Bug 682650 - Use an unsigned 32-bit integer as the container of offsets inside text nodes; r=roc
authorEhsan Akhgari <ehsan@mozilla.com>
Thu, 08 Sep 2011 11:35:33 -0400
changeset 76774 daa5e76d7f13d2ed0c41cce743dc02ee9abe5408
parent 76773 5aa439407de852dd886dfb5f1cec6319a62d78af
child 76775 6b728c38e6c6bed446e514563050ae2a5f9f2ce7
push id1816
push usereakhgari@mozilla.com
push dateThu, 08 Sep 2011 22:07:46 +0000
reviewersroc
bugs682650, 65535
milestone9.0a1
Bug 682650 - Use an unsigned 32-bit integer as the container of offsets inside text nodes; r=roc (I bet that there are text nodes on the Web which have more than 65535 characters!)
editor/libeditor/html/crashtests/682650-1.html
editor/libeditor/html/crashtests/crashtests.list
editor/libeditor/html/nsWSRunObject.h
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/682650-1.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function repeatChar(s, n)
+{
+  while (s.length < n)
+    s += s;
+  return s.substr(0, n);
+}
+
+function boom()
+{
+  document.documentElement.contentEditable = "true";
+  document.execCommand("inserthtml", false, "<button><\/button>");
+  document.execCommand("inserthtml", false, repeatChar("i", 34646));
+  document.execCommand("contentReadOnly", false, null);
+  document.execCommand("removeformat", false, null);
+  document.execCommand("hilitecolor", false, "red");
+  document.execCommand("inserthtml", false, "a");
+  document.execCommand("delete", false, null);
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+
+</html>
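Review bot: The length 34646 passed to repeatChar() in boom() is an unexplained magic number. Judging from the header change in this commit, it appears to be chosen to exceed 32767, the largest value the old `PRInt16 mOffset` could hold, so a one-line comment would help, e.g. `// 34646 > 32767: the offset no longer fits in a signed 16-bit field`. Without it, a later edit could shrink the string below that limit and the test would stop covering the regression.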
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -17,8 +17,9 @@ load 503709-1.xhtml
 load 513375-1.xhtml
 load 535632-1.xhtml
 load 574558-1.xhtml
 load 582138-1.xhtml
 load 612565-1.html
 asserts(0-6) load 615015-1.html # Bug 439258
 load 615450-1.html
 load 643786-1.html
+load 682650-1.html
--- a/editor/libeditor/html/nsWSRunObject.h
+++ b/editor/libeditor/html/nsWSRunObject.h
@@ -224,19 +224,19 @@ class NS_STACK_CLASS nsWSRunObject
     // WSPoint struct ------------------------------------------------------------
     // A WSPoint struct represents a unique location within the ws run.  It is 
     // always within a textnode that is one of the nodes stored in the list
     // in the wsRunObject.  For convenience, the character at that point is also 
     // stored in the struct.
     struct NS_STACK_CLASS WSPoint
     {
       nsCOMPtr<nsIContent> mTextNode;
-      PRInt16 mOffset;
+      PRUint32 mOffset;
       PRUnichar mChar;
-      
+
       WSPoint() : mTextNode(0),mOffset(0),mChar(0) {}
       WSPoint(nsIDOMNode *aNode, PRInt32 aOffset, PRUnichar aChar) : 
                      mTextNode(do_QueryInterface(aNode)),mOffset(aOffset),mChar(aChar)
       {
         if (!mTextNode->IsNodeOfType(nsINode::eDATA_NODE)) {
           // Not sure if this is needed, but it'll maintain the same
           // functionality
           mTextNode = nsnull;
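Review bot: The three-argument WSPoint constructor still takes `PRInt32 aOffset` and stores it with `mOffset(aOffset)`, so with `mOffset` now `PRUint32` a negative argument silently converts to a very large offset instead of being caught. Either make the parameter unsigned as well or check it on entry, e.g. `NS_ASSERTION(aOffset >= 0, "negative text offset");` as the first statement of the body. Code elsewhere that subtracts from `mOffset` or compares it with signed values may also behave differently now that it wraps rather than going negative; that is not visible in this hunk and is worth auditing. The constructor body continues past the end of the hunk.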