Closed Bug 428633 Opened 12 years ago Closed 11 years ago

Crash [@ FillInMorphRunContextForRun] with astral, thai and chinese character

Categories

(Core :: Graphics, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: gkw, Assigned: roc)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(1 file)

Attached file testcase
On 10.5.2 only (doesn't occur in 10.4), latest Minefield nightly crashes when viewing the attached testcase.

Crashes [@ OTL::GCommon::GetLookups] or [@ FillInMorphRunContextForRun], called through gfxAtsuiFontGroup::InitTextRun.  Sometimes, instead of crashing, it triggers

firefox-bin(3464,0xa08fdfa0) malloc: *** error for object 0x10a65050: incorrect checksum for freed object - object was probably modified after being freed.

Jesse Ruderman helped make the reduced testcase.
Flags: blocking1.9?
Blocks: textfuzzer
My crash report is here:

http://crash-stats.mozilla.com/report/index/43e80638-084f-11dd-bf19-001cc45a2ce4

Apparently there was an identical crash in 10.5.2 on build id 2008030317 when searched in Mozilla Crash Reports:

http://crash-stats.mozilla.com/report/index/31b384b5-fa9a-11dc-b9fe-001a4bd43ed6
Roc, blocking and assigning to you based on the fact that this will hit a lot of international users and there's a nice, small testcase.
Assignee: nobody → roc
Flags: blocking1.9? → blocking1.9+
I don't think this bug would affect many users (aside from being a potential security hole).  It's not very likely that such a combination of characters would occur in a text run, even on a Thai or Chinese page.

Breakpad shows only one crash report for FillInMorphRunContextForRun other than Gary's in the last 3 months (see comment 1 for links).  There were 196 reports of OTL::GCommon::GetLookups crashes, which is substantial but not quite a topcrash.  (Those crashes aren't necessarily due to this bug, but do match one of this bug's crash signatures.)
Jesse corrected me in my thinking - the characters need to be combined to result in a crash. Roc, please re-plus it if you think this should block, but for now it doesn't.
Flags: wanted-next+
Flags: blocking1.9-
Flags: blocking1.9+
Should this be wanted1.9.0.x instead of wanted‑next?
Flags: wanted-next+ → wanted1.9.0.x+
Hmmm, possible duplicate of of 428633, crash in that case also shows OTL::GCommon::GetLookups.

With 10.5.3 and RC3, the testcase WFM, I don't see a crash or any message on the console.  Gary, do you still experience this?
(In reply to comment #6)
> Hmmm, possible duplicate of of 428633, crash in that case also shows
> OTL::GCommon::GetLookups.

Oops, I meant to write a duplicate of bug 436663...
WFM with Firefox trunk (debug+mallocscribble) on Leopard.
Resolving WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a2pre) Gecko/20080816113032 Minefield/3.1a2pre
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Flags: wanted1.9.0.x+ → wanted1.9.0.x?
Whiteboard: [sg:critical]
Crash Signature: [@ FillInMorphRunContextForRun]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a5f9ee46616a
Group: core-security
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.