Created attachment 328755 [details] testcase

See testcase, which usually crashes within 10s after load. I got this with the Indic IME extension, when pressing the letter 'g' constantly, while Hindi language was selected and the Inscript keyboard. This regressed between 2007-08-28 and 2007-08-29: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+08&cvsroot=%2Fcvsroot
I think it's a regression from bug 378457.
Created attachment 328757 [details] backtrace from debug build

VC Express also complained about heap corruption, btw.

msvcr80d.dll!__free_dbg_nolock() + 0x313 bytes
msvcr80d.dll!__free_dbg() + 0x4e bytes
msvcr80d.dll!_free() + 0xe bytes
> nspr4.dll!PR_Free(void * ptr=0x055740e8) Line 536 + 0xa bytes C
xpcom_core.dll!NS_Free_P(void * ptr=0x055740e8) Line 303 + 0xa bytes C++
xpcom_core.dll!nsTArray_base::ShrinkCapacity(unsigned int elemSize=2) Line 130 + 0xb bytes C++
xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0, unsigned int oldLen=137, unsigned int newLen=0, unsigned int elemSize=2) Line 163 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::RemoveElementsAt(unsigned int start=0, unsigned int count=137) Line 601 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::Clear() Line 611 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::~nsTArray<tag_SCRIPT_VISATTR>() Line 267 + 0xf bytes C++
thebes.dll!nsAutoTArray<tag_SCRIPT_VISATTR,76>::~nsAutoTArray<tag_SCRIPT_VISATTR,76>() + 0xf bytes C++
thebes.dll!UniscribeItem::~UniscribeItem() Line 1269 + 0x46 bytes C++
thebes.dll!UniscribeItem::`scalar deleting destructor'() + 0xf bytes C++
thebes.dll!nsAutoPtr<UniscribeItem>::~nsAutoPtr<UniscribeItem>() Line 104 + 0x1e bytes C++
thebes.dll!gfxWindowsFontGroup::InitTextRunUniscribe(gfxContext * aContext=0x0566d1f0, gfxTextRun * aRun=0x053f8cf0, const unsigned short * aString=0x001298e4, unsigned int aLength=81) Line 2229 + 0x8 bytes C++
thebes.dll!gfxWindowsFontGroup::MakeTextRun(const unsigned short * aString=0x001298e4, unsigned int aLength=81, const gfxTextRunFactory::Parameters * aParams=0x00129e78, unsigned int aFlags=17826305) Line 935 C++
thebes.dll!TextRunWordCache::MakeTextRun(const unsigned short * aText=0x0012b35c, unsigned int aLength=80, gfxFontGroup * aFontGroup=0x06176b70, const gfxTextRunFactory::Parameters * aParams=0x0012b2dc, unsigned int aFlags=17826304) Line 532 + 0x31 bytes C++
etc...
Can you figure out what character was being inserted (e.g. using an oninput attribute) and then try to reproduce the bug without IME?
See testcase; it can be reproduced with the IME extension. The 'ु' character is being inserted. I can imagine that some people are even using these kinds of characters, so requesting blocking.
Stuart, can you take a look at this?
This is probably the same bug as bug 445711.
I don't think this is the same as bug 445711. The issue there is a buffer overrun triggered by the fact that the single character "ௌ" is rendered as three glyphs.
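The failure mode described in the previous comment, a glyph buffer sized by character count that is overrun when one character shapes to several glyphs, is easy to model outside of Gecko. The following is an added illustration, not Mozilla's or Uniscribe's code: a constructed toy shaper in which every UTF-16 code unit yields one glyph except U+0BCC, which is arbitrarily modelled as three glyphs to follow the 1:3 count stated above. The "before" sizing assumes one glyph per code unit; the "after" sizing asks the shaper for the count first. The writer is bounds-checked so the demo reports the would-be overrun instead of corrupting the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy shaper (illustration only, not Uniscribe): every UTF-16
 * code unit maps to one glyph, except CLUSTER_CHAR, which is modelled as
 * expanding to GLYPHS_PER_CLUSTER glyphs, mirroring the 1:3 case in the bug. */
#define CLUSTER_CHAR 0x0BCC       /* U+0BCC TAMIL VOWEL SIGN AU, "ௌ" */
#define GLYPHS_PER_CLUSTER 3
#define DEMO_BUF_CAP 64           /* fixed-size demo buffer, arbitrary */

static size_t glyphs_for_unit(uint16_t cu) {
    return cu == CLUSTER_CHAR ? GLYPHS_PER_CLUSTER : 1;
}

/* Number of glyphs the toy shaper produces for a run of n code units. */
size_t count_glyphs(const uint16_t *s, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += glyphs_for_unit(s[i]);
    return total;
}

/* Bounds-checked shaping: writes at most cap glyph ids into out and returns
 * the number the run actually requires. A return value greater than cap
 * means an unchecked writer would have overrun the buffer at this point. */
size_t shape_run(const uint16_t *s, size_t n, uint16_t *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        size_t k = glyphs_for_unit(s[i]);
        for (size_t j = 0; j < k; j++, w++) {
            if (w < cap) out[w] = (uint16_t)(s[i] + j); /* fake glyph id */
        }
    }
    return w;
}

/* "Before": capacity assumed equal to the number of code units.
 * Returns 1 if that assumption would have overflowed the glyph buffer. */
int naive_sizing_overflows(const uint16_t *s, size_t n) {
    uint16_t buf[DEMO_BUF_CAP];
    size_t cap = n < DEMO_BUF_CAP ? n : DEMO_BUF_CAP;
    size_t needed = shape_run(s, n, buf, cap);
    return needed > cap;
}

/* "After": capacity taken from the shaper's own glyph count.
 * Returns 1 if the run fits exactly, 0 if it exceeds the demo buffer. */
int sized_from_shaper_fits(const uint16_t *s, size_t n) {
    uint16_t buf[DEMO_BUF_CAP];
    size_t cap = count_glyphs(s, n);
    if (cap > DEMO_BUF_CAP) return 0;
    size_t needed = shape_run(s, n, buf, cap);
    return needed == cap;
}

int main(void) {
    /* Constructed input: 'a', U+0BCC, 'b' -> 1 + 3 + 1 = 5 glyphs. */
    const uint16_t run[] = { 0x0061, CLUSTER_CHAR, 0x0062 };
    size_t n = sizeof run / sizeof run[0];
    printf("code units: %zu, glyphs: %zu\n", n, count_glyphs(run, n));
    printf("naive sizing overflows: %d\n", naive_sizing_overflows(run, n));
    printf("shaper-derived sizing fits: %d\n", sized_from_shaper_fits(run, n));
    return 0;
}
```

The real API makes the same point: Uniscribe's ScriptShape returns E_OUTOFMEMORY when cMaxGlyphs is smaller than the run needs, and the caller is expected to grow the buffer and retry rather than assume one glyph per code unit. In the backtrace above the corruption only surfaces later, in the nsTArray destructor, which is typical of an overrun that lands in adjacent heap metadata.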
That said, the patch from bug 445711 seems to fix this too, so what do I know?
Should be fixed by bug 445711, please reopen if there is still a problem.
Verified fixed on the 1.9.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:126.96.36.199pre) Gecko/2008082105 GranParadiso/3.0.2pre. I verified using the testcase that was provided by Martijn.
Verified fixed on 1.9.1 Beta 1 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1 and the testcase from Martijn. No crash on testcase -> verified fixed.
Based on Comment 10 I am updating the 1.9.1 keyword to indicate this has been verified.