Closed Bug 14386 Opened 25 years ago Closed 25 years ago

Bad memory block assertion when collapsing/expanding IMAP server

Categories

(SeaMonkey :: MailNews: Message Display, defect, P3)

PowerPC
Mac System 8.5

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: sfraser_bugs, Assigned: scottputterman)

I'm seeing consistent assertions about a bad memory block being freed when I collapse or expand an IMAP server in the messenger window. Here's the stack:

Calling chain using A6/R1 links
 Back chain  ISA  Caller
  00000000  PPC  1FFDC61C
  0ADC6CC0  PPC  1FFD8DA8  main+0013C
  0ADC6C50  PPC  1FFD894C  main1(int, char**)+004C4
  0ADC6B50  PPC  1C75A620  nsAppShellService::Run()+00020
  0ADC6B10  PPC  1C718F58  nsAppShell::Run()+00050
  0ADC6A90  PPC  1C719CFC  nsMacMessagePump::DoMessagePump()+00044
  0ADC6A40  PPC  1C719F00  nsMacMessagePump::DispatchEvent(int, EventRecord*)+00084
  0ADC69F0  PPC  1C71A1F4  nsMacMessagePump::DoMouseDown(EventRecord&)+000C0
  0ADC6900  PPC  1C71AD28  nsMacMessagePump::DispatchOSEventToRaptor(EventRecord&, GrafPort*)+0004C
  0ADC68B0  PPC  1C7142D4  nsMacMessageSink::DispatchOSEvent(EventRecord&, GrafPort*)+00048
  0ADC6870  PPC  1C70D890  nsMacWindow::HandleOSEvent(EventRecord&)+0004C
  0ADC6810  PPC  1C70E020  nsMacEventHandler::HandleOSEvent(EventRecord&)+000B0
  0ADC67C0  PPC  1C70FA4C  nsMacEventHandler::HandleMouseDownEvent(EventRecord&)+0022C
  0ADC6700  PPC  1C6F5F4C  nsWindow::DispatchMouseEvent(nsMouseEvent&)+00060
  0ADC66A0  PPC  1C6F5E8C  nsWindow::DispatchWindowEvent(nsGUIEvent&)+00028
  0ADC6660  PPC  1C6F5D98  nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&)+000A8
  0ADC6610  PPC  1C694950  HandleEvent(nsGUIEvent*)+00064
  0ADC65C0  PPC  1C6912C0  nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus&)+007C4
  0ADC63E0  PPC  1C6968E4  nsView::HandleEvent(nsGUIEvent*, unsigned int, nsEventStatus&, int&)+001F0
  0ADC6360  PPC  1D0A7C88  PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus&)+0050C
  0ADC62C0  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC6180  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC6040  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC5F00  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC5DC0  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC5C80  PPC  1C9B2770  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00428
  0ADC5B40  PPC  1C9B27B8  RDFElementImpl::HandleDOMEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+00470
  0ADC5A00  PPC  1D153888  nsEventListenerManager::HandleEvent(nsIPresContext&, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus&)+001D0
  0ADC58B0  PPC  1D3C7900  nsTreeTwistyListener::MouseDown(nsIDOMEvent*)+0039C
  0ADC55B0  PPC  1C9AB2F0  RDFElementImpl::RemoveAttribute(const nsString&)+000AC
  0ADC5550  PPC  1C9B1B18  RDFElementImpl::UnsetAttribute(int, nsIAtom*, int)+009D8
  0ADC5270  PPC  1C994FB4  XULDocumentImpl::AttributeChanged(nsIContent*, nsIAtom*, int)+00200
  0ADC5030  PPC  1C9A0CA4  XULDocumentImpl::CloseWidgetItem(nsIContent*)+002A4
  0ADC4EC0  PPC  1C9C8A10  RDFGenericBuilderImpl::CloseContainer(nsIContent*)+00284
  0ADC4E10  PPC  1C9D4F48  RDFGenericBuilderImpl::RemoveGeneratedContent(nsIContent*)+001B8
  0ADC4D00  PPC  1C9AF330  RDFElementImpl::RemoveChildAt(int, int)+00940
  0ADC4BA0  PPC  1C9956C0  XULDocumentImpl::ContentRemoved(nsIContent*, nsIContent*, int)+00080
  0ADC4B40  PPC  1D0A67C8  PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int)+000A0
  0ADC4AF0  PPC  1D0A1420  PresShell::ExitReflowLock()+00034
  0ADC4AB0  PPC  1D0A4724  PresShell::ProcessReflowCommands()+001E0
  0ADC4A10  PPC  1D14A30C  nsHTMLReflowCommand::Dispatch(nsIPresContext&, nsHTMLReflowMetrics&, const nsSize&, nsIRenderingContext&)+00174
  0ADC48F0  PPC  1D32FD60  ViewportFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+002FC
  0ADC4760  PPC  1D083F14  nsContainerFrame::ReflowChild(nsIFrame*, nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
  0ADC4650  PPC  1D15E608  RootFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+002C4
  0ADC44C0  PPC  1D083F14  nsContainerFrame::ReflowChild(nsIFrame*, nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
  0ADC43B0  PPC  1D35D090  nsBoxFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+00184
  0ADC42C0  PPC  1D35F5C0  nsBoxFrame::GetBoxInfo(nsIPresContext&, const nsHTMLReflowState&, nsBoxInfo&)+000C0
  0ADC41F0  PPC  1D35CE10  nsBoxFrame::GetChildBoxInfo(nsIPresContext&, const nsHTMLReflowState&, nsIFrame*, nsCalculatedBoxInfo&)+00380
  0ADC40F0  PPC  1D35E25C  nsBoxFrame::FlowChildAt(nsIFrame*, nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&, nsCalculatedBoxInfo&, int&, nsString&)+00460
  0ADC3F60  PPC  1D29C4BC  nsBlockFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+00204
  0ADC3CE0  PPC  1D29DC4C  nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)+000A0
  0ADC3C20  PPC  1D29E364  nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineBox*, int*, int)+00100
  0ADC3B70  PPC  1D29F92C  nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineBox*, int*)+00260
  0ADC39E0  PPC  1D311094  nsBlockReflowContext::ReflowBlock(nsIFrame*, const nsRect&, int, int, int, nsMargin&, unsigned int&)+0032C
  0ADC36D0  PPC  1D13DA34  nsTableOuterFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+00164
  0ADC3340  PPC  1D13BCDC  nsTableOuterFrame::IncrementalReflow(nsIPresContext&, nsHTMLReflowMetrics&, OuterTableReflowState&, unsigned int&)+00104
  0ADC32E0  PPC  1D13BDE0  nsTableOuterFrame::IR_TargetIsChild(nsIPresContext&, nsHTMLReflowMetrics&, OuterTableReflowState&, unsigned int&, nsIFrame*)+00064
  0ADC3280  PPC  1D13BFB0  nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsIPresContext&, nsHTMLReflowMetrics&, OuterTableReflowState&, unsigned int&)+00040
  0ADC3240  PPC  1D13CBB0  nsTableOuterFrame::IR_InnerTableReflow(nsIPresContext&, nsHTMLReflowMetrics&, OuterTableReflowState&, unsigned int&)+0018C
  0ADC2FA0  PPC  1D083F14  nsContainerFrame::ReflowChild(nsIFrame*, nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
  0ADC2E90  PPC  1D31EC70  nsTreeFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000D4
  0ADC2E30  PPC  1D131278  nsTableFrame::Reflow(nsIPresContext&, nsHTMLReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+0014C
  0ADC2D00  PPC  1D123410  nsCellMap::~nsCellMap()+00120
  0ADC2CA0  PPC  1E033428  __dla__FPv+0001C
  0ADC2C40  PPC  1E0332F4  operator delete(void*)+0001C
  0ADC2BE0  PPC  1E0344A4  free+0006C
User break at 1E034EDC nsFixedSizeAllocator::AllocatorFreeBlock(void*)+0006C
Bad block trailer
Closing log
Reassign to hyatt; cc karnaze; bump severity to critical
Blocks: 11091
Status: NEW → ASSIGNED
Target Milestone: M12
My hands have deteriorated to the point where I can no longer type. I need help. If you think you can fix this bug on your own, please take it away from me. If you'd like to volunteer to be my hands for a specific bug, then I'll be happy to come up to your cube and sit with you and fix the bug (assuming you have the patience for that).
Assignee: hyatt → putterman
Status: ASSIGNED → NEW
I'll look into this.
I have a fix for this and will send a patch to karnaze and hyatt for review today. I don't know if it solves the overall problem, but it prevents the memory corruption. Basically what's happening is that nsCellMap has an array of collapsed rows, with one boolean entry per row. When rows are added/removed from the cell map, this collapsed row array is not being updated. In this case, we are inserting new rows, and then setting the collapsed value. Unfortunately, the new collapsed values are being written into unallocated pieces of memory and causing this problem. The fix is to make sure the collapsed row array is kept in synch with the rows being added/removed.
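The failure mode and fix described in the comment above, as an added example that is not part of the bug thread or the checked-in patch: a small C++ model in which a per-row collapsed-flag array must be resized together with the row array. CellMapModel and its methods are hypothetical names, and std::vector stands in for the original storage.

```cpp
// Added illustration. CellMapModel is a hypothetical stand-in, not Mozilla's nsCellMap.
#include <cstddef>
#include <string>
#include <vector>

class CellMapModel {
 public:
  // sync=false models the reported pattern: rows change, the flag array does not.
  CellMapModel(std::size_t rows, bool sync)
      : mSync(sync), mRows(rows, "row"), mCollapsed(rows, false) {}

  void InsertRows(std::size_t at, std::size_t count) {
    if (at > mRows.size()) at = mRows.size();
    mRows.insert(mRows.begin() + at, count, std::string("row"));
    // The fix: grow the per-row flag array at the same index as the rows.
    if (mSync) mCollapsed.insert(mCollapsed.begin() + at, count, false);
  }

  void RemoveRows(std::size_t at, std::size_t count) {
    if (at >= mRows.size()) return;
    if (count > mRows.size() - at) count = mRows.size() - at;
    mRows.erase(mRows.begin() + at, mRows.begin() + at + count);
    if (mSync) mCollapsed.erase(mCollapsed.begin() + at, mCollapsed.begin() + at + count);
  }

  // Refuses an index outside the flag array; with a raw buffer and no check,
  // this is the write that lands in memory the array never owned.
  bool SetRowCollapsed(std::size_t row, bool value) {
    if (row >= mRows.size() || row >= mCollapsed.size()) return false;
    mCollapsed[row] = value;
    return true;
  }

  bool IsRowCollapsed(std::size_t r) const { return r < mCollapsed.size() && mCollapsed[r]; }
  bool InSync() const { return mRows.size() == mCollapsed.size(); }
 private:
  bool mSync;
  std::vector<std::string> mRows;
  std::vector<bool> mCollapsed;  // one entry per row
};

int main() {
  CellMapModel stale(3, false), fixed(3, true);
  stale.InsertRows(3, 2);  // rows: 5, flags: 3
  fixed.InsertRows(3, 2);  // rows: 5, flags: 5
  bool ok = !stale.SetRowCollapsed(4, true) && fixed.SetRowCollapsed(4, true);
  return ok ? 0 : 1;
}
```

Inserting the flags at the same index as the rows also keeps existing collapsed state attached to the row it belongs to, which appending to the end would not.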
Target Milestone: M12 → M11
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
I checked in the fix.
*** Bug 12885 has been marked as a duplicate of this bug. ***
*** Bug 14253 has been marked as a duplicate of this bug. ***
QA Contact: lchiang → huang
Change QA Contact to me.
QA Contact: huang → ppandit
After confirming with Lisa, changing QA Contact to Par since it needs a debugger to verify this bug.
Status: RESOLVED → VERIFIED
Based on conversation with putterman and quick check of mozilla/layout/html/table/src/nsCellMap.cpp - marking as VERIFIED
Product: Browser → Seamonkey