Closed Bug 393760 Opened 17 years ago Closed 17 years ago

"ASSERTION: nsVoidArray::ElementAt: index out of range" with mfenced, mathbackground

Categories

(Core :: MathML, defect)

x86
All
defect
Not set
major

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: assertion, testcase, Whiteboard: [wanted-1.9] post-1.8-branch)

Attachments

(4 files)

Attached file testcase
Loading the testcase triggers:

###!!! ASSERTION: nsVoidArray::ElementAt: index out of range: '0 <= aIndex && aIndex < Count()', file ../../../dist/include/xpcom/nsVoidArray.h, line 81

There's also a visual glitch: instead of a pair of parentheses with a yellow background, I see a *random unicode character* with a white background.  It's different on every load, suggesting an uninitialized variable or an OOB read.  (nsVoidArray::ElementAt has a runtime check, so if there's an OOB read, it's somewhere else.)
Flags: blocking1.9?
Attached file reference
The same DOM, but static, makes a nice reference (for reftest).
Generated with:
  export XPCOM_DEBUG_BREAK=stack
  (run firefox)
  (copy sketchy assertion stack to clipboard)
  pbpaste | mac2unix | ~/trunk/mozilla/tools/rb/fix-macosx-stack.pl
Flags: blocking1.9? → blocking1.9-
Whiteboard: [wanted-1.9]
Reproducing on Linux as well as Mac:

WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x805303E8: file /home/karl/moz/mozilla/layout/style/nsCSSStyleSheet.cpp, line 1520
###!!! ASSERTION: nsVoidArray::ElementAt: index out of range: '0 <= aIndex && aIndex < Count()', file ../../../../dist/include/xpcom/nsVoidArray.h, line 81
WARNING: String ending in half a surrogate pair!: file ../../../dist/include/string/nsUTF8Utils.h, line 748
OS: Mac OS X → All
Whiteboard: [wanted-1.9] → [wanted-1.9] post-1.8-branch
No longer asserts for me on trunk (Mac).  Apparently we no longer honor the mathbackground attribute on <mfenced> elements.  This brings us more in line with the MathML spec, which specifies mathbackground as being an attribute of <mstyle> and tokens only.  I'm guessing this change was intentional and part of bug 355548.

Doesn't assert for me on branch.
Assignee: rbs → roc
Depends on: 355548
Group: security
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
roc, should I add this testcase as a crashtest, or should I make reftests to test that we support mathbackground on the correct elements but not on mfenced?
you could do both :-)
Attached patch reftests
Ok, I checked in a crashtest, and here's some reftests.
Old builds fail almost every line of 393760-1.xml ;)
Reftests checked in too.
Flags: in-testsuite? → in-testsuite+
I had to remove the first line from the first reftest because the span's height was more than the math's height on a Linux Tinderbox.
This reftest is failing for Fedora unit tests (see bug 560882).
I have machines available to help fix it.
Let me know if it would make sense to file another bug instead of reopening this one.
Armen, please file a new bug (blocking this one if you want).  We usually don't reopen bugs except for backouts or patches that didn't fix the bug as reported.