Crash [@ nsCharTraits::length] with unminimised testcase, long text and quotes

RESOLVED FIXED

Status

defect
--
critical
RESOLVED FIXED
12 years ago
7 years ago

People

(Reporter: martijn.martijn, Assigned: smontagu)

Tracking

({crash, regression, testcase})

Trunk
x86
Windows XP
Points:
---
Bug Flags:
blocking1.9 +
wanted1.8.1.x -
wanted1.8.0.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 333659] post 1.8-branch, crash signature)

Attachments

(1 attachment)

Reporter

Description

12 years ago
Posted file testcase
See testcase, which usually crashes for me directly or after a few reloads (reloads automatically)

Talkback ID: TB30143067M
nsCharTraits<unsigned short>::length  [mozilla/dist/include/string/nschartraits.h, line 370]
nsBidiPresUtils::ProcessText  [mozilla/layout/base/nsbidipresutils.cpp, line 1515]
0x0012e60c
nsROCSSPrimitiveValue::GetCssText  [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]
0x68016a01

This regressed between 2007-03-04 and 2007-03-05:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+08&cvsroot=%2Fcvsroot
Regression from bug 370588, somehow?

The talkback stacktrace seems to indicate this is regression from roc:
[mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]
                        ^^^

Marking security sensitive for now, please open up if this is not necessary.
Reporter

Updated

12 years ago
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+

Comment 1

12 years ago
If you are not the right person to assign this to, please help us find someone that is.
Assignee: nobody → smontagu
Reporter

Comment 2

12 years ago
I guess this could be fixed by bug 333659.
Depends on: 333659
Assignee

Comment 3

12 years ago
(In reply to comment #0)
> The talkback stacktrace seems to indicate this is regression from roc:
> [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199]

Um, is this intended as a joke? "ro" in that filename means read-only.
This does not crash with new textframe.
Reporter

Comment 5

12 years ago
Indeed, doesn't seem to crash, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070620 Minefield/3.0a6pre
(which is a build after the new-text-frame patch landed)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:dupe 333659] post 1.8-branch
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsCharTraits::length]

Comment 6

7 years ago
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/659d596caf43
Flags: in-testsuite? → in-testsuite+