Closed Bug 620311 Opened 14 years ago Closed 14 years ago

crash [@ nsTableFrame::MatchCellMapToColCache | nsTableFrame::RemoveFrame] because cellMap guard did not cover MatchCellMapToColCache

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla5

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

patch
(deleted), patch
bernd_mozilla
: review+
dbaron
: approval2.0-
Details | Diff | Splinter Review
2269 nsTableFrame::RemoveFrame(nsIAtom* aListName, null checked here: 2312 if (cellMap) { 2318 } crashes in here: 2320 MatchCellMapToColCache(cellMap); 756 nsTableFrame::MatchCellMapToColCache(nsTableCellMap* aCellMap) 758 PRInt32 numColsInMap = GetColCount(); 759 PRInt32 numColsInCache = mColFrames.Length(); 760 PRInt32 numColsToAdd = numColsInMap - numColsInCache; 765 if (numColsToAdd < 0) { 785 aCellMap->ExpandZeroColSpans();
Attached patch patch (deleted) — Splinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #498697 - Flags: review?(bernd_mozilla)
Attachment #498697 - Flags: approval2.0?
Attachment #498697 - Flags: review?(bernd_mozilla) → review+
Comment on attachment 498697 [details] [diff] [review] patch Please land this after we branch for Gecko 2.0 / Firefox 4. (Under what conditions does a table have a null cell map? Could this be changing behavior?)
Attachment #498697 - Flags: approval2.0? → approval2.0-
http://hg.mozilla.org/mozilla-central/rev/7bb29670ab59
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.2
Crash Signature: [@ nsTableFrame::MatchCellMapToColCache | nsTableFrame::RemoveFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: