Closed Bug 507566 Opened 10 years ago Closed 10 years ago

Crash [@ GetAdvanceForGlyphs] with ireflow, RLM, selectAll

Categories

(Core :: Layout: Text and Fonts, defect, P2, critical)

x86
macOS
defect

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

To reproduce, run Firefox with these ireflow settings, and load the testcase.

export GECKO_REFLOW_INTERRUPT_MODE=counter
export GECKO_REFLOW_INTERRUPT_CHECKS_TO_SKIP=1
export GECKO_REFLOW_INTERRUPT_FREQUENCY=1

Result:

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/central/gfx/thebes/src/gfxSkipChars.cpp, line 92

###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/jruderman/central/gfx/thebes/src/gfxFont.cpp, line 2158

Crash [@ GetAdvanceForGlyphs]

If MallocScribble is off, Firefox crashes trying to read 0x00000004.  But if MallocScribble is on, Firefox crashes trying to read 0x55555559!
Flags: blocking1.9.2?
Whiteboard: [sg:critical?]
Almost certainly the same issue as bug 478504, but I'll double-check on Monday.
Depends on: 478504
Hmm.  It seems like I can't reproduce this at all.
Ah, never mind.  I had some patches in my tree that made the INTERRUPT_* env vars not work.  I can in fact reproduce, and the patch for bug 478504 fixes this.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Fixed by checkin for bug 478504.  I guess we should keep this closed till we ship 1.9.2b1?
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
ireflow wasn't in 1.9.1
Keywords: regression
Group: core-security
Crash Signature: [@ GetAdvanceForGlyphs]
Flags: in-testsuite+