Closed Bug 431087 Opened 16 years ago Closed 16 years ago

###!!! ASSERTION: prevent array boundary violation: 'colIndex < mNumCols'

Categories

(Core :: Layout: Tables, defect)

Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:nse])

The testcase in bug 430814 triggers the following assertions:

###!!! ASSERTION: no common ancestor at all???: 'parent', file mozilla/layout/base/nsLayoutUtils.cpp, line 377
###!!! ASSERTION: no common ancestor at all???: 'parent', file mozilla/layout/base/nsLayoutUtils.cpp, line 377
###!!! ASSERTION: prevent array boundary violation: 'colIndex < mNumCols', file mozilla/layout/tables/nsTablePainter.cpp, line 616
All your bugs belong to me
Assignee: nobody → bernd_mozilla
When I print the testcase, I get

###!!! ASSERTION: CreateRenderingContext failure: 'Not Reached', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 6236

plus the assertions in comment 0.
Group: security
Flags: wanted1.9.0.x?
Flags: blocking1.9?
This was spun out of a security bug, and the assertion kind of screams "hack me here". Nominating for blocking 1.9 because this was originally a public bug -- did it get spotted?
Do we think we can have a fix for this quickly?
I think the assertion is saying that we are hitting the extra check (added in bug 430814) that prevents us from going past the end of the array, not that we are actually going past the end of the array. Thus I think that the bug made sense in its original state -- public, and not nominated for blocking1.9. But Mats/Bernd should confirm that.
Correct.
option 1 is bug 424377
Depends on: 424377
Not going to block the final release on this, and based on what happened with bug 424377, I think we want to play whack-a-mole :(
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Flags: blocking1.9? → blocking1.9-
(In reply to comment #5)
> the assertion is saying that we are hitting the extra check [...],
> not that we are actually going past the end of the array.

Maybe an NS_WARNING() would appear less alarming in that case then.

> Thus I think that the bug made sense in its original state -- public, and not
> nominated for blocking1.9

Sounds good, thanks for clarifying.
Group: security
Whiteboard: [sg:nse]
The nextinflow idea does not fly: the additional table cells are copies but not nextinflows. So I will leave this like it is.
Assignee: bernd_mozilla → nobody
I do not see the point of 1.9.0+ing this. The workaround that I thought about does not work. I don't see another option than bug 424377.
Depends on: 425265
No longer depends on: 424377
Can't reproduce after bug 425265.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
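
The distinction drawn in comment 5 (the assertion reports that the guard was hit, not that the array was overrun), as an added C++ example that is not Mozilla's code. SOFT_ASSERTION, ColumnPainter, PaintColumn and PaintSpan are hypothetical names; only colIndex, mNumCols and the assertion text come from this bug.

```cpp
// Added illustration; all names except colIndex/mNumCols are hypothetical.
#include <cstddef>
#include <cstdio>
#include <vector>

static int gSoftAssertions = 0;  // how many times the diagnostic fired

// Non-fatal assertion: reports and counts, then lets execution continue,
// so on its own it cannot stop an out-of-bounds access.
#define SOFT_ASSERTION(cond, msg)                                        \
  do {                                                                   \
    if (!(cond)) {                                                       \
      ++gSoftAssertions;                                                 \
      std::fprintf(stderr, "###!!! ASSERTION: %s: '%s'\n", msg, #cond);  \
    }                                                                    \
  } while (0)

class ColumnPainter {  // hypothetical stand-in for a table painter
 public:
  explicit ColumnPainter(std::size_t numCols)
      : mNumCols(numCols), mPainted(numCols, 0) {}

  // Returns true if the column was painted, false if the index was rejected.
  bool PaintColumn(std::size_t colIndex) {
    SOFT_ASSERTION(colIndex < mNumCols, "prevent array boundary violation");
    if (colIndex >= mNumCols) return false;  // runtime guard, in every build
    mPainted[colIndex] = 1;
    return true;
  }

 private:
  std::size_t mNumCols;
  std::vector<int> mPainted;
};

// Walks `span` columns starting at `first`; stops at the first rejected index.
std::size_t PaintSpan(ColumnPainter& p, std::size_t first, std::size_t span) {
  std::size_t painted = 0;
  for (std::size_t i = first; i < first + span; ++i) {
    if (!p.PaintColumn(i)) break;
    ++painted;
  }
  return painted;
}

int main() {
  ColumnPainter p(3);  // constructed input: 3 columns, 5 requested from index 1
  std::printf("painted %zu of 5 requested\n", PaintSpan(p, 1, 5));
  return 0;
}
```

Removing the `if` while keeping the macro would leave the diagnostic in place but let the write go past the array, which is why the message alone does not tell you whether memory was touched.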