Bug 390417 (Closed)
Opened 17 years ago, closed 17 years ago
Crash [@ gfxSkipCharsIterator::SetOffsets ] with div:first-line {}, many lines of text, and empty line at end
Categories: Core :: Layout, defect
Status: RESOLVED FIXED
People: Reporter: dholbert, Unassigned
Whiteboard: [sg:critical] post 1.8-branch
Attachments (1 file): 532 bytes, text/html

Description (Reporter, 17 years ago):
Crashing on gfxSkipChars.cpp:129, which is:
PRInt32 currentRunLength = mSkipChars->mList[mListPrefixLength];
In my current instance, mListPrefixLength is 3260547140, which makes me think it's coming from uninitialized memory or something.
I also get a few of these assertions before the crash:
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /scratch/work/builds/trunk.07-07-31.09-38/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
Also, if there's enough text to create a vertical scrollbar, the crash doesn't happen.
Right now, it looks like I only get a crash when there's 5+ lines of text... but that could just be circumstantial.
Also, if I make my browser window wide enough before triggering the test case, I don't get the crash (presumably because there are fewer lines).
Found this crash while modifying testcases for bug 387512.
Comment 1 (Reporter, 17 years ago):
How old is your tree? Before roc's backout yesterday?
Comment 3 (Reporter, 17 years ago):
The tree I tested was from 9am on 7-31.
Checking out a new tree now... in the meantime, tested these nightlies:
2007-07-30-04-trunk: No Crash
2007-08-01-04-trunk: **Crash**
Comment 4 (Reporter, 17 years ago):
Getting a crash with this morning's tree as well.
Comment 5 (Reporter, 17 years ago):
Reproduced on WinXP using latest nightly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007080105 Minefield/3.0a7pre
OS: Linux → All
Comment 6 (Reporter, 17 years ago):
Resolving as duplicate of 386584.
(Based on crash location and the fact that both bugs seem triggered by back-out of 385270)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Comment 7 (17 years ago):
Because this crash looks potentially exploitable and does not require the user interaction (changing text size) of bug 386584 it's better to leave this open for separate QA verification. We can make it depend on that one instead, although given the handy simple testcase here it might be easier to go the other way.
Status: RESOLVED → REOPENED
Depends on: 386584
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Flags: blocking1.9?
Resolution: DUPLICATE → ---
Whiteboard: [sg:critical] post 1.8-branch
Comment 8 (Reporter, 17 years ago):
Testcase seems to be fixed by checkin for Bug 385270.
Updated (17 years ago):
Flags: in-testsuite?
Comment 9 (17 years ago):
Should this bug's security flag be removed?
Updated (17 years ago):
Group: security
Comment 10 (6 years ago):
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b458fde98c51
Add crashtest. r=mats
Updated (6 years ago):
Flags: in-testsuite? → in-testsuite+
Comment 11 (6 years ago):
bugherder