Closed Bug 116413 Opened 24 years ago Closed 22 years ago

negative VoidArray index in GetMenuAt() in View menu on Mac

Categories

(Core :: XUL, defect, P2)

Product:
Core
Component:
XUL
Platform:
PowerPC
Mac System 9.x
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: jesup, Assigned: jesup)

References

Details

(Keywords: crash)

Attachments

(1 file, 2 obsolete files)

last bit
991 bytes, patch
mozeditor
: review+
jst
: superreview+
Details | Diff | Splinter Review
From bug 96108: ------- Additional Comments From peterv@netscape.com 2001-12-21 08:56 ------- I hit the assertion "###!!! ASSERTION: nsVoidArray::ElementAt(negative index) - note on bug 96108: 'aIndex >= 0', file nsVoidArry.h, line 77", coming from http://lxr.mozilla.org/seamonkey/source/widget/src/mac/nsDynamicMDEF.cpp#465. gPreviousMenuHandleStack.Count() is 0. I tried to open the View menu on my mac build. ------- Patch to be attached. I might be able to patch it with less perf hit (not that it will be noticable) if i had the stack backtrace. Can cause crash in opt build.
Depends on: 96108
Keywords: crash
Attached patch patch ready for review (obsolete) — Splinter Review
This will fix the problem. I'd prefer to fix the caller; I looked at several and didn't see how we'd get in with an empty list.
Looking for review of a trivial fix for a VoidArray negative-index use missed by the patch.
Status: NEW → ASSIGNED
Comment on attachment 62531 [details] [diff] [review] patch ready for review sr=jst. Go ahead and check this one in if you want, no need for a separate r= for something this trivial.
Attachment #62531 - Flags: superreview+
Attachment #62531 - Flags: review+
Fix checked in, thanks
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
THis was nsSupportsArray, not nsVoidArray. I HATE that Supports and Void are so close but don't inherit or share; it bites us again and again. We'll need to track down the caller's stack and make them not do that.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Calling chain using A6/R1 links Back chain ISA Caller 0A50BDBD PPC FFCEC3FC EmToNatEndMoveParams+00014 0A50BD40 PPC 009D96E0 GetSubmenuParentChoosable+00178 0A50BCF0 PPC 009D9ED0 GetSubmenuParentChoosable+00968 0A50BC50 PPC 009D9B8C GetSubmenuParentChoosable+00624 0A50BBB0 PPC 009DA2B4 GetSubmenuParentChoosable+00D4C 0A50BB70 PPC 009DA7FC GetSubmenuParentChoosable+01294 0A50BB20 PPC 009D2DD8 CallMenuBar+00138 0A50BA1A 68K 01D4D5C8 0A50B9CB PPC FFCEC3FC EmToNatEndMoveParams+00014 0A50B980 PPC 01A7F088 'MBDF 003F 0002'+00148 0A50B940 PPC 009DEE00 StandardMBDF+00200 0A50B860 PPC 009E1AC0 StandardMBDF+02EC0 0A50B810 PPC FFD0B760 CalcMenuSize+00018 0A50B6F3 PPC FFCEC3FC EmToNatEndMoveParams+00014 0A50B680 PPC 0823900C nsDynamicMDEFMain+003EC 0A50B590 PPC 08239374 nsDynamicSizeTheMenu(MenuInfo**)+00014 0A50B550 PPC 082395C8 nsDoMagic(MenuInfo**)+00118 0A50B500 PPC 082399B4 nsBuildMenu(MenuInfo**, int)+00394 0A50B360 PPC 08239F3C nsPostBuild(nsIMenu*, MenuInfo**, int)+0006C 0A50B300 PPC 086AB71C nsDebug::Assertion(const char*, const char*, const char*, int)+0005C Randell, let me know if you need anything else. This assertion is getting rather annoying.
I'll try to solve this Monday
Status: REOPENED → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla0.9.8
Please review/test. I went over the file with a fine-tooth comb; I believe I caught all possible negative index references.
Attachment #62531 - Attachment is obsolete: true
