This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 16757 - Should cellIndex return -1 if the cell has no parent tr?
Summary: Should cellIndex return -1 if the cell has no parent tr?
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
Depends on:
Reported: 2012-04-17 07:58 UTC by contributor
Modified: 2013-08-15 00:33 UTC (History)
4 users (show)

See Also:


Description contributor 2012-04-17 07:58:38 UTC

Should cellIndex return -1 if the cell has no parent tr?

Posted from: by
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120108 Firefox/12.0a1
Comment 1 Ms2ger 2012-04-17 07:58:52 UTC
See <>
Comment 2 Ms2ger 2012-04-17 08:01:38 UTC
In particular, it seems strange that 0 can mean both "first cell" and "cell in the wrong place". -1 is more common for indexOf-style APIs, IME.
Comment 3 contributor 2012-07-18 17:20:27 UTC
This bug was cloned to create bug 18118 as part of operation convergence.
Comment 4 Ian 'Hixie' Hickson 2012-07-19 23:00:33 UTC
What do browsers do?
Comment 5 Ms2ger 2012-07-20 10:50:55 UTC

Gecko: -1
Chrome: 0
Opera: undefined (but does support the attribute for cells with a parent tr)
IE: semi-random numbers
Comment 6 Ian 'Hixie' Hickson 2012-07-20 16:59:52 UTC

Ok, I'll look into making it -1.
Comment 7 contributor 2012-08-10 19:49:50 UTC
Checked in as WHATWG revision r7243.
Check-in comment: All the browsers disagree, so we'll reward the one that makes the most sense. Today's winner: Firefox!
Comment 8 Ms2ger 2012-08-10 20:05:30 UTC
Filed DSK-371875, <>.
Comment 10 Yuhong Bao 2013-03-20 00:29:38 UTC
(In reply to comment #5)
> IE: semi-random numbers
Playing around with WinDbg, these "semi-random numbers" seems to be addresses. This can probably be used as an address leak to defeat ASLR in IE9. IE10 fixed this and matches the spec.
Comment 11 Yuhong Bao 2013-03-20 00:38:23 UTC
This information leak is due to MSHTML!CTableCell::get_cellIndex not writing the address provided for the return value that is passed as part of COM calling conventions, which is a stack local variable that happens to be set to the address when the function was called.
Comment 12 Yuhong Bao 2013-03-20 00:40:02 UTC
*the address of the object that is passed in the first parameter
Comment 13 Yuhong Bao 2013-07-11 01:55:23 UTC
Fixed in the July Cumulative Update, it now returns -1.
Comment 14 Yuhong Bao 2013-08-15 00:33:32 UTC
For IE9.