Closed Bug 409990 Opened 12 years ago Closed 12 years ago

Memory corruption with document.execCommand("selectAll"), <ol>, <li>

Categories

(Core :: DOM: Editor, defect, critical)

x86
macOS
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Attachments

(3 files)

Loading the testcase locally usually triggers a crash before it reaches retry=200.  (This takes less than a minute.)  The crashes all have different stacks, so I'm guessing this is some kind of random memory corruption.
Flags: blocking1.9?
Whiteboard: [sg:critical]
As far as I see, nsPlainTextSerializer::mOLStackIndex is decreased sometimes even if its value is 0, and that leads to wrong indexing elsewhere.
Attached patch: proposed patch
Different kinds of counters in nsPlainTextSerializer may do something wrong without this. They are increased in DoOpenContainer and decreased in DoCloseContainer. But if only the decrease is called... not good.
To review this I suggest reading nsPlainTextSerializer::DoOpenContainer and nsPlainTextSerializer::DoCloseContainer.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #294779 - Flags: superreview?(peterv)
Attachment #294779 - Flags: review?(peterv)
(In reply to comment #1)
> As far as I see, nsPlainTextSerializer::mOLStackIndex is decreased sometimes
> even if its value is 0, and that leads to wrong indexing elsewhere.

Would it be useful to add an assertion for that, in addition to fixing the thing that's causing it to happen with this testcase?
Sure, and perhaps adding a few more assertions for other counters.
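The failure mode discussed in the patch comment and the assertion follow-up, as an added illustration (not Mozilla's code): a stack index that is decremented on every close, even without a matching open, goes negative, and the next open or list-item write computes an out-of-range slot. The model below (names OLStackModel, Open, CloseUnguarded, CloseGuarded, Item, Run and the depth 8 are all assumptions for this example) puts the unguarded close next to a guarded one and counts the writes that would have landed outside the array instead of performing them.

```cpp
#include <array>

// Illustrative model of a plaintext serializer's <ol> counter stack.
// Names (OLStackModel, Open, Close*, Item, Run) are assumptions for this
// example, not Mozilla's nsPlainTextSerializer code.
constexpr int kOLStackSize = 8;

struct OLStackModel {
    std::array<int, kOLStackSize> counters{};  // per-level <li> counters
    int index = 0;  // open <ol> levels; innermost counter is counters[index-1]

    // <ol> open: push a fresh item counter. Returns false if the write would
    // fall outside the array (the real code would corrupt memory here).
    bool Open() {
        if (index < 0 || index >= kOLStackSize) return false;
        counters[index++] = 0;
        return true;
    }
    // Unguarded close, mirroring the defect: decrements even when index is 0,
    // so later Open/Item calls compute a negative slot.
    void CloseUnguarded() { --index; }
    // Guarded close: pop only when a matching open was recorded.
    // (A debug-only assertion that index > 0 belongs here as well.)
    bool CloseGuarded() {
        if (index <= 0) return false;
        --index;
        return true;
    }
    // <li>: bump the innermost counter. Returns false if the slot is out of range.
    bool Item() {
        int slot = index - 1;
        if (slot < 0 || slot >= kOLStackSize) return false;
        ++counters[slot];
        return true;
    }
};

// Replays a tag sequence: 'o' = <ol>, 'c' = </ol>, 'i' = <li>.
// badSlots counts writes that would have landed outside the stack array.
struct Replay { int index; int badSlots; };
Replay Run(const char* seq, bool guarded) {
    OLStackModel m;
    int bad = 0;
    for (; *seq; ++seq) {
        if (*seq == 'o' && !m.Open()) ++bad;
        else if (*seq == 'c') { if (guarded) m.CloseGuarded(); else m.CloseUnguarded(); }
        else if (*seq == 'i' && !m.Item()) ++bad;
    }
    return Replay{m.index, bad};
}
```

A stray close before the first open ("coi") drives the unguarded index to -1 and makes both following writes bad; the guarded variant leaves the index at 0 and the subsequent open and item stay in range.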
Attachment #294779 - Flags: superreview?(peterv)
Attachment #294779 - Flags: superreview+
Attachment #294779 - Flags: review?(peterv)
Attachment #294779 - Flags: review+
Attachment #295640 - Flags: approval1.9?
Attachment #295640 - Flags: approval1.9? → approval1.9+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Group: core-security