A few of the assertions leading up to the crash, the stack and some data.

The same call stack as above, but 'row' = 0xdadadada

I'm about to attach a testcase that (on Mac) sometimes crashes [@ nsVoidArray::Count], sometimes crashes [@ nsCellMap::GetRowSpanForNewCell], and sometimes doesn't crash. It also triggers the following assertion: ###!!! ASSERTION: SetDataAt called with row index > num rows: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsCellMap.cpp, line 2401

<table id="table"> <thead></thead> <tfoot id="A"><tr><td>td</td></tr></tfoot> <tfoot id="B"><tr><td>td</td></tr></tfoot> <thead></thead> </table> produces the following cellmap ***** START TABLE CELL MAP DUMP ***** 02FEBF00 cols array orig/span-> 02FEBF000=2/0 cols in cache 1 ***** START GROUP CELL MAP DUMP ***** 02FF5C58 thead mapRowCount=0 tableRowCount=0 ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 02FF5CC0 tfoot mapRowCount=1 tableRowCount=1 row 0 : C0,0 C0,0=02FF51C4(0) ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 02FF5E38 thead mapRowCount=0 tableRowCount=0 ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 02FF5EA0 tfoot mapRowCount=1 tableRowCount=1 row 0 : C0,0 C0,0=02FF4EB4(0) ***** END GROUP CELL MAP DUMP ***** ***** END TABLE CELL MAP DUMP ***** ***END TABLE DUMP*** the dynamic case: function boom() { var table = document.getElementById("table"); table.insertBefore(document.createElement("thead"), document.getElementById("A")); } </script> </head> <body onload="boom();"> <table id="table"> <tfoot id="A"><tr><td>td</td></tr></tfoot> <tfoot id="B"><tr><td>td</td></tr></tfoot> <thead></thead> </table> produces the following cellmap: Please notice the difference between the second maps. ***** START TABLE CELL MAP DUMP ***** 02B91FD8 cols array orig/span-> 02B91FD80=2/0 cols in cache 1 ***** START GROUP CELL MAP DUMP ***** 03017028 thead mapRowCount=0 tableRowCount=0 ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 03004348 thead mapRowCount=0 tableRowCount=0 ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 030043B0 tfoot mapRowCount=1 tableRowCount=1 row 0 : C0,0 C0,0=03003374(0) ***** END GROUP CELL MAP DUMP ***** ***** START GROUP CELL MAP DUMP ***** 02B92190 tfoot mapRowCount=1 tableRowCount=1 row 0 : C0,0 C0,0=030CAA54(0) ***** END GROUP CELL MAP DUMP ***** ***** END TABLE CELL MAP DUMP ***** ***END TABLE DUMP*** as I stated in https://bugzilla.mozilla.org/show_bug.cgi?id=317554#c7 > Once the cellmap is out of sync with the row > group frames, its only a matter of dom transitions till we crash And this is exactly what is happening again here. The cure for this is to remove OrderRowGroups see https://bugzilla.mozilla.org/show_bug.cgi?id=328017#c6 This however implies a major surgery at table printing. To test this one needs to get the printing regression tests running again. They got removed from tree together with the viewer removal and need to be reimplemented in the layout debugger. Which is exactly the plan that I had to follow the next weeks.

I will develop the patch open inside bug 328017. The print rtest work is bug 339500 and bug 339521.

Comment on attachment 224446 [details] [diff] [review] patch I did not go for the big solution. This fixes the synchronization between rowgroups and cellmaps. The sad news is that it does not fix any other of the stirtable crashes. Its rather frustrating. The good thing is due to the small size the patch is branchable.

aTableFrame.OrderRowGroups(orderedRowGroups, numRowGroups); - NS_ASSERTION(orderedRowGroups.Count() == (PRInt32) numRowGroups,"problem in OrderRowGroups"); the assertion is bogus as the table could have non rowgroup children which would then be after the rowgroups (see nsTableFrame::OrderRowGroups)

Bernd, do you still want review on the "revised patch"?

Comment on attachment 224723 [details] [diff] [review] revised patch Yes, I need a review for this. I am only a little bit scared by the low quality that the patches currently have where I ask for review. (see bug 339315 for another example). The second thing is that due to the various crashes its difficult to test that one does not introduce new crashes. Hopefully the patch for bug 339246 will help, but currently, whichever seed I take, the stirtable crashes within 250 steps :-( .

Comment on attachment 224723 [details] [diff] [review] revised patch >Index: nsCellMap.cpp >+nsTableCellMap::Synchronize(nsTableFrame* aTableFrame) >+ maps.Clear(); This isn't needed, right? Why do it? >+ aTableFrame->OrderRowGroups(orderedRowGroups, numRowGroups); If this fails due to OOM, is that an issue? >+ maps.AppendElement(map); If this fails due to OOM, is that an issue? r+sr=bzbarsky

fixed on trunk, the whole bunch of fixes for 339128 needs serious baking as the changed code is pretty old.

This crash happens on the 1.8 branches also, nominating.

Is this patch suitable for the branch? Can we get a branch-suitable patch up for approval?

I think the patch in bug 346980 is the branch-suitable version (and includes this fix). I'm not sure, though, and bernd is away. :(

fixed by the patch for bug 346980 on branch

the only bug that should block 1.8.0.7 is bug 346980 which is blocked by the regression 347725 asking for 1.8.0.7- on this

https://bugzilla.mozilla.org/attachment.cgi?id=223437&action=view ff2b2 windows, linux, macppc no crash; macppc shows 2 tds while windows/linux show 3. ff2b2 debug windows, linux no crash verified fixed 1.8

Moving to 1.8.0.8 at Bernd's request (regression worries)

fixed by the cellmap branch patch

https://bugzilla.mozilla.org/attachment.cgi?id=223437&action=view should not crash browser. Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060829 Firefox/1.5.0.7pre verified 1.8.0.7

crash test landed http://hg.mozilla.org/mozilla-central/rev/bc81c570de7e