Closed
Bug 401534
Opened 18 years ago
Closed 18 years ago
Crash in Thebes/ATSUI (@gfxAtsuiFontGroup::InitTextRun)
Categories
(Core :: Graphics, defect)
RESOLVED
WORKSFORME
People
(Reporter: jag+mozilla, Assigned: jtd)
Details
(Keywords: crash)
http://crash-stats.mozilla.com/report/list?range_unit=months&query_search=signature&query_type=contains&platform=mac&signature=gfxAtsuiFontGroup%3A%3AInitTextRun%28gfxTextRun%2A%2C+unsigned+short+const%2A%2C+unsigned+int%2C+int%2C+unsigned+int%2C+unsigned+int%29&date=2007-10-29+00%3A00%3A00&query=InitTextRun&range_value=1
The "guilty" line is:
PRUint32 unicodeRange = FindCharUnicodeRange(aString[j+runStart]);
Comment 1•18 years ago
This part of the font matching loop is a bit opaque. I think what must be happening is that somehow there's a sequence of conditions which leads to runStart getting updated, so that j+runStart accesses past the end of the array. I'll see if I can dig up a testcase that causes this.
This crash appears in the crash logs a couple times every day.
Assignee: nobody → jdaggett
Comment 2•18 years ago
This keeps showing up among Mac crashers. Wish there was a way to get the actual address that was accessed, not just the address of the instruction that caused the problem (registers and current instruction would be nice too!).
The two possible causes I can imagine for this are (1) out-of-bounds array reference by accessing aString[j+runStart], (2) the string has been trashed and we're referencing unmapped memory by accessing aString[j+runStart] or (3) there are specific values for which an out-of-bounds access will occur within FindCharUnicodeRange. My wild-assed guess is that it's (3), since this crash always occurs in a place where the attempts to read the location will already have occurred and I don't see an obvious way by which an out-of-bounds reference could occur.
To do: write a quick test that manually verifies all address calculations within FindCharUnicodeRange stay within the bounds of the two static data arrays referenced. Insert assertions for the following four addr calculations:
gUnicodeSubrangeTable[0][ch >> 12];
gUnicodeSubrangeTable[range - kRangeTableBase][(ch & 0x0f00) >> 8];
gUnicodeSubrangeTable[range - kRangeTableBase][(ch & 0x00f0) >> 4];
gUnicodeTertiaryRangeTable[(ch - 0x0700) >> 7];
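A harness in the spirit of the to-do in comment 2, added here as an example and not code from the bug or from Mozilla's tree: it replays the four index calculations above for every 16-bit code unit and reports the first one that leaves its table, including the negative index that `(ch - 0x0700) >> 7` produces for any ch below U+0700. The values of kRangeTableBase and kRangeTertiaryTable, the table sizes and the table contents are assumptions or constructed data, not the real nsUnicodeRange tables.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed constants and table sizes for this harness; the real ones live in nsUnicodeRange.h. */
#define K_RANGE_TABLE_BASE     0x30
#define K_RANGE_TERTIARY_TABLE 0x40
#define N_SUBTABLES            3
#define N_TERTIARY             2

/* Replays the four lookups of FindCharUnicodeRange for one 16-bit code unit, checking each
 * index before it is used. Returns 0 if every access is in bounds, otherwise the number
 * (1..4) of the first address calculation, in comment 2's order, that escaped its table. */
int check_char(uint16_t ch, const uint8_t sub[][16], size_t nsub,
               const uint8_t *tert, size_t ntert)
{
    uint32_t range, idx;
    if (nsub == 0) return 1;                      /* (1) sub[0][ch >> 12]: ch >> 12 is at most 15 */
    range = sub[0][ch >> 12];
    if (range < K_RANGE_TABLE_BASE) return 0;
    idx = range - K_RANGE_TABLE_BASE;             /* (2) sub[range - base][(ch & 0x0f00) >> 8] */
    if (idx >= nsub) return 2;
    range = sub[idx][(ch & 0x0f00) >> 8];
    if (range < K_RANGE_TABLE_BASE) return 0;
    if (range < K_RANGE_TERTIARY_TABLE) {         /* (3) sub[range - base][(ch & 0x00f0) >> 4] */
        idx = range - K_RANGE_TABLE_BASE;
        if (idx >= nsub) return 3;
        (void)sub[idx][(ch & 0x00f0) >> 4];
        return 0;
    }
    if (ch < 0x0700) return 4;                    /* (4) tert[(ch - 0x0700) >> 7] would go negative */
    idx = (uint32_t)(ch - 0x0700) >> 7;
    if (idx >= ntert) return 4;
    (void)tert[idx];
    return 0;
}

/* Exhaustive sweep of all 65536 code units: -1 if every lookup stays in bounds, else the first bad ch. */
long first_unsafe_char(const uint8_t sub[][16], size_t nsub, const uint8_t *tert, size_t ntert)
{
    for (long ch = 0; ch <= 0xFFFF; ch++)
        if (check_char((uint16_t)ch, sub, nsub, tert, ntert) != 0) return ch;
    return -1;
}

/* Constructed tables (not Mozilla's data). Unlisted entries are 0, i.e. a direct range id. */
static const uint8_t kGoodSub[N_SUBTABLES][16] = {
    { [0] = 0x31 },             /* U+0xxx -> subtable 1 */
    { [7] = 0x40, [8] = 0x32 }, /* U+07xx -> tertiary table, U+08xx -> subtable 2 */
    { [0] = 0x05 },
};
static const uint8_t kBadSub[N_SUBTABLES][16] = {
    { [0] = 0x31 },
    { [0] = 0x40, [7] = 0x40 }, /* U+00xx wrongly sent to the tertiary table: ch - 0x0700 underflows */
    { [0] = 0x05 },
};
static const uint8_t kTert[N_TERTIARY] = { 0x06, 0x07 };
```

Swapping in the real constants and tables turns first_unsafe_char into the quick test comment 2 asks for; a non-negative result names the code unit to feed the address calculations by hand.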
Comment 3•18 years ago
Marking this as WFM, since the underlying code has been trimmed with the changes for bug 396137.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME