Closed
Bug 300122
Opened 19 years ago
Closed 19 years ago
Crash [@ ConvertUnicharToUCS4]
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bastiaan, Assigned: bastiaan)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
|
8.83 KB,
text/plain
|
Details | |
|
1.07 KB,
patch
|
Details | Diff | Splinter Review |
This crash is triggered by testcases 3 and 4 in bug 252970. However, that bug has been declared a windows-only problem and the stacktrace is different, so I've started a new bug. This crash seems to originate in nsTextFrame::GetPointFromOffset(), which sometimes calls nsRenderingContextGTK::GetWidth() with an invalid aLength parameter, as you can see in frame 5 in the stacktrace.
|
Assignee | |
Comment 1•19 years ago
|
||
|
|
Assignee | |
Comment 2•19 years ago
|
||
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/generic/nsTextFrame.cpp&mark=4193,4213#4180 The problem is that ip[inOffset] contains a rather large number, which causes ConvertUnicharToUCS4() to overflow the buffer. The attached patch checks for that and corrects if necessary. The next step is to determine _why_ ip[inOffset] contains such a large number.
|
||
Comment 3•19 years ago
|
||
Some thunderbird stack traces (mentioned in bug 252970) go through GetPointFromOffset so that it may prevent TB from crashing.
re: gdb stacktrace #4 nsRenderingContextGTK::GetWidth (... aLength=142683648 ...) #5 nsTextFrame::GetPointFromOffset (... inOffset=1 ) It all looks very fishy. How can a simple inOffset=1 lead to such a huge length. It is not even that inOffset is big (implying that some other code/loop kicks in and messes things up). It gives the impression that no code (or little code) is reached, leaving things uninitialized by the time we get there.
|
||
Comment 5•19 years ago
|
||
I get a lot of UMRs with valgrind starting with:
Conditional jump or move depends on uninitialised value(s)
nsTextFrame::PrepareUnicodeText(nsTextTransformer&, nsAutoIndexBuffer*,
nsAutoTextBuffer*, int*, int, int*) (nsTextFrame.cpp:1900)
nsTextFrame::GetPointFromOffset(nsPresContext*, nsIRenderingContext*, int,
nsPoint*) (nsTextFrame.cpp:4171)
nsTypedSelection::GetPointFromOffset(nsIFrame*, int, nsPoint*)
(nsSelection.cpp:6734)
nsTypedSelection::GetCachedFrameOffset(nsIFrame*, int, nsPoint&)
(nsSelection.cpp:5086)
nsTextFrame.cpp:1900 is
if ((ip[mContentLength] - mContentOffset) < textLength) {
ip[mContentLength] was the uninitialized part.|
|
||
Comment 6•19 years ago
|
||
I forgot to mention this sems to be gtk1-only. And nightly builds seem immune to the crash.
Keywords: testcase
|
|
Assignee | |
Comment 7•19 years ago
|
||
This occurs in my gtk2 build.
|
|
Assignee | |
Comment 8•19 years ago
|
||
The fixes for bug 252970 seem to have fixed this bug as well. If you can reproduce the crash and you're seeing the stacktrace in attachment 188693 [details], please reopen.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: Crash @ [ConvertUnicharToUCS4] → Crash [@ ConvertUnicharToUCS4]
|
||
Comment 9•19 years ago
|
||
*** Bug 312782 has been marked as a duplicate of this bug. ***
|
|
||
Comment 10•19 years ago
|
||
Reopening based on the stack in bug 312782.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
||
Comment 11•19 years ago
|
||
This is probably not happening again on the trunk and RC1 - because they have the fix from bug 307875 which protects against such crashes once for all.
|
||
Comment 12•19 years ago
|
||
Adam, generally, same or similar stack does not necessarily mean same bug, esp. if the testcases in one bug are fixed...
|
|
||
Comment 13•19 years ago
|
||
Sorry for the trouble. I should have verified this myself in the latest builds before reopening.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ ConvertUnicharToUCS4]
You need to log in
before you can comment on or make changes to this bug.
Description
•