User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 firefox 1.0rc2 crashes on linux and win2000 with fresh profile when you load the attached file. Reproducible: Always Steps to Reproduce: 1. download the attached file and open it Actual Results: firefox crashes Expected Results: firefox doesn't crash Talkback ID TB1781279K

I crash with cvs trunk from yesterday nsCellMap::GetCellInfoAt(nsTableCellMap & {...}, int 1, int 0, int * 0x00121280, int * 0x00121284) line 2392 + 16 bytes nsTableCellMap::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284) line 762 + 23 bytes nsTableFrame::GetCellInfoAt(int 1, int 0, int * 0x00121280, int * 0x00121284) line 4475 BasicTableLayoutStrategy::AssignNonPctColumnWidths(int 1073741824, const nsHTMLReflowState & {...}) line 1034 + 28 bytes BasicTableLayoutStrategy::Initialize(const nsHTMLReflowState & {...}) line 143 + 17 bytes nsTableFrame::Reflow(nsTableFrame * const 0x038974c4, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1928 nsContainerFrame::ReflowChild(nsIFrame * 0x038974c4, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 3, unsigned int & 0) line 958 + 26 bytes nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x038973b8, nsPresContext * 0x037dd120, nsIFrame * 0x038974c4, const nsHTMLReflowState & {...}, nsHTMLReflowMetrics & {...}, int 1073741824, nsSize & {...}, nsMargin & {...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_StyleChange, unsigned int & 0, int * 0x00000000) line 1328 + 41 bytes nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x038973b8, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1995 + 69 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001222f4) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001222f4, int 0) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x03959170, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001232a8) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001232a8, int 0) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0395929c, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012425c) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012425c, int 0) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x03959740, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00125210) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00125210, int 1) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0396659c, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 1073741824, int 5748, int 1) line 5266 nsFrame::DoLayout(nsFrame * const 0x0396659c, nsBoxLayoutState & {...}) line 5008 + 39 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsSprocketLayout::Layout(nsSprocketLayout * const 0x02cbe7d0, nsIFrame * 0x039664e0, nsBoxLayoutState & {...}) line 547 nsBoxFrame::DoLayout(nsBoxFrame * const 0x039664e0, nsBoxLayoutState & {...}) line 1097 + 83 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsBoxFrame::Reflow(nsBoxFrame * const 0x039664e0, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 853 nsLineLayout::ReflowFrame(nsIFrame * 0x039664e0, unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1001 + 40 bytes nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, nsIFrame * 0x039664e0, unsigned char * 0x001260d0) line 3702 + 21 bytes nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, int * 0x001265fc, unsigned char * 0x001261d4, int 0, int 1) line 3566 + 27 bytes nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001265fc, int 1, int 0) line 3455 + 40 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001265fc, int 1) line 2573 + 28 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b964, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 8892, int 6210, int 1) line 5266 nsFrame::DoLayout(nsFrame * const 0x0390b964, nsBoxLayoutState & {...}) line 5008 + 39 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x03966228, nsBoxLayoutState & {...}) line 333 nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x03966228, const nsRect & {...}) line 2683 + 11 bytes nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame * 0x03966228, const nsRect & {...}) line 1670 + 14 bytes nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813 nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x0390b9b8, nsBoxLayoutState & {...}) line 577 + 17 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsBoxFrame::Reflow(nsBoxFrame * const 0x0390b9b8, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 853 nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x0390b9b8, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 506 + 20 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00127cc8) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00127cc8, int 1) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0390b838, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00128c7c) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00128c7c, int 1) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x037ece0c, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 0, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00129c30) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00129c30, int 1) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x037ef158, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 543 + 51 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012abe4) line 3203 + 67 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012abe4, int 1) line 2455 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2111 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x037eefd4, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 826 + 15 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x037eefd4, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 958 + 26 bytes CanvasFrame::Reflow(CanvasFrame * const 0x037efd8c, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 551 nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 9084, int 12060, int 1) line 5266 nsFrame::DoLayout(nsFrame * const 0x037efd8c, nsBoxLayoutState & {...}) line 5008 + 39 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x037efffc, nsBoxLayoutState & {...}) line 333 nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsBoxFrame::LayoutChildAt(nsBoxLayoutState & {...}, nsIFrame * 0x037efffc, const nsRect & {...}) line 2683 + 11 bytes nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIFrame * 0x037efffc, const nsRect & {...}) line 1670 + 14 bytes nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1813 nsHTMLScrollFrame::DoLayout(nsHTMLScrollFrame * const 0x037efebc, nsBoxLayoutState & {...}) line 577 + 17 bytes nsIFrame::Layout(nsBoxLayoutState & {...}) line 805 nsBoxFrame::Reflow(nsBoxFrame * const 0x037efebc, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 853 nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x037efebc, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 506 + 20 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x037efebc, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 958 + 26 bytes ViewportFrame::Reflow(ViewportFrame * const 0x037efc84, nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 248 + 40 bytes IncrementalReflow::Dispatch(nsPresContext * 0x037dd120, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 906 PresShell::ProcessReflowCommands(int 0) line 6295 PresShell::FlushPendingNotifications(PresShell * const 0x03481428, mozFlushType Flush_Layout) line 5013 nsDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 4056 nsHTMLDocument::FlushPendingNotifications(mozFlushType Flush_Layout) line 1261 nsGenericHTMLElement::GetOffsetRect(nsRect & {...}, nsIContent * * 0x0012c25c) line 617 nsGenericHTMLElement::GetOffsetLeft(int * 0x0012c4f0) line 827 + 58 bytes nsGenericHTMLElementTearoff::GetOffsetLeft(nsGenericHTMLElementTearoff * const 0x02def4b8, int * 0x0012c4f0) line 215 + 17 bytes XPTC_InvokeByIndex(nsISupports * 0x02def4b8, unsigned int 4, unsigned int 1, nsXPTCVariant * 0x0012c4f0) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_GETTER) line 2034 + 31 bytes XPC_WN_GetterSetter(JSContext * 0x035633b0, JSObject * 0x03a126e0, unsigned int 0, long * 0x03a660ec, long * 0x0012c7f4) line 1319 + 14 bytes js_Invoke(JSContext * 0x035633b0, unsigned int 0, unsigned int 2) line 1286 + 19 bytes js_InternalInvoke(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 60892992, unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012d790) line 1428 + 17 bytes js_InternalGetOrSet(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 36430464, long 60892992, int 4, unsigned int 0, long * 0x00000000, long * 0x0012d790) line 1472 + 25 bytes js_GetProperty(JSContext * 0x035633b0, JSObject * 0x03a126e0, long 36430464, long * 0x0012d790) line 2680 + 45 bytes js_Interpret(JSContext * 0x035633b0, long * 0x0012d968) line 3303 + 1684 bytes js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 0) line 1306 + 12 bytes js_Interpret(JSContext * 0x035633b0, long * 0x0012e8cc) line 3507 + 13 bytes js_Invoke(JSContext * 0x035633b0, unsigned int 1, unsigned int 2) line 1306 + 12 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x023441e8, nsXPCWrappedJS * 0x0395c108, unsigned short 3, const nsXPTMethodInfo * 0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 1339 + 16 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x0395c108, unsigned short 3, const nsXPTMethodInfo * 0x02289088, nsXPTCMiniVariant * 0x0012ece8) line 450 PrepareAndDispatch(nsXPTCStubBase * 0x0395c108, unsigned int 3, unsigned int * 0x0012ed98, unsigned int * 0x0012ed88) line 117 + 26 bytes SharedStub() line 147 nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0395a1a8, nsIDOMEvent * 0x03a65b70, nsIDOMEventTarget * 0x0356311c, unsigned int 1, unsigned int 7) line 1512 + 19 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x037aaa10, nsPresContext * 0x037dd120, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f06c, nsIDOMEventTarget * 0x0356311c, unsigned int 7, nsEventStatus * 0x0012f180) line 1606 GlobalWindowImpl::HandleDOMEvent(nsPresContext * 0x037dd120, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f06c, unsigned int 7, nsEventStatus * 0x0012f180) line 908 DocumentViewerImpl::LoadComplete(DocumentViewerImpl * const 0x038cbae8, unsigned int 0) line 890 + 41 bytes nsDocShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0, unsigned int 0) line 4311 nsWebShell::EndPageLoad(nsIWebProgress * 0x03580384, nsIChannel * 0x036019c0, unsigned int 0) line 750 nsDocShell::OnStateChange(nsDocShell * const 0x03562c1c, nsIWebProgress * 0x03580384, nsIRequest * 0x036019c0, unsigned int 131088, unsigned int 0) line 4238 nsDocLoaderImpl::FireOnStateChange(nsIWebProgress * 0x03580384, nsIRequest * 0x036019c0, int 131088, unsigned int 0) line 1225 nsDocLoaderImpl::doStopDocumentLoad(nsIRequest * 0x036019c0, unsigned int 0) line 832 nsDocLoaderImpl::DocLoaderIsEmpty() line 729 nsDocLoaderImpl::DocLoaderIsEmpty() line 732 nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03a53674, nsIRequest * 0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 661 nsLoadGroup::RemoveRequest(nsLoadGroup * const 0x03a538a0, nsIRequest * 0x03a53d68, nsISupports * 0x00000000, unsigned int 0) line 695 + 76 bytes nsInputStreamChannel::OnStopRequest(nsInputStreamChannel * const 0x03a53d6c, nsIRequest * 0x03a53eb0, nsISupports * 0x00000000, unsigned int 0) line 371 nsInputStreamPump::OnStateStop() line 505 nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03a53eb4, nsIAsyncInputStream * 0x03a53fa0) line 341 + 11 bytes nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03a54214) line 119 PL_HandleEvent(PLEvent * 0x03a54214) line 692 + 9 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00ed5098) line 627 + 8 bytes _md_EventReceiverProc(HWND__ * 0x002e037e, unsigned int 49422, unsigned int 0, long 15552664) line 1433 + 8 bytes USER32! 77d18709() USER32! 77d187eb() USER32! 77d189a5() USER32! 77d189e8() nsAppShell::Run(nsAppShell * const 0x00f9ac00) line 135 nsAppStartup::Run(nsAppStartup * const 0x00f9a980) line 221 main1(int 3, char * * 0x002a4250, nsISupports * 0x00edaec8) line 1321 + 31 bytes main(int 3, char * * 0x002a4250) line 1799 + 34 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 7c816d4f()

Robert, could you help here with a much reduced testcase from the attached testcase?

Doesn't crash on Mozilla 1.7.2 release: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 I'll try some other builds, and see if I can narrow down when this got broke.

It does crash mozilla 1.7.5 nightly build 20041103 on WindowsME. Talkback TB1785061G

Today trunk CVS build (20041107 for date challenged) went also kaput. The crash looked the same but I cannot provide a talkback from the CVS build.

Things broke sometime before 29 October [I can't get at nightlies older than that] -- here's some history of what does/does not crash Doesn't Crash -- Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041029 Firefox/0.9.1+ Crashes - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041107 --> TB1785295Q Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041029 Firefox/1.0RC1 --> TB1785852K So on the 29th the trunk worked, but Firefox 1.0RC1 doesn't ...

I have seen a crash with a 2004-09-22 build http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1786824G

did some regression testing, used zip-builds, deleted components/compreg.dat to get talkback working. Couldn´t crash with downloaded file, had to load from bugzilla. Mozilla 1.8: 2004090407 working 2004091016 crashing on close, reproducible 2004091306 crashing 2004091804 crashing Mozilla 1.7 20041010 working (1.7.4 Release) 2004102108 working 2004110106 crashing a trunk talkback containing symbols: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1788990 talkbacks containing bug number: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=comments&match=contains&searchfor=268231&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a4) Gecko/20040911 did sometimes crash on close like BuildID 2004091016, both in MORK.DLL So I assume this is not related to this bug, and the regression time frame is BuildID 2004091105 not crashing on testcase, BuildID 2004091306 crashing on testcase. http://archive.mozilla.org/pub/mozilla/nightly/ has a lot of empty directories, all with newer than the original dates. Seems, from time to time somebody is deleting stuff in the archives. Some folders have the original, nightly date, other with newer date also contain some files, but often folders with newer date are empty.

I expect this can be reduced further. I am not obsoleting the original testcase since the stack looked quite different even though this was reduced from the original testcase.

The original and reduced testcases would only crash for me when viewing them locally after a refresh Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041106. I suspect the reduced testcase is a duplicate of bug 268157 due to the talkbacks and hence this bug may also be a duplicate. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1793590Z Stack Trace 0x00c40004 nsHTMLReflowState::ComputePadding [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp, line 2327]

I also get a crash with a different stack trace when when viewing the new testcase remotely and performing a refresh. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1794000Y Stack Trace 0x000003cf nsContainerFrame::ReflowChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 948] nsTableRowGroupFrame::IR_TargetIsChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1634]

couldn´t crash 2nd testcase on BuildID 2004091306, oldest crashing build on testcase 1. The original testcase wasn´t crashing when tested locally with a relatively current nightly. testcase 2 crashing only when reloading, BuildID 2004110606 http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=1794206 Regression timeframe for testcase1 is 2004091105 thru 2004091306, so testcase2 must be some other bug, maybe bug 268157, as seen in 2nd line of stack frame http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsHTMLReflowState%3A%3AComputePadding&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

I was able to crash with testcase 1 using a debug build from today.

