Closed Bug 347304 Opened 18 years ago Closed 18 years ago

ASSERTION: yikes - we just overwrote memory: 'indexp <= aIndexBuffer->mBuffer + aIndexBuffer->mBufferLen', file /home/np/mozilla/layout/generic/nsTextFrame.cpp, line 2366

Categories: Core :: Layout: Text and Fonts, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED DUPLICATE of bug 345071
People: Reporter: jason.barnabe, Unassigned
Details: Keywords: hang, Whiteboard: [sg:dupe 345071]
Attachments: 1 file

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9a1) Gecko/20060803 Minefield/3.0a1

1. Load http://userstyles.org/style/show/210?raw , a 30KB CSS file with some very long lines
2. Scroll to the bottom
3. Reload
4. Keep reloading until you get a hang

Last few reloads' output:

nsLineLayout: Text(3)@0x2315a08 metrics=511160,225!
Block(pre)(0)@0x2352510: line=0x23159c8 xmost=519575
nsLineLayout: Text(3)@0x2315a08 metrics=681803,225!
Block(pre)(0)@0x2352510: line=0x23159c8 xmost=690218
nsLineLayout: Text(3)@0x2315a08 metrics=785684,225!
Block(pre)(0)@0x2352510: line=0x23159c8 xmost=794099
Block(pre)(0)@0x2352510: WARNING: xmost:794099
++DOMWINDOW == 9
--DOMWINDOW == 8
nsLineLayout: Text(3)@0x22f9df8 metrics=511160,225!
Block(pre)(0)@0x259cb10: line=0x22f9db8 xmost=519575
nsLineLayout: Text(3)@0x22f9df8 metrics=681803,225!
Block(pre)(0)@0x259cb10: line=0x22f9db8 xmost=690218
nsLineLayout: Text(3)@0x22f9df8 metrics=785684,225!
Block(pre)(0)@0x259cb10: line=0x22f9db8 xmost=794099
Block(pre)(0)@0x259cb10: WARNING: xmost:794099
++DOMWINDOW == 9
--DOMWINDOW == 8
nsLineLayout: Text(3)@0x2368750 metrics=511026,225!
Block(pre)(0)@0x25b9570: line=0x2368710 xmost=578319
nsLineLayout: Text(3)@0x2368750 metrics=681458,225!
Block(pre)(0)@0x25b9570: line=0x2368710 xmost=748751
nsLineLayout: Text(3)@0x2368750 metrics=726806,225!
Block(pre)(0)@0x25b9570: line=0x2368710 xmost=794099
###!!! ASSERTION: yikes - we just overwrote memory: 'indexp <= aIndexBuffer->mBuffer + aIndexBuffer->mBufferLen', file /home/np/mozilla/layout/generic/nsTextFrame.cpp, line 2366

I've marked this as a security bug because "yikes - we just overwrote memory" doesn't sound too safe...
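The assertion text quoted above is a post-hoc check that the index cursor has not run past the end of the index buffer. As an added illustration (constructed model, not Gecko's nsTextFrame code), the block below mirrors that condition in `index_cursor_in_bounds` and shows the precondition a writer should check instead, so an undersized buffer is rejected before anything is overwritten. The `IndexBuffer` layout, the `TAB_ENTRIES` expansion rule and the sample line are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
/* Constructed model, not Gecko code: a cursor `indexp` advances through
 * mBuffer while a text run is measured and must never pass mBuffer + mBufferLen. */
typedef struct {
    int32_t *mBuffer;
    size_t   mBufferLen;   /* capacity in entries */
} IndexBuffer;
/* The condition the assertion tests, as a reusable check. */
static bool index_cursor_in_bounds(const IndexBuffer *ib, const int32_t *indexp)
{
    return indexp <= ib->mBuffer + ib->mBufferLen;
}

/* Constructed expansion rule: a tab in a <pre> run takes TAB_ENTRIES index
 * entries, so a buffer sized one entry per source character is too small. */
#define TAB_ENTRIES 8

static size_t entries_needed(const char *text, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (text[i] == '\t') ? TAB_ENTRIES : 1;
    return n;
}

/* Checked writer: rejects a run that cannot fit before writing anything,
 * instead of catching the overrun afterwards. Returns entries written, 0 if rejected. */
static size_t fill_indices_checked(IndexBuffer *ib, const char *text, size_t len)
{
    if (entries_needed(text, len) > ib->mBufferLen)
        return 0;
    int32_t *indexp = ib->mBuffer;
    for (size_t i = 0; i < len; i++) {
        size_t reps = (text[i] == '\t') ? TAB_ENTRIES : 1;
        while (reps--)
            *indexp++ = (int32_t)i;   /* each entry maps back to its source offset */
    }
    return index_cursor_in_bounds(ib, indexp) ? (size_t)(indexp - ib->mBuffer) : 0;
}
/* Constructed sample: a <pre> line of 34 characters with two tabs, measured
 * into a 64-entry store whose advertised capacity is `capacity` (clamped to 64). */
static size_t measure_sample_line(size_t capacity)
{
    static const char kLine[] = "a {\tcolor: red;\tbackground: blue;}";
    int32_t storage[64];
    IndexBuffer ib = { storage, capacity > 64 ? 64 : capacity };
    return fill_indices_checked(&ib, kLine, sizeof kLine - 1);
}
```

A capacity of 34 (one entry per character) is refused, while 48 or more is accepted and yields 48 entries.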
Attached file stack of the assertion
bug 345071 describes a problem in nsTextFrame::PaintUnicodeText involving the same assertion and was recently (Aug 15) fixed on trunk. Has the problem been fixed in recent nightlies, or is it a different problem that just happens to hit the same assertion?
Whiteboard: [sg:critical?] dupe of bug 345071?
Doesn't happen any more with Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9a1) Gecko/20060907 Minefield/3.0a1

I'd mark it as a dupe but Bugzilla seems to not let me.
Thanks for the confirmation.

*** This bug has been marked as a duplicate of 345071 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] dupe of bug 345071? → [sg:dupe 345071]
Status: RESOLVED → VERIFIED
Group: security