Closed
Bug 14386
Opened 25 years ago
Closed 25 years ago
Bad memory block assertion when collapsing/expanding IMAP server
Categories
(SeaMonkey :: MailNews: Message Display, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
M11
People
(Reporter: sfraser_bugs, Assigned: scottputterman)
I'm seeing consistent assertions about a bad memory block being freed when I
collapse or expand an IMAP server in the messenger window. Here's the stack:
Calling chain using A6/R1 links
Back chain ISA Caller
00000000 PPC 1FFDC61C
0ADC6CC0 PPC 1FFD8DA8 main+0013C
0ADC6C50 PPC 1FFD894C main1(int, char**)+004C4
0ADC6B50 PPC 1C75A620 nsAppShellService::Run()+00020
0ADC6B10 PPC 1C718F58 nsAppShell::Run()+00050
0ADC6A90 PPC 1C719CFC nsMacMessagePump::DoMessagePump()+00044
0ADC6A40 PPC 1C719F00 nsMacMessagePump::DispatchEvent(int, EventRecord*)+
00084
0ADC69F0 PPC 1C71A1F4 nsMacMessagePump::DoMouseDown(EventRecord&)+000C0
0ADC6900 PPC 1C71AD28
nsMacMessagePump::DispatchOSEventToRaptor(EventRecord&, GrafPort
*)+0004C
0ADC68B0 PPC 1C7142D4 nsMacMessageSink::DispatchOSEvent(EventRecord&,
GrafPort*)+00048
0ADC6870 PPC 1C70D890 nsMacWindow::HandleOSEvent(EventRecord&)+0004C
0ADC6810 PPC 1C70E020 nsMacEventHandler::HandleOSEvent(EventRecord&)+000B0
0ADC67C0 PPC 1C70FA4C nsMacEventHandler::HandleMouseDownEvent(EventRecord&
)+0022C
0ADC6700 PPC 1C6F5F4C nsWindow::DispatchMouseEvent(nsMouseEvent&)+00060
0ADC66A0 PPC 1C6F5E8C nsWindow::DispatchWindowEvent(nsGUIEvent&)+00028
0ADC6660 PPC 1C6F5D98 nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&
)+000A8
0ADC6610 PPC 1C694950 HandleEvent(nsGUIEvent*)+00064
0ADC65C0 PPC 1C6912C0 nsViewManager::DispatchEvent(nsGUIEvent*,
nsEventStatus&)+007C4
0ADC63E0 PPC 1C6968E4 nsView::HandleEvent(nsGUIEvent*, unsigned int,
nsEventStatus&, i
nt&)+001F0
0ADC6360 PPC 1D0A7C88 PresShell::HandleEvent(nsIView*, nsGUIEvent*,
nsEventStatus&)+00
50C
0ADC62C0 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC6180 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC6040 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC5F00 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC5DC0 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC5C80 PPC 1C9B2770 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00428
0ADC5B40 PPC 1C9B27B8 RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00470
0ADC5A00 PPC 1D153888 nsEventListenerManager::HandleEvent(nsIPresContext&,
nsEvent*, n
sIDOMEvent**, unsigned int, nsEventStatus&)+001D0
0ADC58B0 PPC 1D3C7900 nsTreeTwistyListener::MouseDown(nsIDOMEvent*)+0039C
0ADC55B0 PPC 1C9AB2F0 RDFElementImpl::RemoveAttribute(const nsString&)+
000AC
0ADC5550 PPC 1C9B1B18 RDFElementImpl::UnsetAttribute(int, nsIAtom*, int)+
009D8
0ADC5270 PPC 1C994FB4 XULDocumentImpl::AttributeChanged(nsIContent*,
nsIAtom*, int)+00
200
0ADC5030 PPC 1C9A0CA4 XULDocumentImpl::CloseWidgetItem(nsIContent*)+002A4
0ADC4EC0 PPC 1C9C8A10 RDFGenericBuilderImpl::CloseContainer(nsIContent*)+
00284
0ADC4E10 PPC 1C9D4F48
RDFGenericBuilderImpl::RemoveGeneratedContent(nsIContent*)+001B8
0ADC4D00 PPC 1C9AF330 RDFElementImpl::RemoveChildAt(int, int)+00940
0ADC4BA0 PPC 1C9956C0 XULDocumentImpl::ContentRemoved(nsIContent*,
nsIContent*, int)+0
0080
0ADC4B40 PPC 1D0A67C8 PresShell::ContentRemoved(nsIDocument*, nsIContent*,
nsIContent*
, int)+000A0
0ADC4AF0 PPC 1D0A1420 PresShell::ExitReflowLock()+00034
0ADC4AB0 PPC 1D0A4724 PresShell::ProcessReflowCommands()+001E0
0ADC4A10 PPC 1D14A30C nsHTMLReflowCommand::Dispatch(nsIPresContext&,
nsHTMLReflowMetri
cs&, const nsSize&, nsIRenderingContext&)+00174
0ADC48F0 PPC 1D32FD60 ViewportFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, con
st nsHTMLReflowState&, unsigned int&)+002FC
0ADC4760 PPC 1D083F14 nsContainerFrame::ReflowChild(nsIFrame*,
nsIPresContext&, nsHTML
ReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
0ADC4650 PPC 1D15E608 RootFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, const n
sHTMLReflowState&, unsigned int&)+002C4
0ADC44C0 PPC 1D083F14 nsContainerFrame::ReflowChild(nsIFrame*,
nsIPresContext&, nsHTML
ReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
0ADC43B0 PPC 1D35D090 nsBoxFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, const
nsHTMLReflowState&, unsigned int&)+00184
0ADC42C0 PPC 1D35F5C0 nsBoxFrame::GetBoxInfo(nsIPresContext&, const
nsHTMLReflowState&
, nsBoxInfo&)+000C0
0ADC41F0 PPC 1D35CE10 nsBoxFrame::GetChildBoxInfo(nsIPresContext&, const
nsHTMLReflowS
tate&, nsIFrame*, nsCalculatedBoxInfo&)+00380
0ADC40F0 PPC 1D35E25C nsBoxFrame::FlowChildAt(nsIFrame*, nsIPresContext&,
nsHTMLReflow
Metrics&, const nsHTMLReflowState&, unsigned int&, nsCalculatedBoxInfo&, int&,
nsString&)+004
60
0ADC3F60 PPC 1D29C4BC nsBlockFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, cons
t nsHTMLReflowState&, unsigned int&)+00204
0ADC3CE0 PPC 1D29DC4C nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)+
000A0
0ADC3C20 PPC 1D29E364 nsBlockFrame::ReflowLine(nsBlockReflowState&,
nsLineBox*, int*,
int)+00100
0ADC3B70 PPC 1D29F92C nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&,
nsLineBox*,
int*)+00260
0ADC39E0 PPC 1D311094 nsBlockReflowContext::ReflowBlock(nsIFrame*, const
nsRect&, int,
int, int, nsMargin&, unsigned int&)+0032C
0ADC36D0 PPC 1D13DA34 nsTableOuterFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&,
const nsHTMLReflowState&, unsigned int&)+00164
0ADC3340 PPC 1D13BCDC nsTableOuterFrame::IncrementalReflow(nsIPresContext&
, nsHTMLRefl
owMetrics&, OuterTableReflowState&, unsigned int&)+00104
0ADC32E0 PPC 1D13BDE0 nsTableOuterFrame::IR_TargetIsChild(nsIPresContext&,
nsHTMLReflo
wMetrics&, OuterTableReflowState&, unsigned int&, nsIFrame*)+00064
0ADC3280 PPC 1D13BFB0
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsIPresContext&, n
sHTMLReflowMetrics&, OuterTableReflowState&, unsigned int&)+00040
0ADC3240 PPC 1D13CBB0
nsTableOuterFrame::IR_InnerTableReflow(nsIPresContext&, nsHTMLRe
flowMetrics&, OuterTableReflowState&, unsigned int&)+0018C
0ADC2FA0 PPC 1D083F14 nsContainerFrame::ReflowChild(nsIFrame*,
nsIPresContext&, nsHTML
ReflowMetrics&, const nsHTMLReflowState&, unsigned int&)+000BC
0ADC2E90 PPC 1D31EC70 nsTreeFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, const
nsHTMLReflowState&, unsigned int&)+000D4
0ADC2E30 PPC 1D131278 nsTableFrame::Reflow(nsIPresContext&,
nsHTMLReflowMetrics&, cons
t nsHTMLReflowState&, unsigned int&)+0014C
0ADC2D00 PPC 1D123410 nsCellMap::~nsCellMap()+00120
0ADC2CA0 PPC 1E033428 __dla__FPv+0001C
0ADC2C40 PPC 1E0332F4 operator delete(void*)+0001C
0ADC2BE0 PPC 1E0344A4 free+0006C
User break at 1E034EDC nsFixedSizeAllocator::AllocatorFreeBlock(void*)+0006C
Bad block trailer
Closing log
Comment 1•25 years ago
Reassign to hyatt; cc karnaze; bump severity to critical
Updated•25 years ago
Status: NEW → ASSIGNED
Target Milestone: M12
Comment 2•25 years ago
My hands have deteriorated to the point where I can no longer type. I need
help. If you think you can fix this bug on your own, please take it away from
me. If you'd like to volunteer to be my hands for a specific bug, then I'll be
happy to come up to your cube and sit with you and fix the bug (assuming you
have the patience for that).
Updated•25 years ago
Assignee: hyatt → putterman
Status: ASSIGNED → NEW
Comment 3•25 years ago
I'll look into this.
Comment 4•25 years ago
I have a fix for this and will send a patch to karnaze and hyatt for review
today. I don't know if it solves the overall problem, but it prevents the
memory corruption. Basically what's happening is that nsCellMap has an array of
collapsed rows, with one boolean entry per row. When rows are added/removed
from the cell map, this collapsed row array is not being updated. In this case,
we are inserting new rows, and then setting the collapsed value. Unfortunately,
the new collapsed values are being written into unallocated pieces of memory and
causing this problem. The fix is to make sure the collapsed row array is kept
in synch with the rows being added/removed.
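The failure mode described in comment 4, as an added example that is not part of the original bug report and is not Mozilla's nsCellMap code: a simplified C++ model in which the collapsed-flag array either drifts from the row list or is kept in sync with it. The class and method names are hypothetical, and the bounds check in `SetRowCollapsed` is an assumption added for illustration.

```cpp
#include <cstddef>
#include <vector>

// Simplified model with hypothetical names; not Mozilla's nsCellMap.
// One collapsed flag per row, held in an array parallel to the row list.
class CellMapModel {
    struct Row {};
    std::vector<Row> mRows;
    std::vector<bool> mCollapsed;
public:
    explicit CellMapModel(std::size_t rows) : mRows(rows), mCollapsed(rows, false) {}

    // Pre-fix pattern from comment 4: rows grow, the flag array does not.
    bool InsertRowsUnsynced(std::size_t at, std::size_t count) {
        if (at > mRows.size()) return false;
        mRows.insert(mRows.begin() + at, count, Row{});
        return true;
    }
    // Fixed pattern: every insertion or removal updates both containers.
    bool InsertRows(std::size_t at, std::size_t count) {
        if (at > mRows.size()) return false;
        mRows.insert(mRows.begin() + at, count, Row{});
        mCollapsed.insert(mCollapsed.begin() + at, count, false);
        return true;
    }
    bool RemoveRows(std::size_t at, std::size_t count) {
        if (at > mRows.size() || count > mRows.size() - at) return false;
        mRows.erase(mRows.begin() + at, mRows.begin() + at + count);
        mCollapsed.erase(mCollapsed.begin() + at, mCollapsed.begin() + at + count);
        return true;
    }
    // Checked against the flag array itself, so a desynchronised map
    // rejects the write instead of storing past the allocation.
    bool SetRowCollapsed(std::size_t row, bool value) {
        if (row >= mCollapsed.size()) return false;
        mCollapsed[row] = value;
        return true;
    }
    bool IsRowCollapsed(std::size_t row) const {
        return row < mCollapsed.size() && mCollapsed[row];
    }
    bool InSync() const { return mRows.size() == mCollapsed.size(); }
    std::size_t RowCount() const { return mRows.size(); }
};

int main() {
    CellMapModel m(2);
    m.InsertRowsUnsynced(2, 3);                 // 5 rows, 2 flags
    return m.SetRowCollapsed(4, true) ? 1 : 0;  // rejected, so exit status 0
}
```

Without the bounds check, the write to row 4 in the unsynced case would land past the end of a two-entry flag array, which is the kind of heap damage the allocator reports as a bad block trailer when the owning object is later freed.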
Updated•25 years ago
Target Milestone: M12 → M11
Updated•25 years ago
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 5•25 years ago
I checked in the fix.
Updated•25 years ago
QA Contact: lchiang → huang
Comment 8•25 years ago
Change QA Contact to me.
Updated•25 years ago
QA Contact: huang → ppandit
Comment 9•25 years ago
After confirming with Lisa, changing QA Contact to Par since it needs a debugger to
verify this bug.
Comment 10•25 years ago
Based on conversation with putterman and quick check
of mozilla/layout/html/table/src/nsCellMap.cpp - marking as VERIFIED
Updated•20 years ago
Product: Browser → Seamonkey