Closed Bug 1675172 Opened 3 years ago Closed 3 years ago

Bug 1525631 introduces a potential infinite loop

Categories

(Core :: Disability Access APIs, defect, P1)

Tracking

RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- unaffected
firefox84 --- fixed

People

(Reporter: Jamie, Assigned: MarcoZ)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

The stack dump for the hang in bug 1668695 comment 5 showed that FindLineBoundary (aOffset = 0) was calling IsLineEndCharAt with a negative number (-1267966343). This call came from this code:

        while (nextLineBeginOffset >= aOffset &&
               !IsLineEndCharAt(nextLineBeginOffset - 1)) {
          nextLineBeginOffset--;
        }

Because aOffset is 0, nextLineBeginOffset will be >= aOffset even when it's 0. Then, we decrement nextLineBeginOffset. Since nextLineBeginOffset is unsigned, it will wrap around to 4294967295, which is of course >= aOffset. If there is no line end character anywhere, we get into an infinite loop.

This was triggered by Windows 10 text cursor indicator when typing rapidly into the address bar, though I still can't figure out how to trigger the condition in isolation and thus how we got to that code path in the first place.

Use a safer looping method, walking forward from aOffset to tmpOffset to prevent wrapping around at 0.
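
The wraparound described above and a forward walk of the kind this fix describes, as an added example that is not the landed patch or Gecko code. The string-backed `IsLineEndCharAt`, the `Scan` struct, `BackwardScan`, `ForwardScan` and the `cap` guard are assumptions made for the demonstration; the input strings are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Constructed stand-in for the accessible's text lookup; not Gecko's code.
static bool IsLineEndCharAt(const std::string& text, int32_t offset) {
  return offset >= 0 && static_cast<size_t>(offset) < text.size() &&
         text[offset] == '\n';
}

struct Scan {
  bool found;       // a line start exists in [aOffset, tmpOffset]
  uint32_t offset;  // that line start; meaningful only when found
  bool hitCap;      // the guard fired: the real loop would still be spinning
};

// The loop from the report, plus a hypothetical step cap so the demo returns.
Scan BackwardScan(const std::string& text, uint32_t aOffset,
                  uint32_t tmpOffset, uint32_t cap) {
  uint32_t nextLineBeginOffset = tmpOffset;
  uint32_t steps = 0;
  while (nextLineBeginOffset >= aOffset &&
         !IsLineEndCharAt(text, static_cast<int32_t>(nextLineBeginOffset - 1))) {
    if (++steps > cap) return {false, nextLineBeginOffset, true};
    nextLineBeginOffset--;  // 0 - 1 wraps to 4294967295, still >= aOffset
  }
  return {nextLineBeginOffset >= aOffset, nextLineBeginOffset, false};
}

// Forward walk from aOffset to tmpOffset; the index never goes below aOffset.
Scan ForwardScan(const std::string& text, uint32_t aOffset,
                 uint32_t tmpOffset) {
  Scan result{false, 0, false};
  for (uint64_t n = aOffset; n <= tmpOffset; ++n) {  // 64-bit: cannot wrap
    if (n > 0 && IsLineEndCharAt(text, static_cast<int32_t>(n - 1))) {
      result.found = true;  // keep the last hit, matching the backward scan
      result.offset = static_cast<uint32_t>(n);
    }
  }
  return result;
}

int main() {
  Scan bad = BackwardScan("abc", 0, 3, 1000);  // constructed input, no '\n'
  Scan good = ForwardScan("abc", 0, 3);
  std::printf("backward hitCap=%d, forward found=%d\n", bad.hitCap, good.found);
  return 0;
}
```

With `aOffset` of 1 the backward loop terminates on the same input, which is why only the offset-0 case hangs.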

Pushed by mzehe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3aa2ad16823
Prevent an infinite loop when finding the line end boundary for an offset of 0, r=Jamie

Set release status flags based on info from the regressing bug 1525631

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Has Regression Range: --- → yes