Subject: Re: patch#3: intermittent crasher bug
From: Patrick Lam (firstname.lastname@example.org)
Date: Tue Apr 10 2001 - 00:49:50 CDT
On Mon, 9 Apr 2001, Dom Lachowicz wrote:
> I'm hesitant to commit this code. I've pasted large amounts of formatted
> text into my doc repeatedly and can't reproduce this.
> Can you do one/more of the following for me:
> 1) Tell me how to reproduce the bug more accurately/in more depth
> 2) Provide a backtrace of say the last 10 commands
I can't reproduce this bug anymore.
However, if you set a breakpoint at IE_Exp::copyToBuffer just before it
returns but after it's written the document, you will see that the buffer
m_pByteBuf has a certain m_iSize; say it is 6 (our buffer contains
"Hello\0"). Then buffer[m_iSize-1] should equal 0, because the valid part
of the buffer should be from 0 through m_iSize-1. Instead, you'll see
that in the code, buffer[m_iSize] is 0. This is an off-by-one error. It
should almost never get triggered, because the size allocated is almost
always bigger than the size used. But somehow it triggered efence for me
consistently the other day.
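The invariant described above (the terminator must sit at index m_iSize-1, never at m_iSize) is easy to check with a guard byte placed right behind the allocation, which is essentially what efence does with a red zone. The following is an added illustration written for this archive page; it is not AbiWord code, and ByteBuf, copy_to_buffer_buggy, copy_to_buffer_fixed and check_copy are hypothetical stand-ins for IE_Exp::copyToBuffer and its m_pByteBuf/m_iSize fields. It shows why the bug stays latent while the allocation is larger than the used size, and why it fires the moment they are equal.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the exporter's byte buffer (constructed for this example). */
typedef struct {
    unsigned char *data;
    size_t size;     /* bytes in use: valid indices are 0 .. size-1 */
    size_t capacity; /* bytes allocated for the caller */
} ByteBuf;

#define GUARD 0xAA /* red-zone pattern placed one byte past the usable area */

/* Allocate 'capacity' usable bytes plus one guard byte behind them. */
static ByteBuf *bytebuf_new(size_t capacity) {
    ByteBuf *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(capacity + 1);
    if (!b->data) { free(b); return NULL; }
    memset(b->data, GUARD, capacity + 1); /* deterministic contents */
    b->size = 0;
    b->capacity = capacity;
    return b;
}

static void bytebuf_free(ByteBuf *b) { if (b) { free(b->data); free(b); } }

/* Buggy copy: size counts the terminator, but the NUL is stored one past it. */
static int copy_to_buffer_buggy(ByteBuf *b, const char *text) {
    size_t n = strlen(text) + 1; /* "Hello" -> 6, as in the mail */
    if (n > b->capacity) return -1;
    memcpy(b->data, text, n - 1);
    b->size = n;
    b->data[b->size] = 0; /* off by one: should be b->size - 1 */
    return 0;
}

/* Fixed copy: the terminator is the last valid byte. */
static int copy_to_buffer_fixed(ByteBuf *b, const char *text) {
    size_t n = strlen(text) + 1;
    if (n > b->capacity) return -1;
    memcpy(b->data, text, n - 1);
    b->size = n;
    b->data[b->size - 1] = 0;
    return 0;
}

/* Invariant stated in the mail: data[size-1] must be the terminator. */
static int terminator_in_bounds(const ByteBuf *b) {
    return b->size > 0 && b->data[b->size - 1] == 0;
}

/* Guard byte intact means nothing was written past the usable area. */
static int guard_intact(const ByteBuf *b) {
    return b->data[b->capacity] == GUARD;
}

/* Run one scenario. Returns -1 on failure to copy, otherwise a bitmask:
 * bit 0 = terminator at size-1, bit 1 = guard byte untouched. */
int check_copy(int use_fixed, size_t capacity, const char *text) {
    ByteBuf *b = bytebuf_new(capacity);
    if (!b) return -1;
    int rc = use_fixed ? copy_to_buffer_fixed(b, text) : copy_to_buffer_buggy(b, text);
    int result = -1;
    if (rc == 0)
        result = (terminator_in_bounds(b) ? 1 : 0) | (guard_intact(b) ? 2 : 0);
    bytebuf_free(b);
    return result;
}

int main(void) {
    /* Allocation larger than the used size: the bug stays latent (guard intact). */
    printf("buggy, capacity 64: %d\n", check_copy(0, 64, "Hello"));
    /* Allocation exactly the used size: the stray NUL lands on the guard byte. */
    printf("buggy, capacity 6:  %d\n", check_copy(0, 6, "Hello"));
    printf("fixed, capacity 6:  %d\n", check_copy(1, 6, "Hello"));
    return 0;
}
```

With a 64-byte allocation the buggy copy only fails the terminator check (the write at index 6 still lands inside the allocation), which matches the observation that the bug almost never triggers; with a 6-byte allocation it also clobbers the guard byte, which is the condition efence reports.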
This archive was generated by hypermail 2b25 : Tue Apr 10 2001 - 00:53:12 CDT