Closed
Bug 428633
Opened 16 years ago
Closed 16 years ago
Crash [@ FillInMorphRunContextForRun] with astral, thai and chinese character
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: gkw, Assigned: roc)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Crash Data
Attachments
(1 file)
103 bytes,
text/html
|
Details |
On 10.5.2 only (doesn't occur in 10.4), latest Minefield nightly crashes when viewing the attached testcase. Crashes [@ OTL::GCommon::GetLookups] or [@ FillInMorphRunContextForRun], called through gfxAtsuiFontGroup::InitTextRun. Sometimes, instead of crashing, it triggers firefox-bin(3464,0xa08fdfa0) malloc: *** error for object 0x10a65050: incorrect checksum for freed object - object was probably modified after being freed. Jesse Ruderman helped make the reduced testcase.
Flags: blocking1.9?
Updated•16 years ago
|
Blocks: textfuzzer
Reporter | ||
Comment 1•16 years ago
|
||
My crash report is here: http://crash-stats.mozilla.com/report/index/43e80638-084f-11dd-bf19-001cc45a2ce4 Apparently there was an identical crash in 10.5.2 on build id 2008030317 when searched in Mozilla Crash Reports: http://crash-stats.mozilla.com/report/index/31b384b5-fa9a-11dc-b9fe-001a4bd43ed6
Comment 2•16 years ago
|
||
Roc, blocking and assigning to you based on the fact that this will hit a lot of international users and there's a nice, small testcase.
Assignee: nobody → roc
Flags: blocking1.9? → blocking1.9+
Comment 3•16 years ago
|
||
I don't think this bug would affect many users (aside from being a potential security hole). It's not very likely that such a combination of characters would occur in a text run, even on a Thai or Chinese page. Breakpad shows only one crash report for FillInMorphRunContextForRun other than Gary's in the last 3 months (see comment 1 for links). There were 196 reports of OTL::GCommon::GetLookups crashes, which is substantial but not quite a topcrash. (Those crashes aren't necessarily due to this bug, but do match one of this bug's crash signatures.)
Comment 4•16 years ago
|
||
Jesse corrected me in my thinking - the characters need to be combined to result in a crash. Roc, please re-plus it if you think this should block, but for now it doesn't.
Flags: wanted-next+
Flags: blocking1.9-
Flags: blocking1.9+
Reporter | ||
Comment 5•16 years ago
|
||
Should this be wanted1.9.0.x instead of wanted‑next?
Assignee | ||
Updated•16 years ago
|
Flags: wanted-next+ → wanted1.9.0.x+
Comment 6•16 years ago
|
||
Hmmm, possible duplicate of of 428633, crash in that case also shows OTL::GCommon::GetLookups. With 10.5.3 and RC3, the testcase WFM, I don't see a crash or any message on the console. Gary, do you still experience this?
Comment 7•16 years ago
|
||
(In reply to comment #6) > Hmmm, possible duplicate of of 428633, crash in that case also shows > OTL::GCommon::GetLookups. Oops, I meant to write a duplicate of bug 436663...
Comment 8•16 years ago
|
||
WFM with Firefox trunk (debug+mallocscribble) on Leopard.
Reporter | ||
Comment 9•16 years ago
|
||
Resolving WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a2pre) Gecko/20080816113032 Minefield/3.1a2pre
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Reporter | ||
Updated•16 years ago
|
Flags: in-testsuite?
Updated•16 years ago
|
Flags: wanted1.9.0.x+ → wanted1.9.0.x?
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:critical]
Updated•13 years ago
|
Crash Signature: [@ FillInMorphRunContextForRun]
Comment 10•9 years ago
|
||
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/a5f9ee46616a
Group: core-security
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•