Closed Bug 217907 Opened 21 years ago Closed 20 years ago

nsRange::IsIncreasing caused nsVoidArray::ElementAt(index past end array)

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 2000
defect
Not set
minor

Tracking

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

Details

(Keywords: assertion)

Attachments

(1 file)

viewer, debug build from last week, editing the default page, deleting stuff.
Not the first assert I've seen from DOM range, but I know people like
nsVoidArray assertions so :)

###!!! ASSERTION: nsVoidArray::ElementAt(index past end array) - note on bug
96108: 'aIndex < Count()', file
i:/build/mozilla/xpcom/build/../ds\nsVoidArray.h, line 72

nsDebug::Assertion(const char * 0x00329b24 `string', const char * 0x00329b74
`string', const char * 0x00329be0 `string', int 72) line 109

	mImpl->mCount	2
nsVoidArray::ElementAt(int 2) line 72 + 35 bytes
nsRange::IsIncreasing(nsIDOMNode * 0x0819cb0c, int 0, nsIDOMNode * 0x0819dccc,
int 5) line 823 + 16 bytes
nsRange::SetEnd(nsRange * const 0x08195730, nsIDOMNode * 0x0819dccc, int 5) line
1104 + 52 bytes
nsRangeStore::GetRange(nsCOMPtr<nsIDOMRange> * 0x0012e864 {0x08195730}) line 710
+ 42 bytes
nsSelectionState::IsCollapsed() line 140
PlaceholderTxn::Merge(PlaceholderTxn * const 0x0818aa80, nsITransaction *
0x08195830, int * 0x0012e91c) line 204 + 11 bytes
nsTransactionManager::EndTransaction() line 1186 + 20 bytes
nsTransactionManager::DoTransaction(nsTransactionManager * const 0x0815fc10,
nsITransaction * 0x08195830) line 141 + 14 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction *
0x08195830) line 531 + 30 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction *
0x08190b50) line 477
nsEditor::DeleteNode(nsEditor * const 0x080e04b0, nsIDOMNode * 0x0819da2c) line
1346 + 16 bytes
nsHTMLEditor::DeleteNode(nsHTMLEditor * const 0x080e04b0, nsIDOMNode *
0x0819da2c) line 4025 + 13 bytes
nsHTMLEditRules::DeleteNonTableElements(nsIDOMNode * 0x0819da2c) line 2792 + 25
bytes
nsHTMLEditRules::WillDeleteSelection(nsISelection * 0x08168630, short 2, int *
0x0012ef28, int * 0x0012ef64) line 2361 + 18 bytes
nsHTMLEditRules::WillDoAction(nsHTMLEditRules * const 0x081709f4, nsISelection *
0x08168630, nsRulesInfo * 0x0012ef2c, int * 0x0012ef28, int * 0x0012ef64) line
591 + 31 bytes
nsPlaintextEditor::DeleteSelection(nsPlaintextEditor * const 0x080e04b0, short
2) line 863 + 59 bytes
nsTextEditorKeyListener::KeyPress(nsTextEditorKeyListener * const 0x0815d3b0,
nsIDOMEvent * 0x05eb4d14) line 203
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x08168ea0,
nsIPresContext * 0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680,
nsIDOMEventTarget * 0x08141dd4, unsigned int 514, nsEventStatus * 0x0012f818)
line 1634 + 41 bytes
nsDocument::HandleDOMEvent(nsDocument * const 0x08141da0, nsIPresContext *
0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680, unsigned int 514,
nsEventStatus * 0x0012f818) line 3806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x08143aa0,
nsIPresContext * 0x081564d0, nsEvent * 0x0012f9ec, nsIDOMEvent * * 0x0012f680,
unsigned int 519, nsEventStatus * 0x0012f818) line 2035 + 47 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f9ec, nsIView * 0x0810e100,
unsigned int 1, nsEventStatus * 0x0012f818) line 6236 + 45 bytes
PresShell::HandleEvent(PresShell * const 0x08162858, nsIView * 0x0810e100,
nsGUIEvent * 0x0012f9ec, nsEventStatus * 0x0012f818, int 1, int & 1) line 6106 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x0810e100, nsGUIEvent * 0x0012f9ec, int 0)
line 2255
nsView::HandleEvent(nsViewManager * 0x08117ab0, nsGUIEvent * 0x0012f9ec, int 0)
line 305
nsViewManager::DispatchEvent(nsViewManager * const 0x08117ab0, nsGUIEvent *
0x0012f9ec, nsEventStatus * 0x0012f95c) line 2038 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f9ec) line 79
nsWindow::DispatchEvent(nsWindow * const 0x08143054, nsGUIEvent * 0x0012f9ec,
nsEventStatus & nsEventStatus_eIgnore) line 1049 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f9ec) line 1070
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 8,
long 0) line 2911 + 15 bytes
nsWindow::OnChar(unsigned int 8, unsigned int 8, unsigned char 0) line 3098
nsWindow::ProcessMessage(unsigned int 258, unsigned int 8, long 917505, long *
0x0012fe58) line 3806 + 41 bytes
nsWindow::WindowProc(HWND__ * 0x000308e4, unsigned int 258, unsigned int 8, long
917505) line 1332 + 27 bytes
USER32! SetTimer + 1077 bytes
USER32! DispatchMessageW + 278 bytes
USER32! DispatchMessageA + 11 bytes
main(int 1, char * * 0x00a141f0) line 158 + 11 bytes

I get at least two asserts near here, I think.
Then I get:
  if (startIdx == endIdx) {
    // whoa nelly. this shouldn't happen.
    NS_NOTREACHED("nsRange::IsIncreasing");
  }
nsDebug::Assertion(const char * 0x05df7604, const char * 0x05df75f8, const char
* 0x05df75c8, int 840) line 109
nsRange::IsIncreasing(nsIDOMNode * 0x0819cb0c, int 0, nsIDOMNode * 0x0819dccc,
int 5) line 840 + 26 bytes
nsRange::SetEnd(nsRange * const 0x08195730, nsIDOMNode * 0x0819dccc, int 5) line
1104 + 52 bytes
nsRangeStore::GetRange(nsCOMPtr<nsIDOMRange> * 0x0012e864 {0x08195730}) line 710
+ 42 bytes
nsSelectionState::IsCollapsed() line 140
PlaceholderTxn::Merge(PlaceholderTxn * const 0x0818aa80, nsITransaction *
0x08195830, int * 0x0012e91c) line 204 + 11 bytes
nsTransactionManager::EndTransaction() line 1186 + 20 bytes
nsTransactionManager::DoTransaction(nsTransactionManager * const 0x0815fc10,
nsITransaction * 0x08195830) line 141 + 14 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction *
0x08195830) line 531 + 30 bytes
nsEditor::DoTransaction(nsEditor * const 0x080e04b0, nsITransaction *
0x08190b50) line 477
nsEditor::DeleteNode(nsEditor * const 0x080e04b0, nsIDOMNode * 0x0819da2c) line
1346 + 16 bytes
Just ran into this. The assertion is at

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsRange.cpp&rev=&cvsroot=/cvsroot#822

The problem seems to be that the while-loop on line 809 aborts the first
time, which then causes |startIdx| and |endIdx| to never get decreased. A couple
of lines later the indexes are increased and then the out-of-bounds access occurs.

Caillon, your code here. This will become a crash soon when we remove the
bounds-checks in nsVoidArray, which I want to do as soon as 1.7 opens.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: anthonyd → caillon
Blocks: 160540
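A constructed C++ model of the ancestor walk described in the diagnosis above, added here and not Mozilla's nsRange code: it assumes the loop exits without decrementing because the two positions share no root (one node already detached mid-delete, which the DeleteNode frames in the stack make plausible but the bug does not state), and shows the unconditional increment landing one past the end beside a checked variant that refuses to index. The Node type, Ancestors, IndexOf, Order and StaleRange are all assumptions of this model.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of a DOM node: a parent link plus ordered children.
struct Node {
  const Node* parent = nullptr;
  std::vector<const Node*> children;
};
// Ancestor chain in the order FillArrayWithAncestors builds it: node first, root last.
static std::vector<const Node*> Ancestors(const Node* n) {
  std::vector<const Node*> a;
  for (; n; n = n->parent) a.push_back(n);
  return a;
}
static int IndexOf(const Node* parent, const Node* child) {
  for (size_t i = 0; i < parent->children.size(); ++i)
    if (parent->children[i] == child) return (int)i;
  return -1;
}
enum Order { kBefore, kAfter, kOutOfBounds, kNoCommonAncestor };

// Is (s, sOff) at or before (e, eOff)? With checked == false the walk assumes the
// two ancestor chains meet, which is the assumption the report shows failing.
static Order IsIncreasing(const Node* s, int sOff, const Node* e, int eOff, bool checked) {
  if (s == e) return sOff <= eOff ? kBefore : kAfter;
  std::vector<const Node*> sa = Ancestors(s), ea = Ancestors(e);
  int si = (int)sa.size() - 1, ei = (int)ea.size() - 1;          // start at the roots
  while (si >= 0 && ei >= 0 && sa[si] == ea[ei]) { --si; --ei; }  // descend while shared
  // Roots differ (one node already detached): nothing was decremented, so the
  // increment below would land one past the end of the array.
  if (checked && si == (int)sa.size() - 1) return kNoCommonAncestor;
  ++si; ++ei;                                  // back up to the last common ancestor
  if (si >= (int)sa.size() || ei >= (int)ea.size())
    return kOutOfBounds;                       // stand-in for the ElementAt assert
  const Node* common = sa[si];
  // Each side's position inside the common ancestor: its offset if it is that
  // ancestor, otherwise the child index of the next ancestor down.
  int sk = si == 0 ? sOff : IndexOf(common, sa[si - 1]);
  int ek = ei == 0 ? eOff : IndexOf(common, ea[ei - 1]);
  if (sk != ek) return sk < ek ? kBefore : kAfter;
  return si == 0 ? kBefore : kAfter;           // boundary vs. the child holding the other end
}
// Scenario from the report: a stored range whose end node is no longer in the tree.
static Order StaleRange(bool checked) {
  Node root, a, b;
  a.parent = &root; root.children = {&a};      // b never attached (i.e. already removed)
  return IsIncreasing(&a, 0, &b, 5, checked);
}
```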
I'm running with this in my debug build, and I haven't hit anything yet,
although I have hit way too many other fun asserts...
Assignee: caillon → timeless
Status: NEW → ASSIGNED
Attachment #142852 - Flags: superreview?(jst)
Attachment #142852 - Flags: review?(caillon)
Comment on attachment 142852
ala sicking's suggestion

sr=jst
Attachment #142852 - Flags: superreview?(jst) → superreview+
Attachment #142852 - Flags: review?(caillon) → review+
mozilla/content/base/src/nsRange.cpp 	1.180
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
No longer blocks: 160540
Component: DOM: Traversal-Range → DOM: Core & HTML