Comment on attachment 63814 [details] [diff] [review] Patch to stop 3 negative array refs >- if(isChild || (gPreviousMenuHandleStack[gPreviousMenuHandleStack.Count() - 1] != theMenu)) >+ if(isChild || >+ (gPreviousMenuHandleStack.Count() > 0 && >+ gPreviousMenuHandleStack[gPreviousMenuHandleStack.Count() - 1] != theMenu)) This breaks hierarchical menus. I came up with this which seems to work: + PRInt32 count = gPreviousMenuHandleStack.Count(); + if(isChild || + ((count > 0 && + gPreviousMenuHandleStack[gPreviousMenuHandleStack.Count() - 1] != theMenu) || + (count <= 0 && theMenu))) Not really sure if this is the best way to do it, but you need to handle the case where theMenu is non-null and count <= 0. >- *aMenu = (MenuHandle) gPreviousMenuHandleStack[gPreviousMenuHandleStack.Count() - 1]; >- gPreviousMenuHandleStack.RemoveElementAt(gPreviousMenuHandleStack.Count() - 1); >+ if (gPreviousMenuHandleStack.Count() > 0) >+ { >+ *aMenu = (MenuHandle) gPreviousMenuHandleStack[gPreviousMenuHandleStack.Count() - 1]; >+ gPreviousMenuHandleStack.RemoveElementAt(gPreviousMenuHandleStack.Count() - 1); >+ } Not sure if we should set *aMenu to null here, when .Count() <= 0.
Sfraser checked in fixes for two of the three spots you found. http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/widget/src/mac&command=DIFF_FRAMESET&file=nsDynamicMDEF.cpp&rev1=1.21&rev2=1.22&root=/cvsroot Leaves the on in nsPopMenuHandle, not sure if we need to do anything there.
I'm pretty sure the nsPopMenuHandle fix is needed. Updating my tree and I'll post a new patch ASAP to get this in. (I've just finished getting my system back together after a disk drive started squeaking instead of reading data - lost my mozilla development tree and all patches I hadn't posted, along with lots of other things).
The nsPopMenuHandle fix is needed, but there are no uses of nsPopMenuHandle, so it's non-critical. (We nsPushMenuHandle and nsPushMenu, but we don't pop menus or menu handles ever.) Changing target. We should probably remove the dead code unless it's there for a reason - some future use? Adding previous modifiers of this code for comment.
Severity: major → normal
Target Milestone: mozilla0.9.8 → mozilla0.9.9
The code in question (nsPopMenuHandle fix) is dead code at this point; nothing calls it. We should either check in the fix for it, or nuke the function if it doesn't serve a purpose. Retargetting for 1.0 as a cleanup/footprint issue. Very minor, could be ignored though I dislike leaving known crasher code in even if it can't get called (now).
Target Milestone: mozilla0.9.9 → mozilla1.0
Severity: normal → trivial
Keywords: mozilla1.1
Target Milestone: mozilla1.0 → mozilla1.0.1
Hardware: PC → Macintosh
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and <http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss bugs are of critical or possibly higher severity. Only changing open bugs to minimize unnecessary spam. Keywords to trigger this would be crash, topcrash, topcrash+, zt4newcrash, dataloss.
Severity: trivial → critical
Attached patch last bitSplinter Review
i know we don't believe this code is alive, but i'd like to close this bug.
Attachment #63814 - Attachment is obsolete: true
Attachment #112055 - Flags: review?(mozeditor)
This bug is targeted at a Mac classic platform/OS, which is no longer supported by mozilla.org. Please re-target it to another platform/OS if this bug applies there as well or resolve this bug. I will resolve this bug as WONTFIX in four weeks if no action has been taken. To filter this and similar messages out, please filter for "mac_cla_reorg".
Comment on attachment 112055 [details] [diff] [review] last bit r=mozeditor
Attachment #112055 - Flags: review?(mozeditor) → review+
Attachment #112055 - Flags: superreview?(jst)
Comment on attachment 112055 [details] [diff] [review] last bit sr=jst
Attachment #112055 - Flags: superreview?(jst) → superreview+
last bit checked in
Status: ASSIGNED → RESOLVED
Closed: 24 years ago22 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: