Closed Bug 394275 Opened 16 years ago Closed 16 years ago

High surrogate in CSS causes atom table crash on shutdown [@ PL_DHashTableFinish]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: jruderman, Assigned: jst)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(3 files)

testcase (causes shutdown crash)
168 bytes, text/html
Details
stack traces
23.83 KB, text/plain
Details
Deal with the case where we have half a surrogate pair at the end of a string
1.42 KB, patch
sicking
: review+
sicking
: superreview+
damons
: approval1.9+
Details | Diff | Splinter Review 
Loading the testcase triggers:

###!!! ASSERTION: Surrogate pair split between fragments: 'Error', file ../../../dist/include/string/nsUTF8Utils.h, line 695

Exiting Firefox then crashes [@ PL_DHashTableFinish] with a random address at the top of the stack.

I'm guessing this is a bug in the atom table, similar to bug bug 377360 (which is fixed).  It's possible that the CSS parser and/or the textContent setter are being bad too, but I think the strategy is to fix the atom table first.
Flags: blocking1.9?
Attached file stack traces 

    
  
Whiteboard: [sg:critical]
Assignee: nobody → jst
Flags: blocking1.9? → blocking1.9+

    
    

    
  
Comment on attachment 279991 [details] [diff] [review]
Deal with the case where we have half a surrogate pair at the end of a string

Would be great if we could add C++ unit tests for this stuff too.

r/sr=me either way.

        Attachment #279991 -
        Flags: superreview?(jonas)

        Attachment #279991 -
        Flags: superreview+

        Attachment #279991 -
        Flags: review?(jonas)

        Attachment #279991 -
        Flags: review+

    
  

        Attachment #279991 -
        Flags: approval1.9?

    
  
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9 M8

        Attachment #279991 -
        Flags: approval1.9? → approval1.9+

    
    

    
  
Fix checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
This bug does not seem to affect branch.
Group: security
Flags: wanted1.8.1.x-

    
    

    
  
I agree with sicking -- this should be tested using a C++ unit test (xpcom/tests).
Flags: in-testsuite?

    
    

    
  
crash test landed
http://hg.mozilla.org/mozilla-central/rev/e184c9ab1e46

leaving in-testsuite? for a C++ test.
Flags: in-testsuite? → in-testsuite+

    
    

    
  
oops
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ PL_DHashTableFinish]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.