Closed Bug 633322 Opened 13 years ago Closed 13 years ago

"ASSERTION: detailed glyph record missing!" uppercasing ß, followed by zwsp

Categories

(Core :: Graphics, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: jruderman, Assigned: jfkthame)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(4 files)

Attached file testcase
###!!! ASSERTION: detailed glyph record missing!: 'mLastUsed != nsTArray<DGRec>::NoIndex', file gfxFont.h, line 2105

###!!! ASSERTION: invalid array index: 'i < Length()', file nsTArray.h, line 455

Seems to be a regression from bug 631035.  Security-sensitive because it's using nsTArray's ElementAt (not SafeElementAt).

It seems to be important that the second character is ß (which uppercases to SS) and the third character is non-rendered (U+200B ZWSP or U+2061 FUNCTION APPLICATION).  I don't know what the deal with the first character is; on my machine it's a hexbox.
Group: core-security
Attached file stack trace
blocking2.0: --- → ?
Yes, this is certainly a regression from bug 631035; I'll dig into it ASAP. Thanks for the testcase!

This probably accounts for the crashes reported in bug 633453.
Assignee: nobody → jfkthame
The DetailedGlyphStore is not intended to be called for character indexes that don't have any detailed glyphs; callers are expected to check this before trying to retrieve the DetailedGlyphs pointer. I missed one in MergeCharactersInTextRun().

So the real change here is just to check GetGlyphCount() in MergeCharactersInTextRun(). I've checked that all other current callers of GetDetailedGlyphs look correct, but I've also added extra comments and assertion checks at GetDetailedGlyphs, to help us catch any future issues quickly.

We should add this example to crashtests, too.
Attachment #511675 - Flags: review?(roc)
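The caller-side contract described in the comment above, as an added C++ example that is not part of the bug thread or the Gecko source: `SparseGlyphStore`, `MergeRange` and `MakeSampleStore` are hypothetical stand-ins for a sparse detailed-glyph store and a merging caller, and the glyph values are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Simplified model, constructed for illustration; not Gecko source.
struct Glyph { uint32_t id; int32_t advance; };

class SparseGlyphStore {
 public:
  void Set(size_t i, std::vector<Glyph> g) { mRecords[i] = std::move(g); }
  // Number of detailed glyphs recorded for this character (0 if none).
  size_t GlyphCount(size_t charIndex) const {
    auto it = mRecords.find(charIndex);
    return it == mRecords.end() ? 0 : it->second.size();
  }
  // Contract: call only when GlyphCount(charIndex) > 0. A missing record
  // yields nullptr here rather than an unchecked out-of-range array access.
  const std::vector<Glyph>* Get(size_t charIndex) const {
    auto it = mRecords.find(charIndex);
    return it == mRecords.end() ? nullptr : &it->second;
  }
 private:
  std::map<size_t, std::vector<Glyph>> mRecords;
};

// Collect the glyphs of characters [first, last] into one list. Characters
// with no record (such as a non-rendered ZWSP) are skipped before Get().
std::vector<Glyph> MergeRange(const SparseGlyphStore& store, size_t first, size_t last) {
  std::vector<Glyph> merged;
  for (size_t i = first; i <= last; ++i) {
    if (store.GlyphCount(i) == 0) continue;  // caller-side check
    const std::vector<Glyph>* rec = store.Get(i);
    merged.insert(merged.end(), rec->begin(), rec->end());
  }
  return merged;
}

// Constructed sample: index 0 has one glyph, index 1 has two, index 2 has none.
SparseGlyphStore MakeSampleStore() {
  SparseGlyphStore s;
  s.Set(0, {{1, 600}});
  s.Set(1, {{54, 500}, {54, 500}});
  return s;
}

int main() { std::printf("%zu\n", MergeRange(MakeSampleStore(), 0, 2).size()); return 0; }
```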
Moving this to Graphics, as it's a gfx bug rather than layout.

(In reply to comment #2)
> This probably accounts for the crashes reported in bug 633453.
FTR, that turned out to be a separate error, though they're both regressions from 631035.
Component: Layout: Text → Graphics
QA Contact: layout.fonts-and-text → thebes
http://hg.mozilla.org/mozilla-central/rev/fcf6c9b3bd7d (patch)
http://hg.mozilla.org/mozilla-central/rev/f36e81d4d60d (crashtest)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security