Closed Bug 364318 Opened 19 years ago Closed 19 years ago

[FIX]shrinkwithoutcells should verify cells before deleting them

Categories

(Core :: Layout: Tables, defect, P1)

Product:
Core
Component:
Layout: Tables
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: bernd_mozilla, Assigned: bernd_mozilla)

References

(
URL
)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

testcase
316 bytes, application/xhtml+xml
Details
This fixes the bug for me
2.75 KB, patch
bernd_mozilla
: review+
roc
: superreview+
Details | Diff | Splinter Review
patch for the underlying problem
6.56 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
this is a regression from bug 356335
Attached file testcase
Blocks: 356335
Severity: normal → critical
So... I don't crash with the testcase. nsCellMap::DestroyCellData is null-safe, so is the problem that endColIndex or aColIndex might be out of range?
Er, I was using the build that has bug 357729 fixed (and therefore a lot of this stuff is safer)... I'll try to look into this today, but I'm not sure I'll have time. :(
Hmm... So yeah, this is a problem with that patch too. It's just that nsTArray::RemoveElementsAt doesn't assert. It should.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #249117 - Flags: superreview?(roc)
Attachment #249117 - Flags: review?(bernd_mozilla)
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: shrinkwithoutcells should verify cells before deleting them → [FIX]shrinkwithoutcells should verify cells before deleting them
Target Milestone: --- → mozilla1.9alpha
+ PRUint32 endIndexForRow = PR_MIN(endColIndex + 1, row.Length()); I believe that if this coerce, while being correct from a point of view "you shall not go past the array", kicks in, it signals a serious cellmap problem. How can a cell with a rowspan and colspan not warrant the existence of the corresponding entries in the rows. In short, it should martially assert. I suspect there is a second issue with 0-spans, that I am going to debug.
The zero rowspan issue comes from http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/tables/nsCellMap.cpp&rev=3.116&mark=2007-2009#1983 which is now just wrong. It makes us trying to remove the rowspan from row 2. The patch will lead to a removal of the rowspan belonging to C1,0 cellmap dump: thead mapRowCount=3 tableRowCount=2 row 0 : C0,0 C0,1 row 1 : C1,0 R row 2 : R I would prefer to only assert and to bail.
Assert and bail in which case? If we get to a row for which row.Length() <= endColIndex?
Comment on attachment 249117 [details] [diff] [review] This fixes the bug for me as usual "reading the patch helps" Deep in my heart, I would prefer to put after NS_ASSERTION(count == 0 || start < Length(), "Invalid start index"); a 0 deref that crashes hard because if this triggers we have a serious buffer overflow issue.
Attachment #249117 - Flags: review?(bernd_mozilla) → review+
Attachment #249117 - Flags: superreview?(roc) → superreview+
Bernd, you convinced me that my patch should assert and bail, btw. So how do I interpret your r+ on it?
Your patch does already bail. Just assert that endColIndex + 1 <= row.Length(), so that we get alerted if we coerce.
My patch doesn't bail out of the function by any means. It just skips the DestroyCellData and RemoveElementsAt calls when they don't make sense. So it doesn't sound to me like it does what you want it to do....
I checked in attachment 249117 [details] [diff] [review]. The coerce of the endrowindex will cause exactly the bail that I asked for as endrowindex will become smaller than startrowindex and the for loop will do nothing. I also added the assert.
Assignee: bzbarsky → bernd_mozilla
Status: ASSIGNED → NEW
Attachment #249214 - Flags: superreview?(bzbarsky)
Attachment #249214 - Flags: review?(bzbarsky)
Comment on attachment 249214 [details] [diff] [review] patch for the underlying problem >Index: nsCellMap.cpp > PRInt32 nsCellMap::GetRowSpan(PRInt32 aRowIndex, So the idea here is that now that we do non-lazy zero-rowspan expansion the cellmap always reflects reality and we shouldn't mess with the return value due to zero-rowspans, right? >Index: nsCellMap.h > PRInt32 GetRowSpan(PRInt32 aRowIndex, > PRInt32 aColIndex, >- PRBool aGetEffective, >- PRBool& aIsZeroRowSpan) const; >+ PRBool aGetEffective) const; Could you please add documentation explaining what this function does? Especialy how aGetEffective affects the return value? r+sr=bzbarsky assuming the answer to my question is "yes" and with the comments added.
Attachment #249214 - Flags: superreview?(bzbarsky)
Attachment #249214 - Flags: superreview+
Attachment #249214 - Flags: review?(bzbarsky)
Attachment #249214 - Flags: review+
>So the idea here is that now that we do non-lazy zero-rowspan expansion the >cellmap always reflects reality and we shouldn't mess with the return value due >to zero-rowspans, right? exactly >Could you please add documentation explaining what this function does? >Especialy how aGetEffective affects the return value? done see the commit, the language might be not perfect, I am open for a better wording
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Language looks fine to me. Thanks!
I missed the fact that this patch included the one for bug 363239 (which didn't have reviews yet at the time)...
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: