Closed
Bug 424276
Opened 16 years ago
Closed 16 years ago
"ASSERTION: disconnected nodes" and "ASSERTION: invalid array index" with selection/range
Categories: Core :: DOM: Core & HTML, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla1.9.1b2
People: Reporter: jruderman, Assigned: MatsPalmgren_bugz
Details: 4 keywords, Whiteboard: [sg:critical?] post 1.8-branch
Attachments (4 files, 1 obsolete file):
254 bytes, text/html
16.75 KB, text/plain
1.16 KB, patch (bzbarsky: review+, bzbarsky: superreview+, dveditz: approval1.9.0.7+)
853 bytes, patch
Loading the testcase triggers:
###!!! ASSERTION: disconnected nodes: 'parents1.ElementAt(pos1) == parents2.ElementAt(pos2) || aDisconnected', file /Users/jruderman/trunk/mozilla/content/base/src/nsContentUtils.cpp, line 1570
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317
Filing as security-sensitive because the "invalid array index" assertion is happening in nsTArray::ElementAt, which is not bounds-checked at runtime.
Comment 1 (Reporter) • 16 years ago
Updated (Reporter) • 16 years ago
Whiteboard: [sg:low?]
Updated (Reporter) • 16 years ago
Flags: blocking1.9?
Comment 2 • 16 years ago
Given low severity, this can wait for a 1.9.0.x release.
Comment 3 • 16 years ago
Given comment 2 moving to wanted list.
Flags: tracking1.9+
Flags: blocking1.9?
Flags: blocking1.9-
Updated • 16 years ago
Flags: wanted1.9.0.x?
Updated • 16 years ago
Flags: tracking1.9+
Updated • 16 years ago
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Updated (Reporter) • 16 years ago
Flags: blocking1.9.1?
Updated • 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Target Milestone: --- → mozilla1.9.1
Comment 4 • 16 years ago
On second thought, not blocking on this. Wanted 1.9.1 though. And this sounds like it could be sg:critical, given the out of bounds array access.
Assignee: nobody → bent.mozilla
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Priority: P3 → P1
Whiteboard: [sg:low?] → [sg:critical?]
Comment 5 (Reporter) • 16 years ago
I had set this as sg:low because it looked like a read (rather than a write) out of bounds.
Comment 6 (Assignee) • 16 years ago
It's a SEGV crash with a Firefox debug build on Linux (64-bit).
Assignee: bent.mozilla → mats.palmgren
Severity: normal → critical
Keywords: crash
OS: Mac OS X → All
Hardware: PC → All
Comment 7 (Assignee) • 16 years ago
The latter part of nsContentUtils::ComparePoints() doesn't make sense for disconnected nodes, so return early. The change in nsSelection.cpp is to allow comparing boundary points for ranges that may be disconnected, which I think is allowed so it shouldn't assert (but please correct me if I'm wrong).
Attachment #344316 - Flags: superreview?(bzbarsky)
Attachment #344316 - Flags: review?(bzbarsky)
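As an added illustration of the early return described in comment 7 (not the Gecko patch or any code from this bug): a simplified C++ model of ordering two boundary points by their ancestor chains. `Node`, `append`, `ancestors`, `index_of` and `compare_points` are hypothetical names, and the value returned for disconnected nodes is an assumption.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical minimal node type for this example; not Gecko's nsINode.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
};

// Constructed-tree helper: make child the last child of parent.
void append(Node& parent, Node& child) {
    child.parent = &parent;
    parent.children.push_back(&child);
}

// Chain from the node itself (index 0) up to its root (last index).
std::vector<Node*> ancestors(Node* n) {
    std::vector<Node*> chain;
    for (; n; n = n->parent) chain.push_back(n);
    return chain;
}

int index_of(const Node* parent, const Node* child) {
    for (std::size_t i = 0; i < parent->children.size(); ++i)
        if (parent->children[i] == child) return static_cast<int>(i);
    return -1;
}

// Orders (n1, off1) against (n2, off2): -1 before, 0 equal, 1 after.
// n1 and n2 must be non-null. Sets *disconnected when they share no root.
int compare_points(Node* n1, int off1, Node* n2, int off2, bool* disconnected) {
    *disconnected = false;
    if (n1 == n2) return off1 < off2 ? -1 : (off1 > off2 ? 1 : 0);
    std::vector<Node*> p1 = ancestors(n1), p2 = ancestors(n2);
    std::size_t i1 = p1.size() - 1, i2 = p2.size() - 1;
    if (p1[i1] != p2[i2]) {
        // Different roots. Without this return, two parentless nodes would
        // reach p2[i2 - 1] below with i2 == 0, an out-of-bounds index.
        *disconnected = true;
        return 1;  // arbitrary fixed value; callers must check the flag
    }
    // Walk down from the shared root until the chains diverge.
    while (i1 > 0 && i2 > 0 && p1[i1 - 1] == p2[i2 - 1]) { --i1; --i2; }
    if (i1 > 0 && i2 > 0)  // siblings under the common ancestor p1[i1]
        return index_of(p1[i1], p1[i1 - 1]) < index_of(p1[i1], p2[i2 - 1]) ? -1 : 1;
    if (i1 == 0)           // n1 is an ancestor of n2
        return off1 <= index_of(n1, p2[i2 - 1]) ? -1 : 1;
    return index_of(n2, p1[i1 - 1]) < off2 ? -1 : 1;  // n2 is an ancestor of n1
}
```

The returned ordering carries no meaning when the flag is set, so a caller that ignores `*disconnected` is still acting on an arbitrary value.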
Comment 8 • 16 years ago
Er.... But shouldn't we do something sane in this case with the return value instead of just using it?
Comment 9 (Assignee) • 16 years ago
Yeah, we should propagate 'disconnected' to the callers of CompareDOMPoints and make them deal with it properly. I'd like to fix the crash here first though and do that in a followup bug. Should I leave nsSelection.cpp as is and just let it assert then?
Comment 10 • 16 years ago
Yeah, that sounds like a better idea than just hiding the problem.
Comment 11 (Assignee) • 16 years ago
Same patch without the nsSelection.cpp change.
Attachment #344316 - Attachment is obsolete: true
Attachment #344954 - Flags: superreview?(bzbarsky)
Attachment #344954 - Flags: review?(bzbarsky)
Attachment #344316 - Flags: superreview?(bzbarsky)
Attachment #344316 - Flags: review?(bzbarsky)
Comment 12 • 16 years ago
Comment on attachment 344954 (Patch rev. 2)
Please add a test.
Attachment #344954 - Flags: superreview?(bzbarsky)
Attachment #344954 - Flags: superreview+
Attachment #344954 - Flags: review?(bzbarsky)
Attachment #344954 - Flags: review+
Comment 13 (Assignee) • 16 years ago
Comment 14 (Assignee) • 16 years ago
http://hg.mozilla.org/mozilla-central/rev/6a229538f526
I'm holding the crashtest until 1.9.0.x is released with a fix.
-> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9.1 → mozilla1.9.1b2
Comment 15 (Reporter) • 16 years ago
I filed bug 462897 on the remaining assertion.
Updated • 16 years ago
Flags: blocking1.9.0.6?
Comment 16 • 16 years ago
Mats: Does this patch apply to 1.9.0? Can you please request approval if so?
Updated • 16 years ago
Flags: blocking1.9.0.6?
Updated • 16 years ago
Flags: blocking1.9.0.7?
Comment 17 (Assignee) • 16 years ago
Comment on attachment 344954 (Patch rev. 2)
Yes, it applies and fixes the crash. (sorry, I forgot)
Attachment #344954 - Flags: approval1.9.0.7?
Updated • 16 years ago
Flags: blocking1.9.0.7? → blocking1.9.0.7+
Comment 18 • 16 years ago
Comment on attachment 344954 (Patch rev. 2)
Approved for 1.9.0.7, a=dveditz for release-drivers.
Attachment #344954 - Flags: approval1.9.0.7? → approval1.9.0.7+
Comment 19 (Assignee) • 15 years ago
Landed on CVS trunk for 1.9.0.7: mozilla/content/base/src/nsContentUtils.cpp 1.311
Keywords: fixed1.9.0.7
Comment 20 • 15 years ago
The testcase does not crash 1.8 nor does the patched code seem to exist (unconnected ranges don't seem to exist until bug 409380)
Flags: wanted1.8.1.x-
Updated • 15 years ago
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Comment 21 • 15 years ago
The testcase doesn't crash 1.9.0.6 (non-debug). Tomcat, can you run the testcase with a debug 1.9.0.7 nightly? (If you have a debug 1.9.0.6 final, that would be good as well).
Comment 22 • 15 years ago
Verified 1.9.0.7 using the testcase and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021407 Firefox/3.0.7pre
I don't see the crash on this debug build, but
###!!! ASSERTION: unexpected disconnected nodes: 'aDisconnected', file /work/mozilla/builds/1.9.0/mozilla/content/base/src/nsContentUtils.cpp, line 1573
Keywords: fixed1.9.0.7 → verified1.9.0.7
Updated • 15 years ago
Group: core-security
Comment 23 • 15 years ago
crash test added http://hg.mozilla.org/mozilla-central/rev/1824b971b236
Flags: in-testsuite? → in-testsuite+
Updated • 11 years ago
Component: DOM: Traversal-Range → DOM: Core & HTML