Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] with -moz-column, pre-wrap, font-size-adjust, multiple text runs

RESOLVED FIXED

Status


defect
P2
critical
RESOLVED FIXED
10 years ago
8 years ago

People

(Reporter: jruderman, Assigned: smontagu)

Tracking

(Blocks 2 bugs, 5 keywords)

Trunk
Points:
---
Bug Flags:
blocking1.9.2 +
wanted1.9.0.x -
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta2-fixed, blocking1.9.1 .6+, status1.9.1 .6-fixed)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(3 attachments)

Reporter

Description

10 years ago
###!!! ASSERTION: Flag set that should never be set! (memory safety error?): '!(mTextRun->GetFlags() & (gfxTextRunWordCache::TEXT_UNUSED_FLAGS | nsTextFrameUtils::TEXT_UNUSED_FLAG))', file /Users/jruderman/central/layout/generic/nsTextFrameThebes.cpp, line 766

or

Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] touching a random memory location.
Reporter

Updated

10 years ago
Whiteboard: [sg:critical?]
Reporter

Comment 1

10 years ago
Still crashes on mozilla-central.
Assignee

Comment 2

10 years ago
I can only reproduce the crash in debug builds. It turns out that it doesn't depend on bidi but rather on having multiple text runs in the same line, as this variation on the testcase shows.
Assignee

Updated

10 years ago
OS: Mac OS X → All
Hardware: x86 → All
Summary: Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] with -moz-column, pre-wrap, font-size-adjust, bidi → Debug-only crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] with -moz-column, pre-wrap, font-size-adjust, multiple text runs
Assignee

Comment 3

10 years ago
Interestingly, this is debug-only on Linux, but not on OS X.
It's a regression from bug 465928, and I think I have a patch.
Assignee: nobody → smontagu
Blocks: 465928
blocking1.9.1: --- → ?
Flags: blocking1.9.2?
Summary: Debug-only crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] with -moz-column, pre-wrap, font-size-adjust, multiple text runs → Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] with -moz-column, pre-wrap, font-size-adjust, multiple text runs
Assignee

Comment 4

10 years ago
Posted patch: Patch
This passed unit tests on tryserver.
Attachment #405854 - Flags: superreview?(roc)
Attachment #405854 - Flags: review?(roc)
Attachment #405854 - Flags: superreview?(roc)
Attachment #405854 - Flags: superreview+
Attachment #405854 - Flags: review?(roc)
Attachment #405854 - Flags: review+
Whiteboard: [sg:critical?] → [sg:critical?][needs landing]
Assignee

Comment 6

10 years ago
http://hg.mozilla.org/mozilla-central/rev/28ac205d2563
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?][needs landing] → [sg:critical?]
Does this bug affect 1.9.0?
blocking1.9.1: ? → .5+
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.16?
Assignee

Comment 8

10 years ago
(In reply to comment #7)
> Does this bug affect 1.9.0?

No, the code that caused the regression was never checked in to 1.9.0, and neither test case crashes there.
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.16?
Flags: wanted1.9.0.x-
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Simon, is this patch ready for 1.9.1? If so (and assuming it applies), please request approval on it. Code freeze for 1.9.1.6 is November 10 at 11:59pm.
Assignee

Comment 11

10 years ago
Comment on attachment 405854
Patch

Requesting approval for 1.9.1.6.

This fixes a regression from bug 465928, which is one of the dependencies of performance bug 430332. I don't see any regression in performance in the test case there with this patch.
Attachment #405854 - Flags: approval1.9.1.6?
Comment on attachment 405854
Patch

Approved for 1.9.1.6, a=dveditz for release-drivers
Attachment #405854 - Flags: approval1.9.1.6? → approval1.9.1.6+
Verified on OS X with attached testcase. Crashes in 1.9.1.5 but not in the nightly 1.9.1.6 build, Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6pre) Gecko/20091110 Shiretoko/3.5.6pre.
Keywords: verified1.9.1
Group: core-security
Reporter

Updated

9 years ago
Flags: in-testsuite+
Crash Signature: [@ BuildTextRunsScanner::BreakSink::SetBreaks]