Closed Bug 417384 Opened 12 years ago Closed 12 years ago

"ASSERTION: Span level will be negative"

Categories

(Core :: DOM: Editor, defect)

x86
macOS
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(3 files, 2 obsolete files)

Attached file testcase
Smaug, remember those assertions you added for in bug 409990? :)

###!!! ASSERTION: Span level will be negative!: 'mSpanLevel', file /Users/jruderman/trunk/mozilla/content/base/src/nsPlainTextSerializer.cpp, line 948

Cautiously filing as security-sensitive because the last time this kind of thing happened (bug 409990), it caused memory corruption.
Flags: blocking1.9?
Assignee: nobody → Olli.Pettay
This isn't critical, since mSpanLevel isn't used for array indexing or anything.
But I'll look at this.
Attached patch proposed patchSplinter Review
Ok, this is bad after all. mInHead doesn't take account nested head elements.
So changing from bool to a counter.
But have to make nsPlainTextSerializer::OpenHead() no-op, though as far as I see
that isn't really used in serializer. It is just something coming from 
nsIHTMLContentSink and is used only by 
http://lxr.mozilla.org/seamonkey/source/parser/htmlparser/src/CNavDTD.cpp#3023
In nsHTMLContentSink OpenHead does open head context, but serializer
doesn't really have such concept.
Attachment #303269 - Flags: superreview?(peterv)
Attachment #303269 - Flags: review?(peterv)
Would it make sense to change the variable name from mInHead to mHeadNestingLevel now that it's not a boolean?
Comment on attachment 303269 [details] [diff] [review]
proposed patch

Let's name it mHeadLevel or something and we should add this to the testsuite.
Attachment #303269 - Flags: superreview?(peterv)
Attachment #303269 - Flags: superreview+
Attachment #303269 - Flags: review?(peterv)
Attachment #303269 - Flags: review+
Attached patch mHeadLevel (obsolete) — Splinter Review
I don't know how to write a (mochitest or similar) testcase for this, because 
the interfaces nsPlainTextSerializer implements aren't scriptable.
Attachment #303515 - Flags: approval1.9?
Attachment #303515 - Flags: approval1.9?
Attached patch with test (obsolete) — Splinter Review
Thanks Jeff!
Attachment #303515 - Attachment is obsolete: true
Attachment #303531 - Flags: approval1.9?
Attached patch with testSplinter Review
And the right file
Attachment #303531 - Attachment is obsolete: true
Attachment #303531 - Flags: approval1.9?
Attachment #303532 - Flags: approval1.9?
Credit where credit's due, I think -- philor, see comments 5-8.
Attachment #303532 - Flags: approval1.9? → approval1.9+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Depends on: 418719
Depends on: 418727
Group: core-security
You need to log in before you can comment on or make changes to this bug.