I just verified that by taking out the following either testcase my debug build from today no longer crashes when viewed locally. This is in the img tag towards the end of both testcases. border="9122426235884966334877847689486752756034152801619730234669552883524144378493472595827"

Comment on attachment 165446 [details] [diff] [review] patch Why is this the right patch? In particular, can't tables split in columns even in non-paginated prescontexts?

Currently, no. One day, hopefully yes. Although duplicating <thead> frames across columns in dynamic prescontexts is likely to be a massive architectural change to do right.

Comment on attachment 165446 [details] [diff] [review] patch r+sr=bzbarsky, in that case.... But we may want to add an assert here for cases when this is triggered. That way when we try to do this for columns, we'll know this code needs fixing.

When we do table breaking in columns, I'll just search for IsPaginated everywhere in layout/html/table.

wfm with tinderbox build 2004111110 having the patch Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a5) Gecko/20041111 Tested both testcases, load/Reload/Shift-Reload multiple times, no crash. Seen with first testcase: While loading, there is a vertical scrollbar to the right. Scrolling is possible using the keyboard, the arrow buttons or the slider of the scrollbar. When loading finishes and the marquees start shifting in, the the slider vanishes, the arrow buttons are grayed out, scroll keys get inactive, scrolling is impossible. check in: 2004-11-11 09:27 bmlk%gmx.de mozilla/ layout/ html/ table/ src/ nsTableRowGroupFrame.cpp 3.335 10/3 Split row groups works only for paginated media bug 268231 r/sr=bzbarsky

taking

Comment on attachment 165446 [details] [diff] [review] patch this might be good for branch too

Comment on attachment 165446 [details] [diff] [review] patch a=mkaply for 1.7. Please put on the aviary branch as well.

Comment on attachment 165446 [details] [diff] [review] patch Per drivers discussion, we really want to make 1.7.5 match FF 1.0, so changing these back to requests. (We might want it for 1.7.6 / FF 1.0.1 or something like that, so changing to requests, rather than minuses, since we don't really have flags yet.)

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20041201 Firefox/1.0+ The testcase in Comment 11 doesn't crash here.

That's because the patch was checked in.....

If I am out of line in posting this low-content message to an already fairly long bug, then I apologise, and make the suggestion that each bug should as well as a link to (for example) the 'search page' have also a link to either the 'bugzilla etiquette' or a 'bugzilla howto' page. ( http://bugzilla.mozilla.org/page.cgi?id=etiquette.html 1.1 ... Additional "I see this too" or "It works for me" comments are unnecessary ... ) I would guess that I have a double dose of the "just catch it" gene (named for the anecdote in the CVS book) in that I take it personally when a program crashes, and feel that it should be possible (on an open system, intended and designed to work properly) to identify the chain of causation of every crash and find a simple and effective way of eliminating the crash. It is also quite difficult to identify problems which are worth fixing, simple enough for me to produce a patch, the patch is clear enough to be submitted and worth the developers time, and not important enough to aleady have a developer working on an maybe have a fix for. I bet that most of these are crash problems (see Bug 203784 ). Yes, I occasionally post at least potentially empty comments, and if asked not to, I will pipe down or shut up entirely. Most (but not all, see Bug 260388 ) of my comments relate to the Mac OS platform running a build made here, using the standard methods from the trunk, no more than a day or two old. Maybe I am wrong, but I would have thought that nearly always this would produce new and probably useful information The reason for posting on this bug was that it was marked as NEW, and I thought that further information was still required. Although I could see that a patch was submitted, I could not see that it had been applied to the trunk and was known to have fixed the problem. Had the crash occurred then my paragraph 3 would have applied, and I would have attempted to produce a patch. As there was no crash, I reported this good news. Speaking for myself, if I were fixing bugs on Mac OS I would love to hear from people on, say, linux, reporting that that my work was OK; but this may not be relevant. http://www.mozilla.org/contribute/ deals with how to help with bugs in the UNCONFORMED state, but I cannot find guidance for helping with bugs in the NEW state http://www.mozilla.org/hacking/life-cycle.html sounds as though it should, but doesn't.

Ben: Sorry for the inconvience and the time that you spent but no need for a complete roman, here comes the short version: Bernd sucks in his bug handling; a) mark bugs as assigned when you are working on them, b) write clearly when you checkin. And hmm reading helps (comment 22 )

fixed on the 1.7 branch

verified fixed. testcase does not cause crash with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050310

mistakenly removed fixed1.7.6 --pardon the bugspam. set your filter/quicksearch to "ZippidityDooDahHey" to catch these for easy removal/etc/

*** Bug 294053 has been marked as a duplicate of this bug. ***