Closed
Bug 479931
Opened 16 years ago
Closed 15 years ago
Crash [@ nsTreeContentView::InsertRow] with <xul:tree> and <option>
Categories
(Core :: XUL, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta2-fixed |
blocking1.9.1 | --- | .6+ |
status1.9.1 | --- | .6-fixed |
People
(Reporter: jruderman, Assigned: tnikkel)
References
Details
(4 keywords, Whiteboard: [sg:critical?])
Crash Data
Attachments
(5 files, 1 obsolete file)
449 bytes,
application/xhtml+xml
|
Details | |
7.71 KB,
text/plain
|
Details | |
1.12 KB,
patch
|
neil
:
review+
|
Details | Diff | Splinter Review |
1.32 KB,
patch
|
dveditz
:
approval1.9.1.6+
dveditz
:
approval1.9.0.16+
|
Details | Diff | Splinter Review |
940 bytes,
application/vnd.mozilla.xul+xml
|
Details |
Firefox crashes trying to do something with memory at 0x1c6ffffc.
Reporter | ||
Comment 1•16 years ago
|
||
Comment 2•16 years ago
|
||
Attachment #364001 -
Flags: superreview?(neil)
Attachment #364001 -
Flags: review?(neil)
Comment 3•16 years ago
|
||
Comment on attachment 364001 [details] [diff] [review]
Like so?
It's not the parent index that's wrong, it's the child index, and that's wrong because we're not allowing for the <div>. Mind you, I think the code for <optgroup> is wrong too, but that just fails "safe".
Attachment #364001 -
Flags: superreview?(neil)
Attachment #364001 -
Flags: superreview-
Attachment #364001 -
Flags: review?(neil)
Attachment #364001 -
Flags: review-
Comment 4•16 years ago
|
||
This is all just xbl form controls stuff. We should just remove it from the tree code.
Updated•16 years ago
|
Attachment #364001 -
Attachment is obsolete: true
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Comment 5•15 years ago
|
||
Ah, there is already a function that takes into account content nodes that the tree ignores in order to determine proper indices, so use it here.
Assignee: nobody → tnikkel
Attachment #406901 -
Flags: review?(neil)
Comment 6•15 years ago
|
||
Comment on attachment 406901 [details] [diff] [review]
patch
>- PRInt32 count = InsertRow(parentIndex, aIndexInContainer, aChild);
>+ PRInt32 index = 0;
>+ GetIndexInSubtree(aContainer, aChild, &index);
>+ PRInt32 count = InsertRow(parentIndex, index, aChild);
> if (mBoxObject)
> mBoxObject->RowCountChanged(parentIndex + aIndexInContainer + 1, count);
You meant to use index here too, right? r=me with that fixed.
Attachment #406901 -
Flags: review?(neil) → review+
Assignee | ||
Comment 7•15 years ago
|
||
Whoops, thanks for catching that!
Assignee | ||
Comment 8•15 years ago
|
||
Fixed Neil's comment.
Assignee | ||
Comment 9•15 years ago
|
||
Even though 1.9.0 and 1.9.1 don't crash on the testcase, the same vulnerable code is on all branches, so I think we should take this on all branches.
blocking1.9.1: --- → ?
Flags: blocking1.9.0.16?
Assignee | ||
Updated•15 years ago
|
Attachment #406942 -
Flags: approval1.9.2?
Attachment #406942 -
Flags: approval1.9.1.5?
Attachment #406942 -
Flags: approval1.9.0.16?
Updated•15 years ago
|
blocking1.9.1: ? → .5+
status1.9.1:
--- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.16?
Flags: blocking1.9.0.16+
Comment 11•15 years ago
|
||
Is there any reason this hasn't landed on mozilla-central for testing yet?
Assignee | ||
Comment 12•15 years ago
|
||
Flags: in-testsuite?
Target Milestone: --- → mozilla1.9.3a1
Assignee | ||
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][needs 1.9.2 approval or blocking]
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Updated•15 years ago
|
Whiteboard: [sg:critical?][needs 1.9.2 approval or blocking] → [sg:critical?][needs 1.9.2 landing]
Comment 13•15 years ago
|
||
Comment on attachment 406942 [details] [diff] [review]
patch v2
This is blocking 1.9.2 now, so it doesn't need approval to land there.
Attachment #406942 -
Flags: approval1.9.2?
Assignee | ||
Comment 14•15 years ago
|
||
status1.9.2:
--- → final-fixed
Whiteboard: [sg:critical?][needs 1.9.2 landing] → [sg:critical?]
Target Milestone: mozilla1.9.3a1 → mozilla1.9.2
Comment 15•15 years ago
|
||
Is it possible to write a testcase that exercises the bug on the 1.9.1/1.9.0 branches? Otherwise QA won't be able to verify this.
Assignee | ||
Comment 16•15 years ago
|
||
I think the reason is doesn't crash on 1.9.0 and 1.9.1 is the switch from a nsVoidArray to a nsTArray. I haven't looked any more closely.
Assignee | ||
Comment 17•15 years ago
|
||
If you just need something that has observable differences before/after this patch on 1.9.1/1.9.0 this testcase will do.
Clicking the button should insert an x between the a and b. Without the patch the x is inserted between the b and c.
Comment 18•15 years ago
|
||
Comment on attachment 406942 [details] [diff] [review]
patch v2
Approved for 1.9.1.5 and 1.9.0.16, a=dveditz for release-drivers
Attachment #406942 -
Flags: approval1.9.1.6?
Attachment #406942 -
Flags: approval1.9.1.6+
Attachment #406942 -
Flags: approval1.9.0.16?
Attachment #406942 -
Flags: approval1.9.0.16+
Assignee | ||
Comment 19•15 years ago
|
||
Comment 20•15 years ago
|
||
Checking in nsTreeContentView.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeContentView.cpp,v <-- nsTreeContentView.cpp
new revision: 1.71; previous revision: 1.70
Keywords: fixed1.9.0.16
Comment 21•15 years ago
|
||
(In reply to comment #17)
> Created an attachment (id=410163) [details]
> testcase with observable difference on 1.9.1/1.9.0
>
> If you just need something that has observable differences before/after this
> patch on 1.9.1/1.9.0 this testcase will do.
>
> Clicking the button should insert an x between the a and b. Without the patch
> the x is inserted between the b and c.
Verified using this testcase on 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5. I see the difference in behavior between 1.9.1.5 and 1.9.1.6.
Keywords: verified1.9.1
Comment 22•15 years ago
|
||
Verified using the same testcase on 1.9.0 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729) and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.16pre) Gecko/2009111916 GranParadiso/3.0.16pre.
Keywords: fixed1.9.0.16 → verified1.9.0.16
Updated•15 years ago
|
Group: core-security
Assignee | ||
Comment 23•15 years ago
|
||
Added crashtest to 1.9.1, 1.9.2, and mozilla-central.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/976ec8c4d911
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/914ae05fe0a2
http://hg.mozilla.org/mozilla-central/rev/260d768e55f4
Flags: in-testsuite? → in-testsuite+
Updated•14 years ago
|
Crash Signature: [@ nsTreeContentView::InsertRow]
Comment 24•7 years ago
|
||
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL
You need to log in
before you can comment on or make changes to this bug.
Description
•