Closed
Bug 224643
Opened 21 years ago
Closed 20 years ago
[FIX]nsContentIterator::PositionAt triggered ASSERTION: RemoveElementsAt(negative index): 'aIndex >= 0'
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.8beta1
People
(Reporter: timeless, Assigned: bzbarsky)
Details
(Keywords: assertion)
Attachments
(1 file, 2 obsolete files)
2.78 KB, patch | jst: review+ | jst: superreview+
The only mention of this assert is bug 183987, but there's no stack, so I have no idea whether it's related. I'm not 100% certain about this, but I think I loaded http://webtools.mozilla.org/registry/file.cgi?cvsroot=/cvsroot&file=Bugzilla-Guide.pdf&dir=mozilla/webtools/bugzilla/docs/pdf or something like it, and then clicked "View Diff's". Note that this assert happened hours ago, I'm only now getting around to filing. The stack is still in msdev if someone wants something from it today.
- this 0x046c5ab0
\- mIndexes {...}
\- nsVoidArray {...}
\- mImpl 0x046c5ad4
| mBits 8
\ mCount 1
+ lastNode {0x04a7c8c0}
+ newCurNode {0x04a7c988}
+ firstNode {0x04a7c9ac}
firstOffset 0
i 2
+ parent {0x04a7c988}
- oldParentStack {...}
\- nsVoidArray {...}
\- mImpl 0x046c5d88
| mBits 2147483650
\ mCount 1
lastOffset 1
+ tempNode {0x04a7cf18}
###!!! ASSERTION: RemoveElementsAt(negative index): 'aIndex >= 0', file i:/build/mozilla/xpcom/ds/nsVoidArray.cpp, line 561
Break: at file i:/build/mozilla/xpcom/ds/nsVoidArray.cpp, line 561
nsDebug::Assertion(const char * 0x002d65a0, const char * 0x002d6594, const char * 0x002d6568, int 561) line 109
nsVoidArray::RemoveElementsAt(int -1, int 1) line 561 + 31 bytes
nsContentIterator::PositionAt(nsContentIterator * const 0x046c5ab0, nsIContent * 0x04a7c988) line 1165 + 6 bytes
nsContentIterator::Next(nsContentIterator * const 0x046c5ab0) line 1026 + 1 byte
nsHTMLAnchorElement::GetText(nsHTMLAnchorElement * const 0x04a7c9b0, nsAString & {...}) line 596 + 13 bytes
XPTC_InvokeByIndex(nsISupports * 0x04a7c9b0, unsigned int 17, unsigned int 1, nsXPTCVariant * 0x0012db58) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_GETTER) line 2023 + 42 bytes
0 [native frame]
1 js_file_menu( repos = "/cvsroot", dir = "mozilla/webtools/bugzilla/docs/pdf", file = "Bugzilla-Guide.pdf", rev = "1.5", branch = "HEAD", d = [object Event @ 0x4ae0b98]) ["http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=mozilla2.617490e-308btoolsbugzilla&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=week&mindate=&maxdate=&cvsroot= evsroot":30]
fileName = ""
i = 0
this = [object Window @ 0x3432c10]
2 onclick(event = [object Event @ 0x4ae0b98]) ["<unknown>":0]
this = http://bonsai.mozilla.org/cvsview2.cgi?subdir=mozilla/webtools/bugzilla/docs/pdf&files=Bugzilla-Guide.pdf&command=DIRECTORY&branch=HEAD&root=/cvsroot
3 [native frame]
XPCWrappedNative::GetAttribute(XPCCallContext & {...}) line 1886 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x0421e950, JSObject * 0x04059e70, unsigned int 0, long * 0x048c5110, long * 0x0012de24) line 1301 + 12 bytes
js_Invoke(JSContext * 0x0421e950, unsigned int 0, unsigned int 2) line 912 + 23 bytes
js_InternalInvoke(JSContext * 0x0421e950, JSObject * 0x04059e70, long 68617688, unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012e724) line 1006 + 20 bytes
js_InternalGetOrSet(JSContext * 0x0421e950, JSObject * 0x04059e70, long 44337872, long 68617688, int 4, unsigned int 0, long * 0x00000000, long * 0x0012e724) line 1049 + 31 bytes
js_GetProperty(JSContext * 0x0421e950, JSObject * 0x04059e70, long 44337872, long * 0x0012e724) line 2665 + 51 bytes
js_Interpret(JSContext * 0x0421e950, long * 0x0012e8c4) line 2763 + 1795 bytes
js_Invoke(JSContext * 0x0421e950, unsigned int 1, unsigned int 2) line 929 + 13 bytes
js_InternalInvoke(JSContext * 0x0421e950, JSObject * 0x04059e70, long 68617144, unsigned int 0, unsigned int 1, long * 0x0012eb1c, long * 0x0012e9ec) line 1006 + 20 bytes
JS_CallFunctionValue(JSContext * 0x0421e950, JSObject * 0x04059e70, long 68617144, unsigned int 1, long * 0x0012eb1c, long * 0x0012e9ec) line 3572 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0421e8d8, void * 0x04059e70, void * 0x041703b8, unsigned int 1, void * 0x0012eb1c, int * 0x0012eb20, int 0) line 1297 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04a7ca68, nsIDOMEvent * 0x04673168) line 180 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04a7cb48, nsIDOMEvent * 0x04673168, nsIDOMEventTarget * 0x04547a08, unsigned int 4, unsigned int 7) line 1423 + 13 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04a7ca00, nsIPresContext * 0x03f83ad8, nsEvent * 0x0012f280, nsIDOMEvent * * 0x0012eef0, nsIDOMEventTarget * 0x04547a08, unsigned int 7, nsEventStatus * 0x0012f5bc) line 1524 + 8 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04a7c988, nsIPresContext * 0x03f83ad8, nsEvent * 0x0012f280, nsIDOMEvent * * 0x0012eef0, unsigned int 7, nsEventStatus * 0x0012f5bc) line 2001 + 16 bytes
nsGenericHTMLElement::HandleDOMEventForAnchors(nsIPresContext * 0x03f83ad8, nsEvent * 0x0012f280, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f5bc) line 1416
GKLAYOUT! 0134a7af()
PresShell::HandleEventInternal(nsEvent * 0x0012f280, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f5bc) line 6184 + 42 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x04527aa8, nsEvent * 0x0012f280, nsIFrame * 0x04b32e94, nsIContent * 0x04a7c988, unsigned int 1, nsEventStatus * 0x0012f5bc) line 6141 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x03f83ad8, nsMouseEvent * 0x0012f7d4, nsEventStatus * 0x0012f5bc) line 2912 + 13 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x044156a8, nsIPresContext * 0x03f83ad8, nsEvent * 0x0012f7d4, nsIFrame * 0x04b32e94, nsEventStatus * 0x0012f5bc, nsIView * 0x04650ea0) line 1901 + 5 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f7d4, nsIView * 0x04650ea0, unsigned int 1, nsEventStatus * 0x0012f5bc) line 6236 + 49 bytes
PresShell::HandleEvent(PresShell * const 0x04527ac0, nsIView * 0x04650ea0, nsGUIEvent * 0x0012f7d4, nsEventStatus * 0x0012f5bc, int 0, int & 1) line 6079 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x045df570, nsGUIEvent * 0x0012f7d4, int 0) line 2303
GKLAYOUT! 01237e6b()
nsViewManager::DispatchEvent(nsViewManager * const 0x03f83d20, nsGUIEvent * 0x0012f7d4, nsEventStatus * 0x0012f6cc) line 2044 + 11 bytes
nsView::SetZIndex(int 1243092, int 2809328, int 0) line 690 + 4 bytes
nsWindow::DispatchEvent(nsWindow * const 0x045df63c, nsGUIEvent * 0x0012f7d4, nsEventStatus & nsEventStatus_eIgnore) line 1049 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7d4) line 1070
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5189 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5446
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 13369623, long * 0x0012fc34) line 3979 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x00130b2c, unsigned int 514, unsigned int 0, long 13369623) line 1332 + 27 bytes
USER32! SetTimer + 1077 bytes
USER32! DispatchMessageW + 278 bytes
USER32! DispatchMessageW + 11 bytes
nsAppShellService::Run(nsAppShellService * const 0x00c67968) line 476
main1(int 1, char * * 0x00444300, nsISupports * 0x00baaaa0) line 1292 + 32 bytes
main(int 1, char * * 0x00444300) line 1679 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! SetUnhandledExceptionFilter + 92 bytes
Comment 1•21 years ago
snarf.... This looks like a bug in the optimization stuff bz and I did for the iterator. I can't repro this but I may be able to deduce from the stack what the bug is.
Assignee: general → mozeditor
Comment 2•21 years ago
if we get into a state in PositionAt where we are trying to save time by piecing together how to change the array of cached indices, only do this if we have a set of cached indices! :-)
Updated•21 years ago
Attachment #134826 - Flags: superreview?(kinmoz)
Attachment #134826 - Flags: review?(caillon)
Comment 3•21 years ago
Comment on attachment 134826
patch to content/base/src/nsContentIterator.cpp
This won't actually fix this assertion though, since mIndexes.Count() == 1 at the time.
Updated•21 years ago
Attachment #134826 - Flags: superreview?(kinmoz)
Attachment #134826 - Flags: review?(caillon)
Updated•21 years ago
Attachment #134826 - Attachment is obsolete: true
Comment 4•21 years ago
I don't think the original logic of the problem line makes much sense. I changed it to simply use IndexOf on the void array to find the right point to prune from. Since these arrays are typically short, this should be fine.
Comment 5•21 years ago
Updated•21 years ago
Attachment #134828 - Flags: superreview?(kinmoz)
Attachment #134828 - Flags: review?(caillon)
Comment 6•21 years ago
Comment on attachment 134828
content/base/src/nsContentIterator.cpp patch
Ok, I thought about this and I think this is the right patch. If we get asserts after this still, then there really is something seriously screwed up somewhere.
Attachment #134828 - Flags: review?(caillon) → review+
Comment on attachment 134828
content/base/src/nsContentIterator.cpp patch
So I'm a bit curious, would the bug be fixed if we just removed the +1 being added here:
  // plus one for the node we're currently on.
  for (PRInt32 i = mIndexes.Count()+1; i > 0 && tempNode; i--)
and here?
  // All we need to do is drop some indexes. Shortcut here.
  mIndexes.RemoveElementsAt(mIndexes.Count() - (oldParentStack.Count()+1),
                            oldParentStack.Count());
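Added example, not part of the bug thread or of the patch that landed: the start-index arithmetic quoted in the comment above, evaluated with the counts from the reporter's debugger dump (mIndexes mCount 1, oldParentStack mCount 1), next to a range-checked removal. `PruneStart`, `RemoveElementsAtChecked` and `DropCachedIndexes` are hypothetical names, and `std::vector<int>` stands in for nsVoidArray.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Start index as computed by the line quoted in the thread:
//   mIndexes.Count() - (oldParentStack.Count()+1)
// Signed on purpose (PRInt32 in the original), so a negative result is visible.
int PruneStart(int indexesCount, int oldParentStackCount) {
    return indexesCount - (oldParentStackCount + 1);
}

// Hypothetical checked removal: rejects any range that is not fully inside
// the vector instead of passing it through to the container.
bool RemoveElementsAtChecked(std::vector<int>& v, int index, int count) {
    if (index < 0 || count < 0) return false;
    const std::size_t i = static_cast<std::size_t>(index);
    const std::size_t n = static_cast<std::size_t>(count);
    if (i > v.size() || n > v.size() - i) return false;
    v.erase(v.begin() + index, v.begin() + index + count);
    return true;
}

// Hypothetical guarded form of the "drop some indexes" shortcut.
// Returns false when the cached indexes cannot be pruned this way, which a
// caller would treat as "take the slow path" (an assumption of this example).
bool DropCachedIndexes(std::vector<int>& indexes, int oldParentStackCount) {
    const int start = PruneStart(static_cast<int>(indexes.size()),
                                 oldParentStackCount);
    return RemoveElementsAtChecked(indexes, start, oldParentStackCount);
}

int main() {
    // Constructed contents; only the counts (1 and 1) come from the dump.
    std::vector<int> cached = {0};
    std::printf("start=%d\n", PruneStart(1, 1));
    std::printf("pruned=%d size=%zu\n",
                DropCachedIndexes(cached, 1), cached.size());
    // Constructed deeper stack where the shortcut's range is valid.
    std::vector<int> deep = {3, 1, 4, 1};
    std::printf("pruned=%d size=%zu\n",
                DropCachedIndexes(deep, 2), deep.size());
    return 0;
}
```

With both counts at 1 the computed start is -1, the same first argument that appears in the `nsVoidArray::RemoveElementsAt(int -1, int 1)` frame of the reported stack.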
*** Bug 254329 has been marked as a duplicate of this bug. ***
Assignee
Comment 9•20 years ago
*** Bug 194151 has been marked as a duplicate of this bug. ***
Assignee
Comment 10•20 years ago
I also added some comments to make it clearer what's going on (in particular why one of the +1 things is actually needed)
Assignee: mozeditor → bzbarsky
Attachment #134828 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #171001 - Flags: superreview?(jst)
Attachment #171001 - Flags: review?(jst)
Assignee
Updated•20 years ago
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Summary: nsContentIterator::PositionAt triggered ASSERTION: RemoveElementsAt(negative index): 'aIndex >= 0' → [FIX]nsContentIterator::PositionAt triggered ASSERTION: RemoveElementsAt(negative index): 'aIndex >= 0'
Target Milestone: --- → mozilla1.8beta
Assignee
Updated•20 years ago
Attachment #134828 - Flags: superreview?(kinmoz)
Comment 11•20 years ago
Comment on attachment 171001
Equivalent but slightly faster patch
r+sr=jst
Attachment #171001 - Flags: superreview?(jst)
Attachment #171001 - Flags: superreview+
Attachment #171001 - Flags: review?(jst)
Attachment #171001 - Flags: review+
Assignee
Comment 12•20 years ago
Fixed on trunk for 1.8b
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general