Closed Bug 667336 Opened 12 years ago Closed 12 years ago

children.item(-1) causes "ASSERTION: PopulateSelf left the list in a dirty (useless) state!"

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: jruderman, Assigned: bzbarsky)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

testcase
84 bytes, text/html
Details
Make sure we don't overflow unsigned int on item().
1.64 KB, patch
peterv
: review+
Details | Diff | Splinter Review 
###!!! ASSERTION: PopulateSelf left the list in a dirty (useless) state!: '!mRootNode || mState != LIST_DIRTY', file content/base/src/nsContentList.cpp, line 534

>nsContentList::Item [content/base/src/nsContentList.cpp:536]
>nsContentList::GetNodeAt [content/base/src/nsContentList.cpp:632]
>nsIDOMNodeList_Item [dom_quickstubs.cpp:7869]

I think the problem is the "PopulateSelf(aIndex+1);" in nsContentList::Item. aIndex is PRUInt32(-1), so the call becomes PopulateSelf(0), which does nothing.

http://hg.mozilla.org/mozilla-central/annotate/38f69296b20c/content/base/src/nsContentList.cpp#l517
Attached file testcase 

    
  
Keywords: assertion, 
          
            testcase

    
  
Assignee: nobody → bzbarsky
Whiteboard: [need review]

    
    

    
  
Comment on attachment 543271 [details] [diff] [review]
Make sure we don't overflow unsigned int on item().

Review of attachment 543271 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/base/src/nsContentList.cpp
@@ +526,5 @@
>      }
>    }
>  
>    if (mState != LIST_UP_TO_DATE)
> +    PopulateSelf(NS_MIN(aIndex, PR_UINT32_MAX-1)+1);

Maybe add some spaces around operators?

        Attachment #543271 -
        Flags: review?(peterv) → review+

    
    

    
  
> Maybe add some spaces around operators?

Done.
Whiteboard: [need review] → [need landing]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/55cb2f116089
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla8

    
  
Flags: in-testsuite+
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.