Bug 667336 - children.item(-1) causes "ASSERTION: PopulateSelf left the list in a dirty (useless) state!"
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: mozilla8
Assigned To: Boris Zbarsky [:bz] (Out June 25-July 6)
Mentors:
Depends on:
Blocks: 326633
Reported: 2011-06-26 14:37 PDT by Jesse Ruderman
Modified: 2011-07-26 11:15 PDT (History)
CC: 3 users
Flags: bzbarsky: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (84 bytes, text/html)
2011-06-26 14:37 PDT, Jesse Ruderman
Make sure we don't overflow unsigned int on item(). (1.64 KB, patch)
2011-06-30 14:58 PDT, Boris Zbarsky [:bz] (Out June 25-July 6)
peterv: review+

Description Jesse Ruderman 2011-06-26 14:37:18 PDT
###!!! ASSERTION: PopulateSelf left the list in a dirty (useless) state!: '!mRootNode || mState != LIST_DIRTY', file content/base/src/nsContentList.cpp, line 534

>nsContentList::Item [content/base/src/nsContentList.cpp:536]
>nsContentList::GetNodeAt [content/base/src/nsContentList.cpp:632]
>nsIDOMNodeList_Item [dom_quickstubs.cpp:7869]

I think the problem is the "PopulateSelf(aIndex+1);" in nsContentList::Item. aIndex is PRUint32(-1), so the call becomes PopulateSelf(0), which does nothing.

http://hg.mozilla.org/mozilla-central/annotate/38f69296b20c/content/base/src/nsContentList.cpp#l517
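The mechanism described in this comment, as an added illustration that is not part of the bug or of Mozilla's code: a toy lazily populated list shaped like the nsContentList::Item / PopulateSelf pair. `LazyList`, `ListState`, `itemMinusOneLeavesListDirty` and `itemOrEmpty` are constructed for this example, the sample children "a", "b", "c" are constructed, and `std::min` / `UINT32_MAX` stand in for the `NS_MIN` / `PR_UINT32_MAX` used in the attached patch. The list is built in both variants so the original wrap-around and the clamped fix can be compared on the same input.

```cpp
// Added illustration (not Mozilla code): a lazily populated list shaped like
// the nsContentList::Item / PopulateSelf pair from the bug description.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

enum ListState { LIST_DIRTY, LIST_LAZY, LIST_UP_TO_DATE };

class LazyList {
public:
    // clampIndex=false reproduces the original code path, true the patched one.
    LazyList(std::vector<std::string> source, bool clampIndex)
        : mSource(std::move(source)), mClampIndex(clampIndex) {}

    // Counterpart of nsContentList::Item: make sure at least aIndex+1 elements
    // are populated, then hand back the element or nullptr when out of range.
    const std::string* Item(uint32_t aIndex) {
        if (mState != LIST_UP_TO_DATE) {
            uint32_t needed = mClampIndex
                // patched: the clamp keeps aIndex+1 from wrapping to 0
                ? std::min<uint32_t>(aIndex, UINT32_MAX - 1) + 1
                // original: UINT32_MAX + 1 wraps to 0 in unsigned arithmetic
                : aIndex + 1;
            PopulateSelf(needed);
        }
        // The real code asserts "!mRootNode || mState != LIST_DIRTY" here;
        // this model records whether that assertion would have fired instead.
        mAssertionFired = (mState == LIST_DIRTY);
        return aIndex < mElements.size() ? &mElements[aIndex] : nullptr;
    }

    bool assertionFired() const { return mAssertionFired; }

private:
    // Counterpart of PopulateSelf(aNeededLength): returns early when enough
    // elements are already cached. A request for 0 elements is therefore a
    // no-op that leaves a LIST_DIRTY list dirty, which is the whole bug.
    void PopulateSelf(uint32_t aNeededLength) {
        if (mElements.size() >= aNeededLength) return;
        while (mElements.size() < aNeededLength && mElements.size() < mSource.size())
            mElements.push_back(mSource[mElements.size()]);
        mState = (mElements.size() == mSource.size()) ? LIST_UP_TO_DATE : LIST_LAZY;
    }

    std::vector<std::string> mSource;    // stands in for the DOM subtree
    std::vector<std::string> mElements;  // the cached, possibly partial, match list
    ListState mState = LIST_DIRTY;
    bool mClampIndex;
    bool mAssertionFired = false;
};

// children.item(-1): the JS argument -1 reaches C++ as PRUint32(-1).
const uint32_t kMinusOneAsUint32 = static_cast<uint32_t>(-1);

// True when item(-1) would trip the "left the list in a dirty state" assertion.
bool itemMinusOneLeavesListDirty(bool clampIndex) {
    LazyList list({"a", "b", "c"}, clampIndex);  // constructed sample children
    const std::string* result = list.Item(kMinusOneAsUint32);
    return result == nullptr && list.assertionFired();
}

// Ordinary lookups, to show the clamp does not change in-range behaviour.
std::string itemOrEmpty(uint32_t aIndex, bool clampIndex) {
    LazyList list({"a", "b", "c"}, clampIndex);  // constructed sample children
    const std::string* result = list.Item(aIndex);
    return result ? *result : std::string();
}

int main() {
    std::printf("item(-1), original: assertion %s\n",
                itemMinusOneLeavesListDirty(false) ? "fires" : "does not fire");
    std::printf("item(-1), patched:  assertion %s\n",
                itemMinusOneLeavesListDirty(true) ? "fires" : "does not fire");
    std::printf("item(1) -> %s\n", itemOrEmpty(1, true).c_str());
    return 0;
}
```

With the clamp, `item(0xFFFFFFFF)` asks PopulateSelf for `UINT32_MAX` elements, which simply populates everything and leaves the list up to date, so the out-of-range index falls through to the ordinary bounds check and returns null instead of tripping the state assertion.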
Comment 1 Jesse Ruderman 2011-06-26 14:37:49 PDT
Created attachment 542050
testcase
Comment 2 Boris Zbarsky [:bz] (Out June 25-July 6) 2011-06-30 14:58:26 PDT
Created attachment 543271
Make sure we don't overflow unsigned int on item().
Comment 3 Peter Van der Beken [:peterv] 2011-07-25 01:45:44 PDT
Comment on attachment 543271
Make sure we don't overflow unsigned int on item().

Review of attachment 543271:
-----------------------------------------------------------------

::: content/base/src/nsContentList.cpp
@@ +526,5 @@
>      }
>    }
>  
>    if (mState != LIST_UP_TO_DATE)
> +    PopulateSelf(NS_MIN(aIndex, PR_UINT32_MAX-1)+1);
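Review bot: the clamp on the `+` line, `PopulateSelf(NS_MIN(aIndex, PR_UINT32_MAX-1)+1);`, reads like an arbitrary bound without a comment; a one-line note that `aIndex` arrives as `PR_UINT32_MAX` for `item(-1)` (comment 0) and that `aIndex+1` would otherwise wrap to 0 and turn `PopulateSelf` into a no-op that leaves the list dirty would spare the next reader a trip to this bug. The behaviour itself is sound: for `aIndex == PR_UINT32_MAX` the call becomes `PopulateSelf(PR_UINT32_MAX)`, which populates everything, so the dirty-state assertion can no longer fire on that path.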

Maybe add some spaces around operators?
Comment 4 Boris Zbarsky [:bz] (Out June 25-July 6) 2011-07-25 21:05:34 PDT
> Maybe add some spaces around operators?

Done.
Comment 5 :Ehsan Akhgari (out sick) 2011-07-26 11:09:36 PDT
http://hg.mozilla.org/mozilla-central/rev/55cb2f116089
