Closed Bug 217907 Opened 22 years ago Closed 21 years ago

nsRange::IsIncreasing caused nsVoidArray::ElementAt(index past end array)

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 2000
defect
Not set
minor

Tracking

()

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

Details

(Keywords: assertion)

Attachments

(1 file)

viewer, debug build from last week, editing the default page, deleting stuff. not the first assert i've seen from dom range. but i know people like nsVoidArray assertions so :)

###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug 96108: 'aIndex < Count()', file i:/build/mozilla/xpcom/build/../ds\nsVoidArray.h, line 72

nsDebug::Assertion(const char * 0x00329b24 `string', const char * 0x00329b74 `string', const char * 0x00329be0 `string', int 72) line 109
mImpl->mCount 2
nsVoidArray::ElementAt(int 2) line 72 + 35 bytes
nsRange::IsIncreasing(nsIDOMNode * 0x0819cb0c, int 0, nsIDOMNode * 0x0819dccc, int 5) line 823 + 16 bytes
nsRange::SetEnd(nsRange * const 0x08195730, nsIDOMNode * 0x0819dccc, int 5) line 1104 + 52 bytes
nsRangeStore::GetRange(nsCOMPtr<nsIDOMRange> * 0x0012e864 {0x08195730}) line 710 + 42 bytes
nsSelectionState::IsCollapsed() line 140
PlaceholderTxn::Merge(PlaceholderTxn * const 0x0818aa80, nsITransaction * 0x08195830, int * 0x0012e91c) line 204 + 11 bytes
nsTransactionManager::EndTransaction() line 1186 + 20 bytes
nsTransactionManager::DoTransaction(nsTransactionManager * const 0x0815fc10, nsITransaction * 0x08195830) line 141 + 14 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction * 0x08195830) line 531 + 30 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction * 0x08190b50) line 477
nsEditor::DeleteNode(nsEditor * const 0x080e04b0, nsIDOMNode * 0x0819da2c) line 1346 + 16 bytes
nsHTMLEditor::DeleteNode(nsHTMLEditor * const 0x080e04b0, nsIDOMNode * 0x0819da2c) line 4025 + 13 bytes
nsHTMLEditRules::DeleteNonTableElements(nsIDOMNode * 0x0819da2c) line 2792 + 25 bytes
nsHTMLEditRules::WillDeleteSelection(nsISelection * 0x08168630, short 2, int * 0x0012ef28, int * 0x0012ef64) line 2361 + 18 bytes
nsHTMLEditRules::WillDoAction(nsHTMLEditRules * const 0x081709f4, nsISelection * 0x08168630, nsRulesInfo * 0x0012ef2c, int * 0x0012ef28, int * 0x0012ef64) line 591 + 31 bytes
nsPlaintextEditor::DeleteSelection(nsPlaintextEditor * const 0x080e04b0, short 2) line 863 + 59 bytes
nsTextEditorKeyListener::KeyPress(nsTextEditorKeyListener * const 0x0815d3b0, nsIDOMEvent * 0x05eb4d14) line 203
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x08168ea0, nsIPresContext * 0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680, nsIDOMEventTarget * 0x08141dd4, unsigned int 514, nsEventStatus * 0x0012f818) line 1634 + 41 bytes
nsDocument::HandleDOMEvent(nsDocument * const 0x08141da0, nsIPresContext * 0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680, unsigned int 514, nsEventStatus * 0x0012f818) line 3806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x08143aa0, nsIPresContext * 0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680, unsigned int 519, nsEventStatus * 0x0012f818) line 2035 + 47 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f9ec, nsIView * 0x0810e100, unsigned int 1, nsEventStatus * 0x0012f818) line 6236 + 45 bytes
PresShell::HandleEvent(PresShell * const 0x08162858, nsIView * 0x0810e100, nsGUIEvent * 0x0012f9ec, nsEventStatus * 0x0012f818, int 1, int & 1) line 6106 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x0810e100, nsGUIEvent * 0x0012f9ec, int 0) line 2255
nsView::HandleEvent(nsViewManager * 0x08117ab0, nsGUIEvent * 0x0012f9ec, int 0) line 305
nsViewManager::DispatchEvent(nsViewManager * const 0x08117ab0, nsGUIEvent * 0x0012f9ec, nsEventStatus * 0x0012f95c) line 2038 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f9ec) line 79
nsWindow::DispatchEvent(nsWindow * const 0x08143054, nsGUIEvent * 0x0012f9ec, nsEventStatus & nsEventStatus_eIgnore) line 1049 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f9ec) line 1070
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 8, long 0) line 2911 + 15 bytes
nsWindow::OnChar(unsigned int 8, unsigned int 8, unsigned char 0) line 3098
nsWindow::ProcessMessage(unsigned int 258, unsigned int 8, long 917505, long * 0x0012fe58) line 3806 + 41 bytes
nsWindow::WindowProc(HWND__ * 0x000308e4, unsigned int 258, unsigned int 8, long 917505) line 1332 + 27 bytes
USER32! SetTimer + 1077 bytes
USER32! DispatchMessageW + 278 bytes
USER32! DispatchMessageA + 11 bytes
main(int 1, char * * 0x00a141f0) line 158 + 11 bytes

I get at least two asserts near here i think. then i get:

    if (startIdx == endIdx) {
      // whoa nelly. this shouldn't happen.
      NS_NOTREACHED("nsRange::IsIncreasing");
    }

nsDebug::Assertion(const char * 0x05df7604, const char * 0x05df75f8, const char * 0x05df75c8, int 840) line 109
nsRange::IsIncreasing(nsIDOMNode * 0x0819cb0c, int 0, nsIDOMNode * 0x0819dccc, int 5) line 840 + 26 bytes
nsRange::SetEnd(nsRange * const 0x08195730, nsIDOMNode * 0x0819dccc, int 5) line 1104 + 52 bytes
nsRangeStore::GetRange(nsCOMPtr<nsIDOMRange> * 0x0012e864 {0x08195730}) line 710 + 42 bytes
nsSelectionState::IsCollapsed() line 140
PlaceholderTxn::Merge(PlaceholderTxn * const 0x0818aa80, nsITransaction * 0x08195830, int * 0x0012e91c) line 204 + 11 bytes
nsTransactionManager::EndTransaction() line 1186 + 20 bytes
nsTransactionManager::DoTransaction(nsTransactionManager * const 0x0815fc10, nsITransaction * 0x08195830) line 141 + 14 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction * 0x08195830) line 531 + 30 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction * 0x08190b50) line 477
nsEditor::DeleteNode(nsEditor * const 0x080e04b0, nsIDOMNode * 0x0819da2c) line 1346 + 16 bytes

Just ran into this. The assertion is at
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsRange.cpp&rev=&cvsroot=/cvsroot#822

The problem seems to be that the while-loop on line 809 aborts the first time, which then causes |startIdx| and |endIdx| to never get decreased. A couple of lines later the indexes are increased and then the out-of-bounds access occurs.

Caillon, your code here. This will become a crash soon when we remove the bounds-checks in nsVoidArray, which i want to do as soon as 1.7 opens
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: anthonyd → caillon
Blocks: 160540
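
Added example (not part of the bug thread, and not the nsRange.cpp source or the attached patch): a constructed C++ model of the failure described in the comment above, where the comparison loop exits before its first iteration and the later increments leave both indexes one past the end, as in ElementAt(2) on an array with mCount 2. The Node, Chain and function names are hypothetical, and treating the two arrays as ancestor chains compared from the root end is an assumption.

```cpp
// Added illustration; constructed types, not Mozilla's nsRange/nsVoidArray code.
#include <cstdio>
#include <vector>

struct Node { const Node* parent; };     // hypothetical stand-in for a DOM node
typedef std::vector<const Node*> Chain;  // ancestor chain: leaf first, root last
struct Idx { int startIdx; int endIdx; };

static Chain Ancestors(const Node* n) {
  Chain chain;
  for (; n; n = n->parent) chain.push_back(n);
  return chain;
}

// Unguarded shape: walk down from the root end while entries match, then step
// back up by one. Returns the indexes that would then be used for element access.
static Idx UnguardedIndexes(const Chain& start, const Chain& end) {
  int startIdx = (int)start.size() - 1;
  int endIdx = (int)end.size() - 1;
  while (startIdx >= 0 && endIdx >= 0 && start[startIdx] == end[endIdx]) {
    --startIdx;
    --endIdx;
  }
  ++startIdx;  // if the loop body never ran, this is now start.size()
  ++endIdx;    // ... and this is end.size(): one past the last element
  return Idx{startIdx, endIdx};
}

// Guarded shape: produce indexes only when the loop is certain to run at
// least once, i.e. both chains are non-empty and share a root.
static bool CommonAncestorIndexes(const Chain& start, const Chain& end, Idx* out) {
  if (start.empty() || end.empty() || start.back() != end.back())
    return false;  // nodes are in different trees; the caller must handle this
  *out = UnguardedIndexes(start, end);
  return true;
}

int main() {
  Node root = {nullptr}, body = {&root}, p = {&body};  // attached tree
  Node orphan = {nullptr}, text = {&orphan};           // detached subtree
  Chain a = Ancestors(&text), b = Ancestors(&p);
  Idx u = UnguardedIndexes(a, b);
  std::printf("unguarded: startIdx=%d of %zu, endIdx=%d of %zu\n",
              u.startIdx, a.size(), u.endIdx, b.size());
  Idx g;
  std::printf("guarded: %s\n",
              CommonAncestorIndexes(a, b, &g) ? "ok" : "no common root");
  return 0;
}
```
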
i'm running with this in my debug build, and i haven't hit anything yet. although I have hit way too many other fun asserts...
Assignee: caillon → timeless
Status: NEW → ASSIGNED
Attachment #142852 - Flags: superreview?(jst)
Attachment #142852 - Flags: review?(caillon)
Comment on attachment 142852
ala sicking's suggestion

sr=jst
Attachment #142852 - Flags: superreview?(jst) → superreview+
Attachment #142852 - Flags: review?(caillon) → review+
mozilla/content/base/src/nsRange.cpp 1.180
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
No longer blocks: 160540
Component: DOM: Traversal-Range → DOM: Core & HTML