Jst discovered this while helping me debug my patch for bug 274777 (I'd already fixed it without realizing it in my patch for bug 22942). See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/parser/htmlparser/src/nsExpatDriver.cpp&rev=3.86&mark=879#871 It should read |startOffset = aLength / sizeof(PRUnichar);|.
Created attachment 205954 [details] [diff] [review] v1
There are quite a few crashes in Talkback that seem to be caused by this: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsExpatDriver::ParseBuffer&vendor=MozillaOrg&product=Firefox15&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid It's number 37 in the topcrashers list for 1.5. The crash usually happens when we access the buffer, probably with an index that's too big: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/parser/htmlparser/src/nsExpatDriver.cpp&mark=892&rev=MOZILLA_1_8_BRANCH#872
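As an added illustration, not code from this bug or from Mozilla's nsExpatDriver, the C sketch below models the byte-count versus 16-bit-unit confusion that the one-line fix addresses: a chunk length given in bytes is used as an index into a PRUnichar array, so the resume offset is twice what it should be and can point past the end of the buffer. The "buggy" branch of start_offset, the sample buffer, and the helper names are assumptions for the demonstration; only the corrected arithmetic (aLength / sizeof(PRUnichar)) comes from the bug report. The checked read returns -1 instead of touching memory past the buffer, which is the behaviour a defensive accessor should have where the real code crashed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit code unit, matching the PRUnichar type the bug's fix refers to. */
typedef uint16_t PRUnichar;

/* Offset, in PRUnichar units, at which parsing resumes after a chunk of
 * aLength *bytes*. With fixed != 0 this is the line the bug report gives;
 * the other branch is an assumed model of the defect: using the byte
 * count directly as a unit index, which is twice the intended value. */
static size_t start_offset(size_t aLength, int fixed)
{
    return fixed ? aLength / sizeof(PRUnichar) : aLength;
}

/* Bounds-checked read. Returns the unit at buf[offset] as a non-negative
 * int, or -1 when offset is past the end, instead of reading out of range. */
static int checked_unit(const PRUnichar *buf, size_t unitCount, size_t offset)
{
    if (buf == NULL || offset >= unitCount)
        return -1;
    return (int)buf[offset];
}

/* Constructed sample: an 8-unit (16-byte) UTF-16 buffer holding "<a>x</a>". */
static const PRUnichar kSample[] = { '<', 'a', '>', 'x', '<', '/', 'a', '>' };
static const size_t kSampleUnits = sizeof(kSample) / sizeof(kSample[0]);

/* Where would the parser resume after consuming the first 8 bytes
 * (4 units) of kSample? Correct arithmetic lands on unit 4 ('<');
 * the byte-count version asks for unit 8, one past the buffer. */
static int resume_after_8_bytes(int fixed)
{
    size_t off = start_offset(8, fixed);
    return checked_unit(kSample, kSampleUnits, off);
}

int main(void)
{
    int fixed = resume_after_8_bytes(1);
    int buggy = resume_after_8_bytes(0);
    printf("fixed arithmetic: offset %zu -> unit %d\n",
           start_offset(8, 1), fixed);
    printf("byte-count arithmetic: offset %zu -> %s\n",
           start_offset(8, 0),
           buggy < 0 ? "out of bounds (rejected)" : "in bounds");
    return 0;
}
```

The sample buffer is only 8 units long, so the doubled offset overshoots by a wide margin; on a real parse buffer the overshoot is proportional to how much of the chunk has been consumed, which is why the crashes in Talkback cluster on buffer accesses rather than on the arithmetic itself.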
Comment on attachment 205954 [details] [diff] [review] v1 sr=jst
Comment on attachment 205954 [details] [diff] [review] v1 r=mrbkap
Checked in on trunk.
Can we bake a few more takes and then we'll consider.
Comment on attachment 205954 [details] [diff] [review] v1 a=dveditz Please add the fixed18.104.22.168 and fixed1.8.1 when checked in to the branches
Would like to verify this on the branch, but without a testcase or STR it is tough. Can someone help here?
In order to certify the 22.214.171.124 release, I have been asked to verify this bug. Can I please get some help getting a testcase or STR to verify? Thanks.
I'll try to come up with a testcase but it's not trivial. This bug was discovered through code inspection. Note that there are a bunch of talkbacks (see comment 2), but I never got the crash myself.
Peter: I don't want to cause excessive work, so if it will take too much time we can have someone inspect the code to verify.
(In reply to comment #10)
> I'll try to come up with a testcase but it's not trivial. This bug was
> discovered through code inspection.
> Note that there are a bunch of talkbacks (see comment 2), but I never got the
> crash myself.
The patch that caused this wasn't checked in on the 1.7.x branch.
nsExpatDriver::ParseBuffer is still showing up as a topcrash for Fx 126.96.36.199.