Closed Bug 399951 Opened 17 years ago Closed 17 years ago

Crash [@ nsTextFrameUtils::TransformText] with rtl, pre

Categories

(Core :: Layout: Text and Fonts, defect, P3)

Product:
Core
Component:
Layout: Text and Fonts
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: smontagu)

References

Details

(4 keywords, Whiteboard: [sg:critical?][dbaron-1.9:RsCt])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
(deleted), text/html
Details
Loading the testcase triggers: ###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 66 Crash [@ nsTextFrameUtils::TransformText] with cut-off stack trace. Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0xc0000000 Thread 0 Crashed: 0 nsTextFrameUtils::TransformText(unsigned char const*, unsigned, unsigned char*, int, unsigned char*, gfxSkipCharsBuilder*, unsigned*) + 116 (nsTextFrameUtils.cpp:202) 1 BuildTextRunsScanner::BuildTextRunForFrames(void*) + 1553 (nsTextFrameThebes.cpp:1437) 2 BuildTextRunsScanner::FlushFrames(int) + 393 (nsTextFrameThebes.cpp:1035) [end of stack]
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Simon, more invariant-violating fun: Block(div)(1)@0x271fae4 next=0x271fbb4 {0,0,72540,4608} [state=00000401] sc=0x2720340(i=4,b=0)< line 0x271fb8c: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x5000] {72540,0,0,1152} < Text(0)@0x271fa58[0,12,T] next=0x271ff50 next-continuation=0x271ff50 {72540,96,0,960} [state=00220601] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< "\n.i\n h\n f\n" > > line 0x271ff94: count=2 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x9100] {72033,1152,507,1152} ca={0,1152,72540,1152} < Text(0)@0x271ff50[12,-10,F] next=0x271fec8 prev-continuation=0x271fa58 next-continuation=0x271fec8 {72300,1248,240,960} [state=00220204] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< "" > Text(0)@0x271fec8[2,2,F] next=0x271ffbc prev-continuation=0x271ff50 next-continuation=0x271ffbc {72033,1248,267,960} [state=00420204] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< "i\n" > > line 0x2720000: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x5100] {71580,2304,960,1152} ca={0,2304,72540,1152} < Text(0)@0x271ffbc[4,4,F] next=0x2720028 prev-continuation=0x271fec8 next-continuation=0x2720028 {71580,2400,960,960} [state=00620204] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< " h\n" > > line 0x272006c: count=2 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x9100] {71740,3456,800,1152} ca={0,3456,72540,1152} < Text(0)@0x2720028[8,3,F] next=0x271ff0c prev-continuation=0x271ffbc next-continuation=0x271ff0c {71740,3552,800,960} [state=00620204] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< " f" > Text(0)@0x271ff0c[11,1,T] prev-continuation=0x2720028 {71740,3552,0,960} [state=00020204] SELECTED [content=0x3e541200] sc=0x27203b4 pst=:-moz-non-element< "\n" > > > >
Flags: blocking1.9? → blocking1.9+
Assignee: nobody → smontagu
Depends on: 397961
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:RsCt]
FIXED by bug 397961
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008011009 Firefox/3.0b3pre ID:2008011009 and jesse's testcase. No assertion and no crash on testcase -> Verified fixed
Status: RESOLVED → VERIFIED
No assertions/crashes on branch.
Group: security
Flags: wanted1.8.1.x-
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
Crash Signature: [@ nsTextFrameUtils::TransformText]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: