Closed Bug 1221904 Opened 6 years ago Closed 6 years ago
"ASSERTION: Invalid offset" with bidi text change
###!!! ASSERTION: Invalid offset: 'uint32_t(aOffset) <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 23 ###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrame.cpp, line 8480
It's possible the code after the asserts handles this condition in which case the security severity I'm assigning is overstated. Please let us know after this is analyzed.
The testcase WFM in trunk, but I can reproduce it in Aurora. Bisecting when it was first fixed gives this rev: https://hg.mozilla.org/integration/mozilla-inbound/rev/a675fc80caa9 i.e. bug 1216096, which makes sense looking at the changes. Maybe there *is* a bug here though and that the backout in bug 1216096 merely wallpapers it and that it will come back and bite us again? I don't know. Seems like we should uplift bug 1216096 to the affected branches though. [Tracking Requested - why for this release]: sec-high (possibly)
Has Regression Range: --- → yes
Has STR: --- → yes
Depends on: 1216096
Whiteboard: [fixed on trunk (45) by bug 1216096]
(In reply to Mats Palmgren (:mats) from comment #3) > Maybe there *is* a bug here though and that the backout in bug 1216096 merely > wallpapers it and that it will come back and bite us again? I don't know. I can't swear to it, but I think it's more likely that bug 1164963 caused the bug and the backout fixed it. > > Seems like we should uplift bug 1216096 to the affected branches though. See bug 1216096 comment 11. I would very much have liked to uplift bug 1216096, but that won't be possible unless we can fix the regression on Aurora.
OK, thanks. "Bug 1164963 - Hi-res search icons for localized search plugins" doesn't seem like the right bug though. It doesn't have any patches so it seems unlikely to have caused the regression. Resolving as WFM for mozilla45 -- fixed by the backout in bug 1216096. I'm guesssing 43/44 are wontfix based on comment 4, but I'll leave that for others to decide.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Bug 1164693 is probably the right bug number for the bug that originally regressed it.
Should be fixed43 and fixed44 by the uplift of bug 1216096, but I don't have debug branch builds to confirm that.
WFM in my local beta and aurora trees on Linux64.
Jesse, could you please confirm that this issue is fixed as expected on a latest Nightly build? Thanks!
Did this affect Firefox 42 or ESR38?
(In reply to Al Billings [:abillings] from comment #11) > Did this affect Firefox 42 or ESR38? AFAICS, bug 1164693 landed for FF42, so that will be affected, but not ESR38.
Confirmed WFM on mozilla-central :)
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/ba2c446c8f31 Add crashtest. r=mats
You need to log in before you can comment on or make changes to this bug.