Closed
Bug 409990
Opened 12 years ago
Closed 12 years ago
Memory corruption with document.execCommand("selectAll"), <ol>, <li>
Categories
(Core :: DOM: Editor, defect, critical)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: smaug)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Attachments
(3 files)
|
561 bytes,
application/xhtml+xml
|
Details | |
|
1.43 KB,
patch
|
peterv
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
|
2.79 KB,
patch
|
mtschrep
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase locally usually triggers a crash before it reaches retry=200. (This takes less than a minute.) The crashes all have different stacks, so I'm guessing this is some kind of random memory corruption.
Flags: blocking1.9?
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [sg:critical]
|
Assignee | |
Comment 1•12 years ago
|
||
as far as I see nsPlainTextSerializer::mOLStackIndex is decreased sometimes even if its value is 0, and that leads to wrong indexing elsewhere.
|
|
Assignee | |
Comment 2•12 years ago
|
||
Different kinds of counters in plaintextserializer may do something wrong without this. They are increased in DoOpenContainer and decreased in DoCloseContainer. But if only decrease is called... not good. To review this I suggest reading nsPlainTextSerializer::DoOpenContainer and nsPlainTextSerializer::DoCloseContainer.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #294779 -
Flags: superreview?(peterv)
Attachment #294779 -
Flags: review?(peterv)
|
|
Reporter | |
Comment 3•12 years ago
|
||
(In reply to comment #1) > as far as I see nsPlainTextSerializer::mOLStackIndex is decreased sometimes > even > if its value is 0, and that leads to wrong indexing elsewhere. Would it be useful to add an assertion for that, in addition to fixing the thing that's causing it to happen with this testcase?
|
|
Assignee | |
Comment 4•12 years ago
|
||
Sure, and perhaps adding few more assertions for other counters.
|
||
Updated•12 years ago
|
Attachment #294779 -
Flags: superreview?(peterv)
Attachment #294779 -
Flags: superreview+
Attachment #294779 -
Flags: review?(peterv)
Attachment #294779 -
Flags: review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Attachment #295640 -
Flags: approval1.9?
|
||
Updated•12 years ago
|
Attachment #295640 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Flags: in-testsuite?
|
||
Updated•7 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•