507566 - Crash [@ GetAdvanceForGlyphs] with ireflow, RLM, selectAll

Status: RESOLVED FIXED

(Core :: Layout: Text and Fonts, defect, P2)

Description

[Jesse Ruderman]

Attachment: testcase (crashes with some ireflow settings)

To reproduce, run Firefox with these ireflow settings, and load the testcase.

export GECKO_REFLOW_INTERRUPT_MODE=counter
export GECKO_REFLOW_INTERRUPT_CHECKS_TO_SKIP=1
export GECKO_REFLOW_INTERRUPT_FREQUENCY=1

Result:

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/central/gfx/thebes/src/gfxSkipChars.cpp, line 92

###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/jruderman/central/gfx/thebes/src/gfxFont.cpp, line 2158

Crash [@ GetAdvanceForGlyphs]

If MallocScribble is off, Firefox crashes trying to read 0x00000004.  But if MallocScribble is on, Firefox crashes trying to read 0x55555559!

Comment 1

[Boris Zbarsky [:bzbarsky]]

Almost certainly the same issue as bug 478504, but I'll double-check on Monday.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Hmm.  It seems like I can't reproduce this at all.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Ah, nevermind.  I had some patches in my tree that made the INTERRUPT_* env vars not work.  I can in fact reproduce, and the patch for bug 478504 fixes this.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Fixed by checkin for bug 478504.  I guess we should keep this closed till be ship 1.9.2b1?

Comment 5

[Daniel Veditz [:dveditz]]

ireflow wasn't in 1.9.1

Comment 6

[Pulsebot]

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e80709fd8002
Add crashtest.  r=mats

Comment 7

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/e80709fd8002