Closed Bug 97516 Opened 23 years ago Closed 23 years ago

crash in nsRenderingContextWin::GetWidth() in certain situation

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: shanjian, Assigned: shanjian)

Details

(Keywords: crash)

Attachments

(3 files)

proposed patch
1.21 KB, patch
Details | Diff | Splinter Review
update patch as suggested by brendan
484 bytes, patch
Details | Diff | Splinter Review
The patch that fix the real problem
527 bytes, patch
waterson
: superreview+
asa
: approval+
Details | Diff | Splinter Review 
This bug was sprawn from bugscape 8832. It is reproducible an embed product. I 
believe this problem also happens in certain situation with other mozilla based 
product. 

In following code, 
      nsFontWin** end = &metrics->mLoadedFonts[metrics->mLoadedFontsCount];
      while (font < end) {
        if (FONT_HAS_GLYPH((*font)->mMap, c)) {
          currFont = *font;
          goto FoundFont; // for speed -- avoid "if" statement
        }
mLoadedFontsCount is not initiated. In certain situation, (font < end) is true, 
but *font is null or invalide value, that will lead to a crash.
Attached patch proposed patchSplinter Review 

    
    

    
  
confirming

Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash

    
    

    
  
accepting

Status: NEW → ASSIGNED

    
    

    
  
roy review the patch in bugscape 8832.

    
    

    
  
Looks ok to me, but I'd like r=yokoyama on this latest patch only, recorded
here, and then one of the SRs cc'd can sr= this patch, too.

/be

    
    

    
  
Interesting, the nsFontMetricsWin class has 
NS_DECL_AND_IMPL_ZEROING_OPERATOR_NEW, defined in
http://lxr.mozilla.org/seamonkey/source/xpcom/ds/nsCRT.h#51

Isn't this supposed to zero everything, including therefore mLoadedFontsCount?


    
    

    
  
Let's ask scc!

/be

    
    

    
  
I finally reproduce the problem with a testcase found in bugscape 9036. The real 
problem is that sometimes null pointer is assigned to mLoadedFonts array. The 
previous patch (attachment 45784 [details]) does not fix any problem. 

    
    

    
  
FYI, I still could not reproduce the problem with trunk build, but I believe the 
problem exist. We only do not know how to make it happen. I also checked all 
places where mLoadedFonts array is assigned, and everything seems fine except 
the problematic pointer as shown in my patch. 

    
    

    
  
Yep, that patch looks more sensible to me. A fall-through error code path
that wasn't accounted for. I had this corrected in my font changes.

r=rbs


    
    

    
  
Comment on attachment 48340 [details] [diff] [review]
The patch that fix the real problem

sr=waterson

        Attachment #48340 -
        Flags: superreview+

    
    

    
  
fix checked in to trunk. 

    
    

    
  
Comment on attachment 48340 [details] [diff] [review]
The patch that fix the real problem

a=asa for checkin to 0.9.4 branch

        Attachment #48340 -
        Flags: approval+

    
    

    
  
fix checked in  to 0.9.4 branch. 
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

    
    

    
  
Marking verified per last comments.
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: