Closed Bug 387358 Opened 17 years ago Closed 17 years ago

Stuck in a reflow loop that asserts: ###!!! ASSERTION: aPos out of range: '0 <= aPos && aPos < mCharacterCount', file ../../dist/include/thebes/gfxFont.h, line 556

Categories

(Core :: Layout, defect)

Hardware: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: MatsPalmgren_bugz, Assigned: roc)

Details

(Keywords: assertion, hang, Whiteboard: [sg:low?])

Attachments

(3 files)

Marking Security-Sensitive due to mentioning "Random Classes" fuzzer.

Stuck in a loop that asserts: ###!!! ASSERTION: aPos out of range: '0 <= aPos && aPos < mCharacterCount', file ../../dist/include/thebes/gfxFont.h, line 556

STEPS TO REPRODUCE
1. load http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore
2. start "Random Classes 2.0" fuzzer (bug 331889) with args:
   13, 32, 100, 400, 0, 0

ACTUAL RESULT
Hangs after a few seconds with the console filling up with the assertions
above. The stack doesn't grow uncontrollably but we never seem to finish
the reflow somehow.

PLATFORMS AND BUILDS TESTED
Bug occurs in a Firefox trunk debug build on Linux (Ubuntu-feisty/x86_64)
Flags: blocking1.9?
Attached file: stack
Not sure if this helps any; I just typed CTRL+C in a debugger and this
is the stack I got at that point...
BTW, sorry for using an old version of "Random Classes", I was triaging
bug 369971 and just thought I should spawn this off as a new bug...
Attached patch: fix
I simply forgot to update the index variable.
Assignee: nobody → roc
Status: NEW → ASSIGNED
Attachment #271933 - Flags: review?
Unfortunately it's hard to test this right now with a small testcase because whether the testcase is triggered or not depends very much on what fonts you have installed.
Attachment #271933 - Flags: review? → review?(smontagu)
Attachment #271933 - Flags: review?(smontagu) → review+
If without the patch we assert in a loop, we will still assert once with it, right?
Attached patch: updated fix
You're right! There is a deeper issue here with mismatch between DOM offsets and textrun offsets.
Attachment #271965 - Flags: review?(smontagu)
Attachment #271965 - Flags: review?(smontagu) → review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Since this involves Thebes am I right in assuming this is a 1.9-only bug?

This was reading out of range, right, not writing?
Whiteboard: [sg:low?]
Yeah, this is 1.9 only. Not sure of overall impact, but it doesn't really matter.
Flags: blocking1.9?
Group: core-security