Closed Bug 102809 Opened 23 years ago Closed 23 years ago

ABR in nsPlainTextSerializer::AppendText; indexing -1 on array

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jrgmorrison, Assigned: peterv)

References

(
URL
)

Details

Attachments

(2 files)

purify output (more readable form).
2.48 KB, text/plain
Details
Fix
1.72 KB, patch
sicking
: review+
waterson
: superreview+
Details | Diff | Splinter Review
I was looking for something else, but happened to come up with this instead. This is part of the checkin for bug 97687. I'm getting an Array Bounds Read from Purify when running Mozilla. Specifically, I can trigger it by making a selection of part of the text in the URLbar and cutting the selection to the clipboard. Purify info is below. When I break in the debugger, |mTagStackIndex| is '0x00000000', so |mTagStack[mTagStackIndex-1]| is Ooops! (Not sure why it isn't flagging it as an ABW, since it is storing to that address, but...) [E] ABR: Array bounds read in nsPlainTextSerializer::AppendText(nsIDOMText *,int,int,nsAString&) {3 occurrences} Reading 4 bytes from 0x09be7144 (4 bytes at 0x09be7144 illegal) Address 0x09be7144 is 4 bytes before the beginning of a 2000 byte block at 0x09be7148 Address 0x09be7144 points to a C++ new block in heap 0x02c70000 Thread ID: 0x474 Error location nsPlainTextSerializer::AppendText(nsIDOMText *,int,int,nsAString&) [nsPlainTextSerializer.cpp:230] nsAWritableString& aStr) { if ((mTagStack[mTagStackIndex-1] == eHTMLTag_noscript) && => !(mFlags & nsIDocumentEncoder::OutputNoScriptContent)) { return NS_OK; } nsDocumentEncoder::SerializeNodeStart(nsIDOMNode *,int,int,nsAString&) [nsDocumentEncoder.cpp:315] nsDocumentEncoder::SerializeRangeToString(nsIDOMRange *,nsAString&) [nsDocumentEncoder.cpp:861] nsDocumentEncoder::EncodeToString(nsAString&) [nsDocumentEncoder.cpp:914] nsCopySupport::HTMLCopy(nsISelection *,nsIDocument *,short) [nsCopySupport.cpp:119] PresShell::DoCopy(void) [nsPresShell.cpp:4324] nsPlaintextEditor::Copy(void) [nsPlaintextEditor.cpp:1419] nsPlaintextEditor::Cut(void) [nsPlaintextEditor.cpp:1390] nsCutCommand::DoCommand(nsAString const&,nsISupports *) [nsEditorCommands.cpp:131] nsControllerCommandManager::DoCommand(nsAString const&,nsISupports *) [nsControllerCommandManager.cpp:199] Allocation location new(UINT) [msvcrt.DLL] nsPlainTextSerializer::nsPlainTextSerializer(void) [nsPlainTextSerializer.cpp:126] mStartedOutput = PR_FALSE; // initialize the tag stack to zero: => mTagStack = new nsHTMLTag[TagStackSize]; mTagStackIndex = 0; // initialize the OL stack, where numbers for ordered lists are kept: NS_NewPlainTextSerializer(nsIContentSerializer * *) [nsPlainTextSerializer.cpp:87] CreatePlainTextSerializer [nsContentModule.cpp:308] nsComponentManager::CreateInstance(char const*,nsISupports *,nsID const&,void * *) [nsComponentManager.cpp:3146] nsCreateInstanceByContractID::()(nsID const&,void * *)const [nsComponentManager.cpp:164] nsDocumentEncoder::EncodeToString(nsAString&) [nsDocumentEncoder.cpp:888] nsCopySupport::HTMLCopy(nsISelection *,nsIDocument *,short) [nsCopySupport.cpp:119] PresShell::DoCopy(void) [nsPresShell.cpp:4324] nsPlaintextEditor::Copy(void) [nsPlaintextEditor.cpp:1419]
need to resolve this before bug 97687 can (safely) go on the branch. (Maybe this is bogus, but I don't think so, since I can see the bad indexing in the debugger without purify).
Blocks: 97687
Severity: normal → critical
Keywords: nsbranch
(Um, duh. '==' is not '=', so ABR it is. Pretty unlikely that this would give a false positive match to the enum, so most harmless, I suppose).
Attached patch FixSplinter Review
(Man, I meant to assign this peterv ... thanks for the fix.)
Assignee: attinasi → peterv
Comment on attachment 51811 [details] [diff] [review] Fix sr=waterson
Attachment #51811 - Flags: superreview+
Checked in. Thanks to all involved.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Let's get this on the branch.
Keywords: nsbranchnsbranch+
Um, reopening to make this onto PDT radar.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Argh, I should read my bugmail first. This went in on the branch with bug 97687, closing again. Sorry for the noise...
Bugzilla needs natural language parser to act on my comments, darnit!
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
verified no more ABR in purify.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: