###!!! ASSERTION: prevent array boundary violation: 'colIndex < mNumCols'

RESOLVED FIXED

Status


Core
Layout: Tables
10 years ago
9 years ago

People

(Reporter: mats, Unassigned)

Tracking


Trunk
assertion, testcase
Bug Flags:
blocking1.9 -
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse])

(Reporter)

Description

10 years ago
The testcase in bug 430814 triggers the following assertions:

###!!! ASSERTION: no common ancestor at all???: 'parent', file mozilla/layout/base/nsLayoutUtils.cpp, line 377
###!!! ASSERTION: no common ancestor at all???: 'parent', file mozilla/layout/base/nsLayoutUtils.cpp, line 377
###!!! ASSERTION: prevent array boundary violation: 'colIndex < mNumCols', file mozilla/layout/tables/nsTablePainter.cpp, line 616

Comment 1

10 years ago
All your bugs belong to me
Assignee: nobody → bernd_mozilla

Comment 2

10 years ago
When I print the testcase, I get

###!!! ASSERTION: CreateRenderingContext failure: 'Not Reached', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 6236

plus the assertions in comment 0.
Group: security
Flags: wanted1.9.0.x?
Flags: blocking1.9?
This was spun out of a security bug, and the assertion kind of screams "hack me here".

Nominating for blocking 1.9 because this was originally a public bug -- did it get spotted?
Do we think we can have a fix for this quickly?
I think the assertion is saying that we are hitting the extra check (added in bug 430814) that prevents us from going past the end of the array, not that we are actually going past the end of the array.

Thus I think that the bug made sense in its original state -- public, and not nominated for blocking1.9.  But Mats/Bernd should confirm that.
(Reporter)

Comment 6

10 years ago
Correct.

Comment 8

10 years ago
Option 1 is bug 424377.
Depends on: 424377
Not going to block the final release on this, and based on what happened with bug 424377, I think we want to play whack-a-mole :(
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
(In reply to comment #5)
> the assertion is saying that we are hitting the extra check [...],
> not that we are actually going past the end of the array.

Maybe an NS_WARNING() would appear less alarming in that case then.

> Thus I think that the bug made sense in its original state -- public, and not
> nominated for blocking1.9

Sounds good, thanks for clarifying.
Group: security
Whiteboard: [sg:nse]

Comment 11

10 years ago
The nextinflow idea does not fly: the additional table cells are copies but not nextinflows. So I will leave this like it is.

Updated

10 years ago
Assignee: bernd_mozilla → nobody

Comment 12

10 years ago
I do not see the point of 1.9.0+ing this. The workaround that I thought about does not work. I don't see another option than bug 424377.
Depends on: 425265
No longer depends on: 424377
Can't reproduce after bug 425265.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED