STEPS TO REPRODUCE 1. load the attached testcase ACTUAL RESULT Crash occurs in local Firefox debug build on Linux (64-bit). Crash occurs in Firefox 2008-10-22-02 nightly build (64-bit). Crash does NOT occur in Firefox 2008-10-22-02 nightly build (32-bit).
Regression window: 2008-08-18-05 -- 2008-08-19-05 http://hg.mozilla.org/mozilla-central/shortlog/3c518880b8d4 bug 449447 ?
http://hg.mozilla.org/mozilla-central/file/6c4bb68efd2c/layout/style/nsCSSRuleProcessor.cpp#l1011 With a random value at *curChildPtr and then calling the virtual method IsNodeOfType() on it this bug seems sg:critical to me.
Whiteboard: [sg:critical?] virtual method call on random pointer value
Created attachment 344399 [details] [diff] [review] Patch rev. 1 The problem is that 'childCount' is unsigned. I found one more in SelectorMatches().
So how come this wasn't a problem before? I guess because a very large |cur| just caused us to get null and bail? The code in ::lastNode is ok, because if index == 0 then GetChildAt() will just return null and the effect will be the same: null lastNode and ending the loop.
Comment on attachment 344399 [details] [diff] [review] Patch rev. 1 >+++ b/layout/style/nsCSSRuleProcessor.cpp > stopPtr = curChildPtr - 1; >- curChildPtr += childCount - 1; >+ curChildPtr += PRInt32(childCount) - 1; I'd prefer: curChildPtr = stopPtr + childCount; since that more clearly indicates that we'll walk through childCount (possibly 0) entries.
(In reply to comment #6) > I guess because a very large |cur| just caused us to get null and bail? I would guess so too.
Created attachment 344783 [details] [diff] [review] Patch rev. 2
Comment on attachment 344783 [details] [diff] [review] Patch rev. 2 Please add a test.
I pushed the fix. The testcase seems to depend on timeouts and even worse on details of the textbox binding. Jesse, do you think you can whip together a self-contained crashtest?
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1? → blocking1.9.1+
Reading comment 0 I assume it's 64bit only? I'm not able to reproduce it on 32bit.
Hardware: x86 → x86_64
Target Milestone: --- → mozilla1.9.1b2
Version: unspecified → Trunk
Crash Signature: [@ RuleProcessorData::GetNthIndex]
You need to log in before you can comment on or make changes to this bug.