Closed
Bug 1206105
Opened 9 years ago
Closed 9 years ago
nth-child integer overflow with crash in [@ nthChildGenericMatches ]
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People
(Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: dbaron)
References
()
Details
(Keywords: crash, reproducible, testcase)
Crash Data
Attachments
(2 files)
34 bytes,
text/html
|
Details | |
2.06 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Build ID: 20150826023504 Steps to reproduce: Load the following html in Firefox <style>*:nth-child(-n-2147483647){ Actual results: Integer overflow exception Expected results: Nothing.
CR: https://crash-stats.mozilla.com/report/index/a48e8639-f0d4-479e-b19a-c0f3f2150919
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ nthChildGenericMatches ]
Component: Untriaged → Layout
Ever confirmed: true
Product: Firefox → Core
Summary: nth-child integer overflow → nth-child integer overflow with crash in [@ nthChildGenericMatches ]
Assignee | ||
Comment 3•9 years ago
|
||
Is it new that this is a crash rather than regular old "undefined behavior".
Component: Layout → CSS Parsing and Computation
Version: 40 Branch → Trunk
Comment 5•9 years ago
|
||
Odd. I get a crash on Mac too: Program received signal EXC_ARITHMETIC, Arithmetic exception. The debugger claims we're on this line: const int32_t n = (index - b) / a; with index == 1, b == -2147483647 (so -INT32_MAX) and a == -1. All three variables are int32_t. The subtraction index - b is in fact undefined behavior here, since it's basically 1+INT32_MAX. But what compilers seem to do with it in practice is just let it overflow in the obvious way, so we get INT32_MIN. It's the division of INT32_MIN by -1 that raises EXC_ARITHMETIC. That's probably undefined behavior too, though I haven't checked....
Comment 6•9 years ago
|
||
Anyway, seems like we should just use a CheckedInt32 here, and "not match" if it overflows? And check index-b for being INT32_MIN before dividing by -1.
Flags: needinfo?(dbaron)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Assignee | ||
Comment 7•9 years ago
|
||
Attachment #8664087 -
Flags: review?(bzbarsky)
Comment 8•9 years ago
|
||
Comment on attachment 8664087 [details] [diff] [review] Use CheckedInt for an+b selector matching r=me
Attachment #8664087 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 9•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=9986f05fe61d
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(dbaron)
Comment 11•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/000fe1df3e59
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•