Bug 1525631 introduces a potential infinite loop
Categories
(Core :: Disability Access APIs, defect, P1)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox82 | --- | unaffected |
firefox83 | --- | unaffected |
firefox84 | --- | fixed |
People
(Reporter: Jamie, Assigned: MarcoZ)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
The stack dump for the hang in bug 1668695 comment 5 showed that FindLineBoundary (aOffset = 0) was calling IsLineEndCharAt with a negative number (-1267966343). This call came from this code:

```cpp
while (nextLineBeginOffset >= aOffset &&
       !IsLineEndCharAt(nextLineBeginOffset - 1)) {
  nextLineBeginOffset--;
}
```

Because aOffset is 0, nextLineBeginOffset will be >= aOffset even when it's 0. Then, we decrement nextLineBeginOffset. Since nextLineBeginOffset is unsigned, it will wrap around to 4294967295, which is of course >= aOffset. If there is no line end character anywhere, we get into an infinite loop.
This was triggered by Windows 10 text cursor indicator when typing rapidly into the address bar, though I still can't figure out how to trigger the condition in isolation and thus how we got to that code path in the first place.
Assignee
Comment 1•3 years ago
Use a safer looping method, walking forward from aOffset to tmpOffset to prevent wrapping around at 0.
Pushed by mzehe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3aa2ad16823
Prevent an infinite loop when finding the line end boundary for an offset of 0, r=Jamie
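
The wraparound described in the report and the forward-walking alternative from comment 1, as an added example that is not the code from the Firefox patch. `IsLineEndCharAt` here is a hypothetical stand-in over a `std::string`, and the `Walk` struct, the step budget and `ForwardWalk` are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical stand-in for the IsLineEndCharAt call quoted in the report.
// Assumption: out-of-range offsets (wrapped ones included) are not line ends.
static bool IsLineEndCharAt(const std::string& text, uint32_t offset) {
  return offset < text.size() && text[offset] == '\n';
}

struct Walk {
  uint32_t offset;  // where the walk stopped
  bool finished;    // false: step budget exhausted, the real loop would hang
};

// Loop shape from the report, plus a step budget so this demo terminates.
Walk BackwardWalk(const std::string& text, uint32_t aOffset,
                  uint32_t tmpOffset, uint32_t budget) {
  uint32_t nextLineBeginOffset = tmpOffset;
  while (nextLineBeginOffset >= aOffset &&
         !IsLineEndCharAt(text, nextLineBeginOffset - 1)) {
    if (budget-- == 0) return {nextLineBeginOffset, false};
    nextLineBeginOffset--;  // at 0 this wraps to 4294967295
  }
  return {nextLineBeginOffset, true};
}

// Forward walk from aOffset to tmpOffset: the index only grows and is
// bounded above, so an aOffset of 0 cannot cause an underflow.
// Returns the start of the last line beginning in (aOffset, tmpOffset],
// or aOffset when no line end character is found.
uint32_t ForwardWalk(const std::string& text, uint32_t aOffset,
                     uint32_t tmpOffset) {
  uint32_t lineBegin = aOffset;
  for (uint32_t i = aOffset; i < tmpOffset; ++i) {
    if (IsLineEndCharAt(text, i)) lineBegin = i + 1;
  }
  return lineBegin;
}

int main() {
  const std::string oneLine = "abcd";  // constructed input: no line end
  Walk w = BackwardWalk(oneLine, 0, 4, 1000);
  std::printf("backward: finished=%d offset=%u\n", w.finished, w.offset);
  std::printf("forward:  offset=%u\n", ForwardWalk(oneLine, 0, 4));
  return 0;
}
```
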
Comment 3•3 years ago
Set release status flags based on info from the regressing bug 1525631
Comment 5•3 years ago
bugherder