Closed Bug 373628 Opened 17 years ago Closed 17 years ago

Crash [@ nsCharTraits::length] with unminimised testcase, long text and quotes

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: smontagu)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 333659] post 1.8-branch)

Attachments

(1 file)

Attached file testcase
See testcase, which usually crashes for me directly or after a few reloads (reloads automatically)

Talkback ID: TB30143067M
nsCharTraits<unsigned short>::length  [mozilla/dist/include/string/nschartraits.h, line 370]
nsBidiPresUtils::ProcessText  [mozilla/layout/base/nsbidipresutils.cpp, line 1515]
0x0012e60c
nsROCSSPrimitiveValue::GetCssText  [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]
0x68016a01

This regressed between 2007-03-04 and 2007-03-05:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+08&cvsroot=%2Fcvsroot
Regression from bug 370588, somehow?

The talkback stacktrace seems to indicate this is a regression from roc:
[mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]
                        ^^^

Marking security sensitive for now, please open up if this is not necessary.
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
If you are not the right person to assign this to, please help us find someone that is.
Assignee: nobody → smontagu
I guess this could be fixed by bug 333659.
Depends on: 333659
(In reply to comment #0)
> The talkback stacktrace seems to indicate this is a regression from roc:
> [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]

Um, is this intended as a joke? "ro" in that filename means read-only.
This does not crash with new textframe.
Indeed, doesn't seem to crash, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070620 Minefield/3.0a6pre
(which is a build after the new-text-frame patch landed)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:dupe 333659] post 1.8-branch
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsCharTraits::length]
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/659d596caf43
Flags: in-testsuite? → in-testsuite+