///) to trigger this bug. 
Once you do that, the crash/assertions are easily reproducible loading locally.

	Andrew Schultz
	Comment 24 • 20 years ago

no crash for this one
###!!! ASSERTION: invalid BC damage area: 'PR_FALSE', file nsTableFrame.cpp,
line 4545

the relevant rule from themes_one.css is:
tr.t-hide {display: none;}

inlining the style changes instead of disabling/enabling the stylesheet doesn't
seem to trigger the asseritons for this testcase (or #2).

	Asa Dotzler [:asa]
	Comment 25 • 20 years ago

Comment on attachment 144242 [details] [diff] [review]
next wallpaper

a=asa (on behalf of drivers) for checkin to 1.7

	Bernd Assignee
	Comment 26 • 20 years ago

So what happens here, is that when the second row is deleted, the rowspan from
the first row will push the cell in the last row from pos 0 to pos 2. When this
happens we need to create a anonymous col frame, because now our table has
three columns. That colframe would have a reference in the tables col frame
cache (mColFrames). I promised Boris that I will document how the colframe
creation stuff works inside the table frames (thats for bug 233463), obviously
I can't hide from it.

	HARUNAGA Hirotoshi Reporter
	Comment 27 • 20 years ago

*** Bug 238075 has been marked as a duplicate of this bug. ***

	Olivier Cahagne
	Comment 28 • 20 years ago

*** Bug 238106 has been marked as a duplicate of this bug. ***

	Bill Mason
	Comment 29 • 20 years ago

*** Bug 238119 has been marked as a duplicate of this bug. ***

	HARUNAGA Hirotoshi Reporter
	Comment 30 • 20 years ago

2004032018-CVS/FreeBSD doesn't crash. Thanks.

	Bernd Assignee
	Comment 31 • 20 years ago

The core crash fix is in nsTableFrame.cpp, the cellmap stuff is only to avoid
access past array boundaries, which are currently clamped by the nsVoidArray,
but where one should either use SafeElementAt or the correct boundaries.

	chris hofmann
	Comment 32 • 20 years ago

This is the #1 top crash in early 1.7beta talkback data.  See
http://bugzilla.mozilla.org/show_bug.cgi?id=238214 for additional sites, test
cases and details.

	chris hofmann
	Comment 33 • 20 years ago

*** Bug 238214 has been marked as a duplicate of this bug. ***

	Adam Hauner
	Comment 34 • 20 years ago

*** Bug 237961 has been marked as a duplicate of this bug. ***

	Bernd Assignee
	Comment 35 • 20 years ago

Thge second patch, that got checked in shortly after 1.7b got taged, fixes all
url's mentioned by Chris. The patch simply did not get approval for 1.7b.

	Olivier Cahagne
	Comment 36 • 20 years ago

*** Bug 238321 has been marked as a duplicate of this bug. ***

	David Baron :dbaron:
	Comment 37 • 20 years ago

Comment on attachment 144435 [details] [diff] [review]
patch

Are the non-whitespace nsCellMap changes checking for things that should never
happen?  If so, please add assertions.	r+sr=dbaron

	Bernd Assignee
	Comment 38 • 20 years ago

The nonwhitespace changes in nsCellmap.cpp fix illegal uses of GetElementAt. In
the first case we loop over the columns its legal that a row has less elements
than the table has columns, so we need to use the SafeElementAt. In the second
case we would like delete the elements of a row, so it is natural not to take
the number of columns in the whole table but the number of elements in that row.
There is no need to assert, the code was just wrong. If we would turn off the
crash protection in GetElementAt we would have crashed without the patch.

	chris hofmann
	Comment 39 • 20 years ago

Comment on attachment 144435 [details] [diff] [review]
patch

a=chofmann for 1.7

	Olivier Cahagne
	Comment 40 • 20 years ago

*** Bug 238520 has been marked as a duplicate of this bug. ***

	Bernd Assignee
	Comment 41 • 20 years ago

fix checked in

	R.K.Aa.
	Comment 42 • 20 years ago

*** Bug 240143 has been marked as a duplicate of this bug. ***

	Bill Mason
	Comment 43 • 20 years ago

*** Bug 240279 has been marked as a duplicate of this bug. ***

	Bill Mason
	Comment 44 • 20 years ago

*** Bug 240371 has been marked as a duplicate of this bug. ***

	Boris Zbarsky [:bzbarsky]
	Comment 45 • 20 years ago

*** Bug 241048 has been marked as a duplicate of this bug. ***

	Jay Patel [:jay]
	Comment 46 • 20 years ago

After over a thousand incidents with Mozilla 1.7beta, I don't see any for
Mozilla 1.7rc1 and the testcase no longer crashes for me.  Marking verified.

	Bob Clary [:bc] (inactive)
	Comment 47 • 15 years ago

layout/tables/crashtests/237421-1.html
layout/tables/crashtests/237421-2.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3