Closed Bug 392923 Opened 17 years ago Closed 17 years ago

Crash with -moz-column-count and bidi

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: smontagu, Unassigned)

References

Details

(Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(2 files)

testcases (crashes!)
1.19 KB, text/html
Details
Reduced testcase
311 bytes, text/html
Details
Attached file testcases (crashes!) 
This test crashes with stack corruption in current builds. It's based on attachment 217143 [details], with the addition of -moz-column-count: 2
This is the top of the stack when entering nsTextFrameUtils::TransformText shortly before the crash. aLength is not happy.

#0  nsTextFrameUtils::TransformText (aText=0x24aaea0, aLength=4294966965, aOutput=0xbfff80ac, aCompressWhitespace=1, aIncomingWhitespace=0xbfff9413 "", aSkipChars=0xbfff7d60, aAnalysisFlags=0xbfff7f50) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameUtils.cpp:106
#1  0x189c5fbc in BuildTextRunsScanner::BuildTextRunForFrames (this=0xbfff90f0, aTextBuffer=0xbfff80ac) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameThebes.cpp:1616
#2  0x189c6b67 in BuildTextRunsScanner::FlushFrames (this=0xbfff90f0, aFlushLineBreaks=1) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameThebes.cpp:1268
#3  0x189c772c in BuildTextRuns (aRC=0x41e7a490, aForFrame=0x249c2c8, aLineContainer=0x249c218, aForFrameLine=0xbfff9f3c) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameThebes.cpp:1227
#4  0x189c780d in nsTextFrame::EnsureTextRun (this=0x249c2c8, aRC=0x41e7a490, aLineContainer=0x249c218, aLine=0xbfff9f3c, aFlowEndInTextRun=0xbfff9774) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameThebes.cpp:1982
#5  0x189c8492 in nsTextFrame::Reflow (this=0x249c2c8, aPresContext=0x41794c70, aMetrics=@0xbfff996c, aReflowState=@0xbfff98c0, aStatus=@0xbfff9ddc) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsTextFrameThebes.cpp:5331
#6  0x189942a2 in nsLineLayout::ReflowFrame (this=0xbfff9eec, aFrame=0x249c2c8, aReflowStatus=@0xbfff9ddc, aMetrics=0x0, aPushedFrame=@0xbfff9a6c) at /Users/simon/mozwork/debugtree/mozilla/layout/generic/nsLineLayout.cpp:891

Got a DEP violation in windows so does not seem to be Mac specific.
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
OS: Mac OS X → All
Whiteboard: [sg:critical] post 1.8-branch
Attached file Reduced testcase 
If this doesn't crash on first load, increase the text size so that it overflows to the next line.
Depends on: 382422
Component: GFX: Thebes → Layout: Fonts and Text
QA Contact: thebes → layout.fonts-and-text
Fixed by bug 382422
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: