Marking Security-Sensitive due to mentioning "Random Classes" fuzzer. Stuck in a loop that asserts: ###!!! ASSERTION: aPos out of range: '0 <= aPos && aPos < mCharacterCount', file ../../dist/include/thebes/gfxFont.h, line 556 STEPS TO REPRODUCE 1. load http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore 2. start "Random Classes 2.0" fuzzer (bug 331889) with args: 13, 32, 100, 400, 0, 0 ACTUAL RESULT Hangs after a few seconds with the console filling up with the assertions above. The stack doesn't grow uncontrollably but we never seem to finish the reflow somehow. PLATFORMS AND BUILDS TESTED Bug occurs in a Firefox trunk debug build on Linux (Ubuntu-feisty/x86_64)

Not sure if this helps any, I just typed CTRL+C in a debugger and this is the stack I got at that point...

BTW, sorry for using an old version of "Random Classes", I was triaging bug 369971 and just thought I should spawn this off as a new bug...

I simply forgot to update the index variable.

Unfortunately it's hard to test this right now with a small testcase because whether the testcase is triggered or not depends very much on what fonts you have installed.

If without the patch we assert in a loop, we will still assert once with it, right?

You're right! There is a deeper issue here with mismatch between DOM offsets and textrun offsets.

checked in

Since this involves Thebes am I right in assuming this is a 1.9-only bug? This was reading out of range, right, not writing?

Yeah, this is 1.9 only. Not sure of overall impact, but it doesn't really matter.