Crash [@ TextRunWordCache::MakeTextRun]

RESOLVED FIXED

Status

()

Core
Layout: Text
P2
normal
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: smaug, Assigned: mats)

Tracking

({crash, fixed1.9.1})

Trunk
x86
Linux
crash, fixed1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
wanted1.9.0.x -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
Created attachment 361155 [details]
stack

I got the crash when running mochitest. The crash happened with the test for
bug 441782.

No idea if this is security sensitive.
(Reporter)

Comment 1

9 years ago
Something strange happening
(gdb) p length
$1 = 11
(gdb) p j
$2 = 0
(gdb) p wordStart
$3 = 16
(gdb) p i
$4 = 27

That means that wordStart+j > 0 is true, so numString[j-1] is evaluated.
And j-1 is a pretty huge number because j is unsigned and its value is 0.
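
The wrap-around described in comment 1, as an added example that is not part of the bug report or of the landed patch. It uses the gdb values above (wordStart = 16, length = 11, j = 0) and only computes the index, never dereferencing it. The function names and the `j > 0` guard are assumptions for illustration; the page does not show the actual fix.

```cpp
#include <cstdint>
#include <cstdio>

// Index that numString[j - 1] resolves to when j is unsigned.
// For j == 0 this wraps to UINT32_MAX instead of going negative.
static uint32_t PrevIndex(uint32_t j) { return j - 1; }

// Guard as described in comment 1: it tests the absolute text position,
// although numString is indexed relative to the start of the word.
static bool GuardAbsolute(uint32_t wordStart, uint32_t j) {
  return wordStart + j > 0;
}

// Hypothetical corrected guard: it tests the same index that is used.
static bool GuardRelative(uint32_t j) { return j > 0; }

// Walks one word of `length` characters and counts the guarded
// numString[j - 1] accesses whose index lies outside [0, length).
// No memory is read; only the index arithmetic is checked.
uint32_t CountOutOfBounds(uint32_t wordStart, uint32_t length, bool relative) {
  uint32_t bad = 0;
  for (uint32_t j = 0; j < length; ++j) {
    bool guarded = relative ? GuardRelative(j) : GuardAbsolute(wordStart, j);
    if (guarded && PrevIndex(j) >= length) {
      ++bad;  // index wrapped past the end of the buffer
    }
  }
  return bad;
}

int main() {
  // Values from the gdb session: wordStart = 16, length = 11.
  std::printf("index for j=0: %u\n", static_cast<unsigned>(PrevIndex(0)));
  std::printf("absolute guard, wordStart=16: %u bad access(es)\n",
              static_cast<unsigned>(CountOutOfBounds(16, 11, false)));
  // A word at the very start of the text hides the defect.
  std::printf("absolute guard, wordStart=0:  %u bad access(es)\n",
              static_cast<unsigned>(CountOutOfBounds(0, 11, false)));
  std::printf("relative guard, wordStart=16: %u bad access(es)\n",
              static_cast<unsigned>(CountOutOfBounds(16, 11, true)));
  return 0;
}
```

The absolute guard only protects a word that begins at text offset 0, which is why the out-of-range index shows up for a later word such as the one at wordStart = 16.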
(Reporter)

Updated

9 years ago
Blocks: 441782
(Reporter)

Comment 2

9 years ago
Perhaps this is a regression from Bug 467672?
(Assignee)

Comment 3

9 years ago
Created attachment 361161 [details] [diff] [review]
Patch

I think it's a regression from bug 441782.  I needed a workaround to run
mochitest and this seems to work...
(Assignee)

Updated

9 years ago
Flags: blocking1.9.1?

Comment 4

9 years ago
Comment on attachment 361161 [details] [diff] [review]
Patch

This seems like the correct fix.  Requesting review from roc.
Attachment #361161 - Flags: superreview?(roc)
Attachment #361161 - Flags: review?(roc)

Updated

9 years ago
Attachment #361161 - Attachment description: fwiw → Patch

Updated

9 years ago
Assignee: nobody → mats.palmgren
Keywords: crash
Attachment #361161 - Flags: superreview?(roc)
Attachment #361161 - Flags: superreview+
Attachment #361161 - Flags: review?(roc)
Attachment #361161 - Flags: review+
(Reporter)

Comment 5

9 years ago
I pushed this.
http://hg.mozilla.org/mozilla-central/rev/5f349409c9d5

Thanks Mats!
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
(Reporter)

Updated

9 years ago
Keywords: fixed1.9.1

Comment 6

9 years ago
The 1.9.1 landing: <http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7272f7e838d2>
Group: core-security
Flags: wanted1.9.0.x-
Crash Signature: [@ TextRunWordCache::MakeTextRun]