Closed Bug 416721 Opened 16 years ago Closed 16 years ago

Crash [@nsTArray_base::ShiftData] with Thai string

Categories: Core :: Layout: Text and Fonts, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: smontagu, Assigned: smontagu
Details: Keywords: crash, testcase
Attachments: 2 files

Attached file minimized testcase
This was reported on Michael Kaplan's blog at http://blogs.msdn.com/michkap/archive/2008/02/09/7566284.aspx
Another blog entry of his, http://blogs.msdn.com/michkap/archive/2005/09/22/473049.aspx crashes on Firefox trunk. It seems to be a Windows-only crash.

Top of the stack:
xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0x00000000, unsigned int oldLen=0xec558d51, unsigned int newLen=0x00000000, unsigned int elemSize=0x00000008)  Line 161 + 0x12 bytes
i18n.dll!nsTArray<tag_SCRIPT_ITEM>::RemoveElementsAt(unsigned int start=0x00000000, unsigned int count=0xec558d51)  Line 571
i18n.dll!nsTArray<tag_SCRIPT_ITEM>::Clear()  Line 581
i18n.dll!nsTArray<tag_SCRIPT_ITEM>::~nsTArray<tag_SCRIPT_ITEM>()  Line 267 + 0xf bytes
i18n.dll!nsAutoTArray<tag_SCRIPT_ITEM,64>::~nsAutoTArray<tag_SCRIPT_ITEM,64>()  + 0xf bytes
i18n.dll!NS_GetComplexLineBreaks(const unsigned short * aText=0x0012c848, unsigned int aLength=0x00000056, unsigned char * aBreakBefore=0x0012a624)  Line 88 + 0xb bytes
i18n.dll!nsJISx4051LineBreaker::GetJISx4051Breaks(const unsigned short * aChars=0x0012c848, unsigned int aLength=0x00000056, unsigned char * aBreakBefore=0x0012a624)  Line 836 + 0x1d bytes
gklayout.dll!nsLineBreaker::FlushCurrentWord()  Line 92
gklayout.dll!nsLineBreaker::Reset(int * aTrailingBreak=0x0012b608)  Line 411 + 0x8 bytes
gklayout.dll!BuildTextRunsScanner::FlushFrames(int aFlushLineBreaks=0x00000001, int aSuppressTrailingBreak=0x00000000)  Line 1058 + 0x18 bytes
gklayout.dll!BuildTextRuns(gfxContext * aContext=0x04cb7280, nsTextFrame * aForFrame=0x04e0276c, nsIFrame * aLineContainer=0x04e0282c, const nsLineList_iterator * aForFrameLine=0x0012d060)  Line 993
gklayout.dll!nsTextFrame::EnsureTextRun(gfxContext * aReferenceContext=0x04cb7280, nsIFrame * aLineContainer=0x04e0282c, const nsLineList_iterator * aLine=0x0012d060, unsigned int * aFlowEndInTextRun=0x0012cc10)  Line 1799 + 0x1a bytes
gklayout.dll!nsTextFrame::Reflow(nsPresContext * aPresContext=0x04d2e948, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x04e0276c)  Line 5325
Flags: blocking1.9?
Severity: normal → critical
No crash on Mac. (I tried both the testcase and the URL in a debug build.)
Attached patch Patch
The offset and length passed to ScriptBreak need to refer to the item, not the whole text.
Assignee: nobody → smontagu
Status: NEW → ASSIGNED
Attachment #302570 - Flags: review?
Attachment #302570 - Flags: review? → review?(masayuki)
Attachment #302570 - Flags: review?(masayuki) → review+
Component: Layout: Fonts and Text → Internationalization
QA Contact: layout.fonts-and-text → i18n
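The per-item argument error that this patch corrects, as an added example that is not part of the bug or of the Mozilla code: a small C model of the NS_GetComplexLineBreaks loop with a stand-in for Uniscribe's ScriptBreak. The stand-in (`script_break_checked`, a hypothetical name) takes a buffer capacity and refuses to write past it, so passing the whole-text offset and length for one item shows up as an error return instead of an overrun of the fixed-size per-item attribute buffer. The real API has no such cap; an overrun of a stack buffer next to the item array is the kind of corruption that would account for the garbage `oldLen` in the `nsAutoTArray` destructor in the stack above. The itemizer, the "break after a space" rule standing in for Thai dictionary breaking, and the 90-unit sample text are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for Uniscribe's SCRIPT_ITEM and SCRIPT_LOGATTR (not the real structs). */
typedef struct { int iCharPos; } script_item_t;
typedef struct { unsigned char fSoftBreak; } logattr_t;

#define MAX_ITEMS    16
#define MAX_ITEM_LEN 64   /* fixed-size per-item attribute buffer, sized for one item, not the whole text */
#define SAMPLE_CAP   128

/* Simulated itemizer: a new item starts at every ASCII/non-ASCII boundary.
   Returns the item count n and sets items[n].iCharPos = length as the end sentinel. */
static int itemize(const uint16_t *text, int length, script_item_t *items) {
    int n = 0;
    for (int i = 0; i < length; i++) {
        if (i == 0 || (text[i] < 0x80) != (text[i - 1] < 0x80)) {
            if (n >= MAX_ITEMS) return -1;
            items[n++].iCharPos = i;
        }
    }
    items[n].iCharPos = length;
    return n;
}

/* Simulated ScriptBreak with a capacity check: fills attrs[0..len) for text[offset..offset+len).
   "Break allowed after a space" stands in for Uniscribe's dictionary-based Thai breaking.
   Returns -1 instead of writing past attrs; the real API has no cap and overruns the caller's buffer. */
static int script_break_checked(const uint16_t *text, int offset, int len, logattr_t *attrs, int cap) {
    if (len > cap) return -1;
    for (int i = 0; i < len; i++) {
        uint16_t prev = (offset + i > 0) ? text[offset + i - 1] : 0;
        attrs[i].fSoftBreak = (prev == 0x0020);
    }
    return 0;
}

/* Per-item loop in the shape of NS_GetComplexLineBreaks. whole_text_args != 0 reproduces the bug:
   offset 0 and the whole text length are passed for every item instead of the item's own range. */
static int get_complex_line_breaks(const uint16_t *text, int length, unsigned char *break_before,
                                   int whole_text_args) {
    script_item_t items[MAX_ITEMS + 1];
    logattr_t attrs[MAX_ITEM_LEN];
    int n = itemize(text, length, items);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        int item_start = items[i].iCharPos;
        int item_len   = items[i + 1].iCharPos - item_start;
        int offset = whole_text_args ? 0      : item_start;
        int len    = whole_text_args ? length : item_len;
        if (script_break_checked(text, offset, len, attrs, MAX_ITEM_LEN) != 0)
            return -1;   /* with an unchecked API this is where the stack would be corrupted */
        for (int j = 0; j < item_len; j++)
            break_before[item_start + j] = attrs[j].fSoftBreak;
    }
    return 0;
}

/* Constructed sample: 40 Thai consonants, " see also ", 40 Thai consonants (90 UTF-16 units).
   Each item fits in MAX_ITEM_LEN entries; the whole text does not. Returns the length. */
static int build_sample(uint16_t *buf) {
    static const char ascii[] = " see also ";
    int len = 0;
    for (int i = 0; i < 40; i++) buf[len++] = (uint16_t)(0x0E01 + i);
    for (const char *p = ascii; *p; p++) buf[len++] = (uint16_t)*p;
    for (int i = 0; i < 40; i++) buf[len++] = (uint16_t)(0x0E01 + i);
    return len;
}

static int run_sample(int whole_text_args, unsigned char *out) {
    uint16_t text[SAMPLE_CAP];
    int len = build_sample(text);
    memset(out, 0, SAMPLE_CAP);
    return get_complex_line_breaks(text, len, out, whole_text_args);
}

/* Status of the loop on the sample: -1 for the buggy (whole-text) arguments, 0 for the fixed ones. */
static int demo_status(int whole_text_args) {
    unsigned char out[SAMPLE_CAP];
    return run_sample(whole_text_args, out);
}

/* Number of break opportunities the fixed loop finds in the sample (one after each space). */
static int demo_fixed_break_count(void) {
    unsigned char out[SAMPLE_CAP];
    if (run_sample(0, out) != 0) return -1;
    int count = 0;
    for (int k = 0; k < SAMPLE_CAP; k++) count += out[k];
    return count;
}

int main(void) {
    printf("whole-text args: status %d (buggy)\nper-item args: status %d, %d break opportunities\n",
           demo_status(1), demo_status(0), demo_fixed_break_count());
    return 0;
}
```

With any C99 compiler, the whole-text call is rejected because 90 entries exceed the 64-entry per-item buffer, while the per-item call succeeds and reports three break opportunities, one after each space. The defensive equivalent of the capacity check in real code is to size the attribute buffer and compute the length handed to ScriptBreak from the same item-length variable, so the two cannot drift apart.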
Comment on attachment 302570 (Patch)

a=mconnor, straightforward crash fix.
Attachment #302570 - Flags: approval1.9+
Checked in with the testcase as crashtest.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Component: Internationalization → Layout: Fonts and Text
Flags: blocking1.9? → in-testsuite+
Resolution: --- → FIXED
Crash Signature: [@nsTArray_base::ShiftData]