Closed
Bug 394275
Opened 17 years ago
Closed 17 years ago
High surrogate in CSS causes atom table crash on shutdown [@ PL_DHashTableFinish]
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: jruderman, Assigned: jst)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical])
Crash Data
Attachments
(3 files)
168 bytes,
text/html
|
Details | |
23.83 KB,
text/plain
|
Details | |
1.42 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase triggers: ###!!! ASSERTION: Surrogate pair split between fragments: 'Error', file ../../../dist/include/string/nsUTF8Utils.h, line 695 Exiting Firefox then crashes [@ PL_DHashTableFinish] with a random address at the top of the stack. I'm guessing this is a bug in the atom table, similar to bug bug 377360 (which is fixed). It's possible that the CSS parser and/or the textContent setter are being bad too, but I think the strategy is to fix the atom table first.
Flags: blocking1.9?
Reporter | ||
Comment 1•17 years ago
|
||
Reporter | ||
Updated•17 years ago
|
Whiteboard: [sg:critical]
Assignee: nobody → jst
Flags: blocking1.9? → blocking1.9+
Assignee | ||
Comment 2•17 years ago
|
||
Attachment #279991 -
Flags: superreview?(jonas)
Attachment #279991 -
Flags: review?(jonas)
Comment on attachment 279991 [details] [diff] [review] Deal with the case where we have half a surrogate pair at the end of a string Would be great if we could add C++ unit tests for this stuff too. r/sr=me either way.
Attachment #279991 -
Flags: superreview?(jonas)
Attachment #279991 -
Flags: superreview+
Attachment #279991 -
Flags: review?(jonas)
Attachment #279991 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Attachment #279991 -
Flags: approval1.9?
Assignee | ||
Updated•17 years ago
|
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9 M8
Updated•17 years ago
|
Attachment #279991 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 4•17 years ago
|
||
Fix checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 5•16 years ago
|
||
This bug does not seem to affect branch.
Group: security
Flags: wanted1.8.1.x-
Reporter | ||
Comment 6•16 years ago
|
||
I agree with sicking -- this should be tested using a C++ unit test (xpcom/tests).
Flags: in-testsuite?
Comment 7•15 years ago
|
||
crash test landed http://hg.mozilla.org/mozilla-central/rev/e184c9ab1e46 leaving in-testsuite? for a C++ test.
Flags: in-testsuite? → in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ PL_DHashTableFinish]
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•