Closed Bug 135630 Opened 22 years ago Closed 22 years ago

nsTreeContentView::AttributeChanged nsVoidArray::ElementAt(negative index) - note on bug 96108

Categories

(Core :: XUL, defect)

x86
Windows 2000
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: timeless, Assigned: hewitt)

Details

(Keywords: crash)

else if (tag == nsXULAtoms::treeitem) {
    PRInt32 index = FindContent(aContent);
    Row* row = (Row*)mRows[index];

index == -1


nsTreeContentView::AttributeChanged(nsTreeContentView * const 0x05164ae8, 
nsIDocument * 0x03cc8bd0, nsIContent * 0x051681b8, int 0, nsIAtom * 0x011c88c0, 
int 3, int -1) line 777 + 19 bytes
nsXULDocument::AttributeChanged(nsXULDocument * const 0x03cc8bd0, nsIContent * 
0x051681b8, int 0, nsIAtom * 0x011c88c0, int 3, int -1) line 2199
nsXULElement::UnsetAttr(nsXULElement * const 0x051681b8, int 0, nsIAtom * 
0x011c88c0, int 1) line 3013
nsTreeContentView::ToggleOpenState(nsTreeContentView * const 0x05185548, int 0) 
line 595
XPTC_InvokeByIndex(nsISupports * 0x05185548, unsigned int 25, unsigned int 1, 
nsXPTCVariant * 0x0012af50) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 2025 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03ce7ba0, JSObject * 0x036a96e8, unsigned int 
1, long * 0x03c75064, long * 0x0012b1f4) line 1266 + 14 bytes
js_Invoke(JSContext * 0x03ce7ba0, unsigned int 1, unsigned int 0) line 788 + 23 
bytes
js_Interpret(JSContext * 0x03ce7ba0, long * 0x0012bb0c) line 2745 + 15 bytes
js_Invoke(JSContext * 0x03ce7ba0, unsigned int 1, unsigned int 2) line 805 + 13 
bytes
js_InternalInvoke(JSContext * 0x03ce7ba0, JSObject * 0x03d6dcb0, long 59504456, 
unsigned int 0, unsigned int 1, long * 0x0012bd64, long * 0x0012bc34) line 880 
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x03ce7ba0, JSObject * 0x03d6dcb0, long 
59504456, unsigned int 1, long * 0x0012bd64, long * 0x0012bc34) line 3412 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03ce7a08, void * 
0x03d6dcb0, void * 0x038bf748, unsigned int 1, void * 0x0012bd64, int * 
0x0012bd68, int 0) line 1016 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0501dd78, 
nsIDOMEvent * 0x03b62e90) line 182 + 77 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x05103140, 
nsIDOMEventReceiver * 0x03cfb3f8, nsIDOMEvent * 0x03b62e90) line 447
DoKey(nsIAtom * 0x01303490, nsIXBLPrototypeHandler * 0x05103140, nsIDOMEvent * 
0x03b62e90, nsIDOMEventReceiver * 0x03cfb3f8) line 108
nsXBLKeyHandler::KeyPress(nsXBLKeyHandler * const 0x0514ea10, nsIDOMEvent * 
0x03b62e90) line 123 + 40 bytes


my guess is that FindContent returned a failure code and someone wasn't checking 
for it.

the jstack dump isn't useful:
0 [native frame]
1 onxblkeypress(event = [object Event @ 0x501ddd0]) ["<unknown>":6]
    parentIndex = undefined
    this = [object XULElement @ 0x5092a80]
2 [native frame]
0 [native frame]
1 onxblkeypress(event = [object Event @ 0x501ddd0]) ["<unknown>":6]
    parentIndex = undefined
    this = [object XULElement @ 0x5092a80]
2 [native frame]


oh right, cvs build from before the fireworks tonight. loading verizon.com, 
selecting pay bill, i saw that the lock icon was glowing w/ a red slash 
through it (classic), i clicked the lock [nothing happened] i did view>page 
info, i selected security, i clicked some button, i got a very oversized (too 
tall) dialog, and i clicked around the top stuff.

I can't see what i'm typing right now in nc4 nor did most of the things in 
mozilla paint. which makes for lots of fun.

-1 indexes for array lookup == crash if you're not lucky.

Either we fix the JS code, or we armor the exposed interface against bad inputs.

=> Trees

Assignee: hyatt → hewitt
Severity: normal → critical
Component: XP Toolkit/Widgets: XUL → XP Toolkit/Widgets: Trees
Keywords: crash, mozilla1.0
Target Milestone: --- → mozilla1.0

clearing target.  If this needs to be fixed for MachV/1.0, please nominate and
document critical impact.

Target Milestone: mozilla1.0 → ---

I already fixed this some time ago.
duh, this is still marked as NEW
As I said I already fixed this.
So marking fixed.

Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: shrir → xptoolkit.widgets
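
Added example, not part of the original bug thread and not Mozilla source: a simplified model of the "armor the exposed interface" option discussed above, in which the -1 result of a failed lookup and a caller-supplied index both pass through one bounds check before the row array is touched. The method names FindContent, AttributeChanged and ToggleOpenState are borrowed from the stack trace; TreeViewModel, RowAt, kNotFound and the string-keyed rows are hypothetical stand-ins.

```cpp
// Added illustration: a simplified stand-in for the tree view, not Mozilla code.
#include <cstddef>
#include <string>
#include <vector>

struct Row { std::string content; bool open; };

class TreeViewModel {  // hypothetical model of the view's row list
public:
    static constexpr int kNotFound = -1;  // sentinel, as FindContent reported in this bug

    void AddRow(const std::string& content) { mRows.push_back(Row{content, false}); }

    // Returns the row index for `content`, or kNotFound when no row matches.
    int FindContent(const std::string& content) const {
        for (std::size_t i = 0; i < mRows.size(); ++i)
            if (mRows[i].content == content) return static_cast<int>(i);
        return kNotFound;
    }

    // Bounds-checked accessor: yields nullptr instead of reading outside the array.
    Row* RowAt(int index) {
        if (index < 0 || static_cast<std::size_t>(index) >= mRows.size()) return nullptr;
        return &mRows[static_cast<std::size_t>(index)];
    }

    // Notification handler: content that has no row is ignored, never dereferenced.
    bool AttributeChanged(const std::string& content, bool open) {
        Row* row = RowAt(FindContent(content));
        if (!row) return false;
        row->open = open;
        return true;
    }

    // Entry point reachable from script: the caller-supplied index is validated.
    bool ToggleOpenState(int index) {
        Row* row = RowAt(index);
        if (!row) return false;
        row->open = !row->open;
        return true;
    }

private:
    std::vector<Row> mRows;
};
```
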