Bug 664955 - "ASSERTION: parser should have rejected negative length"
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: CSS Parsing and Computation
Version: Trunk
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: mozilla7
Assigned To: arno renevier
Blocks: randomstyles
Reported: 2011-06-17 01:28 PDT by Jesse Ruderman
Modified: 2011-07-04 11:17 PDT
dao+bmo: in-testsuite+

Attachments
testcase (163 bytes, text/html)
2011-06-17 01:28 PDT, Jesse Ruderman
patch v1 (4.27 KB, patch)
2011-06-18 05:19 PDT, arno renevier
patch v2 (4.23 KB, patch)
2011-06-30 13:39 PDT, arno renevier
patch v2 (5.63 KB, patch)
2011-06-30 14:39 PDT, arno renevier
patch v2.1 (6.41 KB, patch)
2011-06-30 23:37 PDT, arno renevier
bzbarsky: review+

Description Jesse Ruderman 2011-06-17 01:28:36 PDT
Created attachment 540012
testcase

###!!! ASSERTION: FindNextLargerFontSize failed: '*aSize > parentSize', file layout/style/nsRuleNode.cpp, line 2538
(bug 427322)

###!!! ASSERTION: parser should have rejected negative length: 'widthValue.IsCalcUnit()', file layout/style/nsRuleNode.cpp, line 6283

Comment 1 arno renevier 2011-06-18 05:19:54 PDT
Created attachment 540231
patch v1

This is because nsStyleUtil::FindNextLargerFontSize returns a negative value (because of PRInt32 overflow).
Maybe it can be fixed by checking that the returned value is positive (and also below or equal to nscoord_MAX).

Comment 2 Boris Zbarsky [:bz] 2011-06-22 15:14:37 PDT
Comment on attachment 540231
patch v1

Should FindNextLargerFontSize be using the saturating computation functions?

Comment 3 arno renevier 2011-06-30 13:39:21 PDT
Created attachment 543231
patch v2

Comment 4 Boris Zbarsky [:bz] 2011-06-30 14:26:56 PDT
That looks identical to v1 to me.  What about my question from comment 2?

Comment 5 arno renevier 2011-06-30 14:39:27 PDT
Created attachment 543266
patch v2

Sorry, wrong file attached. I should have checked more.

Comment 6 Boris Zbarsky [:bz] 2011-06-30 15:18:36 PDT
>+      largerSize = indexFontSize + NSCoordSaturatingNonnegativeMultiply(largerIndexFontSize - indexFontSize, relativePosition);
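
Review bot: the outer `indexFontSize + ...` on this line is still a plain add, so the result can leave the valid range even though the multiply saturates. Once the product is clamped at its maximum, adding any positive indexFontSize to it goes past nscoord_MAX, which is the condition comment 1 wanted to rule out. Suggest computing the sum with a saturating add as well, so both steps clamp.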

Should that be a saturating add?

Comment 7 arno renevier 2011-06-30 23:37:21 PDT
Created attachment 543360
patch v2.1

Comment 8 Boris Zbarsky [:bz] 2011-07-01 09:02:50 PDT
Comment on attachment 543360
patch v2.1

r=me.  Thank you!

Comment 9 Dão Gottwald [:dao] 2011-07-04 11:17:02 PDT
http://hg.mozilla.org/mozilla-central/rev/7281d9de99eb
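
The overflow discussed in comments 1, 2 and 6, as an added example that is not part of this bug or of the Gecko patch: it compares a wrapping computation, a saturating multiply followed by a plain add (the form questioned in comment 6), and a fully saturating one. `coord`, `kCoordMax` and all helper names are hypothetical stand-ins, the ceiling value is an assumption, and the inputs are constructed.

```cpp
// Added illustration; names are hypothetical, not Gecko's implementation.
#include <cstdint>

using coord = int32_t;                 // stand-in for nscoord
constexpr coord kCoordMax = 1 << 30;   // assumed ceiling, stand-in for nscoord_MAX

// Keep only the low 32 bits, as two's-complement hardware does on overflow.
// Routed through uint32_t so the demo itself has no signed-overflow UB.
coord wrap32(int64_t v) { return static_cast<coord>(static_cast<uint32_t>(v)); }

coord wrapping_add(coord a, coord b) { return wrap32(int64_t(a) + b); }
coord wrapping_mul(coord a, float f) { return wrap32(int64_t(double(a) * f)); }

// Saturating versions: clamp to kCoordMax instead of wrapping.
coord sat_add(coord a, coord b) {
  int64_t s = int64_t(a) + b;
  return s > kCoordMax ? kCoordMax : coord(s);
}
coord sat_nonneg_mul(coord a, float f) {   // requires a >= 0 and f >= 0
  double p = double(a) * f;
  return p >= double(kCoordMax) ? kCoordMax : coord(p);
}

// Same shape as the line quoted in comment 6: base + (next - base) * factor.
coord larger_wrapping(coord base, coord next, float factor) {
  return wrapping_add(base, wrapping_mul(next - base, factor));
}

// Saturating multiply, plain add: the product is clamped but the sum is not.
coord larger_sat_mul_only(coord base, coord next, float factor) {
  return wrapping_add(base, sat_nonneg_mul(next - base, factor));
}

// Both steps saturating: the result never leaves [0, kCoordMax]
// for non-negative inputs.
coord larger_saturating(coord base, coord next, float factor) {
  return sat_add(base, sat_nonneg_mul(next - base, factor));
}
```

With a base already at the ceiling, the first two variants return a negative size, which is the kind of value the nsRuleNode.cpp assertion in the description reports.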