376627 - Crash [@ nsAString_internal::ToSubstring] with 

Status: RESOLVED DUPLICATE of bug 377053

(Core :: Graphics, defect)

Description

[Jesse Ruderman]

Attachment: tiny testcase that crashes Firefox when loaded

Tested in Mac trunk debug only.  This bug affects over 0.1% of URLs in http://random.yahoo.com/bin/ryl/.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000005

Thread 0 Crashed:
0   <<00000000>> 	0x3d3930de 0 + 1027158238
1   libxpcom_core.dylib      	0x0137ef9f nsAString_internal::ToSubstring() const + 23 (nsTAString.cpp:521)
2   libxpcom_core.dylib      	0x013775dd nsSubstring::Assign(nsAString_internal const&) + 73 (nsTSubstring.cpp:435)
3   libxpcom_core.dylib      	0x0139aa14 nsString::nsString[in-charge](nsAString_internal const&) + 28 (nsTString.h:100)
4   libthebes.dylib          	0x07b0b0c1 gfxFont::gfxFont[not-in-charge](nsAString_internal const&, gfxFontStyle const*) + 61 (gfxFont.cpp:147)
5   libthebes.dylib          	0x07b15e2c gfxAtsuiFont::gfxAtsuiFont[in-charge](unsigned long, nsAString_internal const&, gfxFontStyle const*) + 40 (gfxAtsuiFonts.cpp:79)
6   libthebes.dylib          	0x07b164c4 GetOrMakeFont(unsigned long, gfxFontStyle const*, nsTArray<nsRefPtr<gfxFont> >*) + 154 (gfxAtsuiFonts.cpp:290)
7   libthebes.dylib          	0x07b165e5 gfxAtsuiFontGroup::FindFontFor(unsigned long) + 125 (gfxAtsuiFonts.cpp:495)
8   libthebes.dylib          	0x07b16e08 gfxAtsuiFontGroup::InitTextRun(gfxTextRun*, unsigned short const*, unsigned, int) + 910 (gfxAtsuiFonts.cpp:892)
9   libthebes.dylib          	0x07b170eb gfxAtsuiFontGroup::MakeTextRunInternal(unsigned short const*, unsigned, int, gfxTextRunFactory::Parameters*) + 209 (gfxAtsuiFonts.cpp:433)
10  libthebes.dylib          	0x07b171f3 gfxAtsuiFontGroup::MakeTextRun(unsigned char const*, unsigned, gfxTextRunFactory::Parameters*) + 253 (gfxAtsuiFonts.cpp:478)
11  libthebes.dylib          	0x07b140c2 gfxTextRunCache::GetOrMakeTextRun(gfxContext*, gfxFontGroup*, char const*, unsigned, unsigned, int, int, int*) + 406 (gfxTextRunCache.cpp:242)
12  libgkgfxthebes.dylib     	0x30d1cd5f nsThebesFontMetrics::AutoTextRun::AutoTextRun[in-charge](nsThebesFontMetrics*, nsIRenderingContext*, char const*, int, int) + 155 (nsThebesFontMetrics.h:165)
13  libgkgfxthebes.dylib     	0x30d117e4 nsThebesFontMetrics::GetWidth(char const*, unsigned, int&, nsThebesRenderingContext*) + 178 (nsThebesFontMetrics.cpp:325)
14  libgkgfxthebes.dylib     	0x30d0f0b6 nsThebesRenderingContext::GetWidthInternal(char const*, unsigned, int&) + 86 (nsThebesRenderingContext.cpp:1083)
15  libgkgfxthebes.dylib     	0x30d12cf6 nsRenderingContextImpl::GetWidth(char const*, unsigned, int&) + 92 (nsRenderingContextImpl.cpp:500)
16  libgkgfxthebes.dylib     	0x30d1aa0d nsThebesRenderingContext::GetWidth(char const*, unsigned, int&) + 41 (nsThebesRenderingContext.h:150)
17  libgkgfxthebes.dylib     	0x30d0eff7 nsThebesRenderingContext::GetTextDimensionsInternal(char const*, unsigned, nsTextDimensions&) + 123 (nsThebesRenderingContext.cpp:1110)
18  libgkgfxthebes.dylib     	0x30d12e4a nsRenderingContextImpl::GetTextDimensions(char const*, unsigned, nsTextDimensions&) + 66 (nsRenderingContextImpl.cpp:540)
19  libgklayout.dylib        	0x1978f010 nsTextFrame::MeasureText(nsPresContext*, nsHTMLReflowState const&, nsTextTransformer&, nsTextStyle&, nsTextFrame::TextReflowData&) + 2326 (nsTextFrame.cpp:5326)
20  libgklayout.dylib        	0x19792aae nsTextFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 1546 (nsTextFrame.cpp:6114)
...

Comment 1

[Stuart Parmenter]

this sounds like a bug with our string code?

Comment 2

[Jesse Ruderman]

This also happens whenever I press Esc in e.g. a prompt().  Probably for the same reason: it's (incorrectly) trying to add an Esc character to the textbox, like it's been doing for months, and now gets confused while trying to find a font for that character.

Comment 4

[Bob Clary [:bc] (inactive)]

crash test landed
http://hg.mozilla.org/mozilla-central/rev/176c054aebad