Closed
Bug 110242
Opened 23 years ago
Closed 23 years ago
textNode.SubstringData() crash...
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla0.9.6
People
(Reporter: jst, Assigned: jst)
References
Details
(Keywords: crash, regression, Whiteboard: [FIXED ON TRUNK AND 096] [PDT+])
Attachments
(3 files)
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
jst
:
review+
vidur
:
superreview+
|
Details | Diff | Splinter Review |
(deleted),
text/html
|
Details |
If a positive number is passed as the start of the substring and -1 (or MAX_INT) is passed as the length mozilla crahses when trying to allocate close to MAX_INT bytes of storage for the new string. Patch coming up.
Assignee | ||
Comment 1•23 years ago
|
||
Btw, this bug causes mozilla to crash when loading the official (soon to be released) W3C DOM test suite.
Assignee | ||
Comment 2•23 years ago
|
||
Assignee | ||
Updated•23 years ago
|
Assignee | ||
Comment 3•23 years ago
|
||
Comment 4•23 years ago
|
||
r=rayw
Updated•23 years ago
|
Attachment #57987 -
Flags: superreview+
Comment 5•23 years ago
|
||
Comment on attachment 57987 [details] [diff] [review] Same as above, but a bit cleaner... sr=vidur
Assignee | ||
Updated•23 years ago
|
Attachment #57987 -
Flags: review+
Comment 6•23 years ago
|
||
This has been checked into the 0.9.6 branch.
Blocks: 104864
Keywords: mozilla0.9.6 → mozilla0.9.6+
Comment 7•23 years ago
|
||
Adding PDT for tracking and 6.2 branch review purposes.
Whiteboard: [HAVE FIX] → [HAVE FIX] [PDT]
Assignee | ||
Comment 8•23 years ago
|
||
This was checked in on the trunk as well, leaving open for possibly landing on the 6.2 branch...
Whiteboard: [HAVE FIX] [PDT] → [FIXED ON TRUNK AND 096] [PDT]
Comment 9•23 years ago
|
||
Pls check this one into the 6.2 branch before 9 am PST = PDT+
Whiteboard: [FIXED ON TRUNK AND 096] [PDT] → [FIXED ON TRUNK AND 096] [PDT+]
Comment 10•23 years ago
|
||
In johnny's absence, who feels comfortable checking this into the 6.2 branch?
Assignee | ||
Comment 11•23 years ago
|
||
I just got back, I'll land this on the branch ASAP.
Assignee | ||
Comment 12•23 years ago
|
||
Fixed on the 6.2 branch. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 13•23 years ago
|
||
Thanks Johnny.
Comment 14•23 years ago
|
||
Does not crash on both linux and win2k (2001-11-21-10). Should we throw the "INDEX_SIZE_ERR" exception instead of returning till the end of the string, like how we are doing if the offset is -1. Adding the keyword vbranch
Keywords: vbranch
Assignee | ||
Comment 15•23 years ago
|
||
XPConnect should throw an error when a negative value is passed to a method that takes unsigned values, and there's a bug on that, but no, we should not throw an error if the numbers of characters requested is higher than the number of characters available. That's how the DOM spec defines this method.
Comment 16•23 years ago
|
||
Comment 17•23 years ago
|
||
verified on the four platforms build 2001-11-26-6.2.1
Status: RESOLVED → VERIFIED
Comment 18•23 years ago
|
||
reopening bug, Does not crash anymore. Returns the substring from the offset to the end of the string for negative data. comment # 16 has testcase. Should throw INDEX_SIZE_ERR. This bug is a regression.
Assignee | ||
Comment 19•23 years ago
|
||
See comment #15. This bug is FIXED.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Comment 20•23 years ago
|
||
agree, INDEX_SIZE_ERR is another bug. Marking Verified
Status: RESOLVED → VERIFIED
Component: DOM: Core → DOM: Core & HTML
QA Contact: stummala → general
You need to log in
before you can comment on or make changes to this bug.
Description
•