Bug 1291082 part.3 ContentCache::TextRectArray::GetUnionRectAsFarAsPossible() should avoid crash by itself r=m_kato
authorMasayuki Nakano <masayuki@d-toybox.com>
Wed, 17 Aug 2016 00:15:44 +0900
changeset 310168 c127bdf8186fa2de85aa0bb54fd46c45074d66c6
parent 310167 10ca767648a511eaaee798ec22dbda768407973e
child 310169 3172e3fa6e24252c7622bc02b46195c6cc569a07
push id80791
push usermasayuki@d-toybox.com
push dateFri, 19 Aug 2016 08:55:15 +0000
treeherdermozilla-inbound@c127bdf8186f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersm_kato
bugs1291082
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1291082 part.3 ContentCache::TextRectArray::GetUnionRectAsFarAsPossible() should avoid crash by itself r=m_kato ContentCache::TextRectArray::GetUnionRectAsFarAsPossible() should avoid crash by itself even if it's caller's bug. This makes parent process more stable, that is what one of the purpose of e10s is. MozReview-Commit-ID: qKAfvm6eZw
widget/ContentCache.cpp
--- a/widget/ContentCache.cpp
+++ b/widget/ContentCache.cpp
@@ -1306,29 +1306,31 @@ ContentCache::TextRectArray::GetUnionRec
 }
 
 LayoutDeviceIntRect
 ContentCache::TextRectArray::GetUnionRectAsFarAsPossible(
                                uint32_t aOffset,
                                uint32_t aLength,
                                bool aRoundToExistingOffset) const
 {
-  MOZ_ASSERT(HasRects());
-
   LayoutDeviceIntRect rect;
-  if (!aRoundToExistingOffset && !IsOverlappingWith(aOffset, aLength)) {
+  if (!HasRects() ||
+      (!aRoundToExistingOffset && !IsOverlappingWith(aOffset, aLength))) {
     return rect;
   }
   uint32_t startOffset = std::max(aOffset, mStart);
   if (aRoundToExistingOffset && startOffset >= EndOffset()) {
     startOffset = EndOffset() - 1;
   }
   uint32_t endOffset = std::min(aOffset + aLength, EndOffset());
   if (aRoundToExistingOffset && endOffset < mStart + 1) {
     endOffset = mStart + 1;
   }
+  if (NS_WARN_IF(endOffset < startOffset)) {
+    return rect;
+  }
   for (uint32_t i = 0; i < endOffset - startOffset; i++) {
     rect = rect.Union(mRects[startOffset - mStart + i]);
   }
   return rect;
 }
 
 } // namespace mozilla