Closed
Bug 660416
Opened 13 years ago
Closed 13 years ago
"ASSERTION: Invalid offset" with bidi, -moz-column
Categories
(Core :: Layout: Text and Fonts, defect)
Core
Layout: Text and Fonts
Tracking
()
RESOLVED
FIXED
mozilla7
| Tracking | Status | |
|---|---|---|
| firefox5 | --- | unaffected |
| firefox6 | + | fixed |
| firefox7 | --- | fixed |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: smontagu)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][qa-])
Attachments
(3 files, 2 obsolete files)
|
314 bytes,
text/html
|
Details | |
|
3.24 KB,
text/plain
|
Details | |
|
3.25 KB,
patch
|
roc
:
review+
asa
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92 ###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 6792 ###!!! ASSERTION: redo line on totally empty line with non-empty band...: 'aFloatAvailableSpace.mHasFloats', file layout/generic/nsBlockFrame.cpp, line 3710
|
Reporter | |
Comment 1•13 years ago
|
||
|
Assignee | |
Comment 2•13 years ago
|
||
Regression from bug 566066.
|
|
Assignee | |
Updated•13 years ago
|
status-firefox6:
--- → affected
tracking-firefox6:
--- → ?
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #535940 -
Flags: review?(roc)
Can you explain in more detail why this is needed?
|
|
Assignee | |
Comment 5•13 years ago
|
||
On initial reflow the <span id="a">x‮</span> is split into two frames by bidi resolution. The onload handler then changes the text of this span to "", so both frames are now empty, and then changes the text to "z". The loop at the top of nsTextFrame::CharacterDataChanged skips over the first empty frame, so the new text goes into the second frame. The result is that we now have a frame with contentOffset=0 and contentEnd=0 which has a fixed continuation with contentOffset=0 and contentEnd=1. So the correct results of GetInFlowContentLength are 0 for the first frame (the offset of its fixed continuation) and 1 for the second (the content length). However, when we call GetInFlowContentLength on the first frame after caching the result from the second frame, flowLength->mStartOffset is 0 (== mContentOffset) and flowLength->mEndFlowOffset is 1 (> mContentOffset), so we end up using the cached result for the first frame.
|
|
Assignee | |
Comment 6•13 years ago
|
||
Having said all that, maybe a better solution would be for bidi resolution to make the continuation of the empty frame into a fluid continuation. Let me try that and get back to you :)
Comment on attachment 535940 [details] [diff] [review] Patch Review of attachment 535940 [details] [diff] [review]: ----------------------------------------------------------------- ::: layout/generic/nsTextFrameThebes.cpp @@ +634,5 @@ > + if (flowLength) { > + /** > + * Bidi resolution combined with dynamic changes to content can leave empty > + * text frames in the frame tree. If this frame is empty, don't use the > + * cached in-flow length Let's say * This frame must start inside the cached flow. If the flow starts at mContentOffset but this frame is empty, logically it might be before the start of the cached flow. @@ +639,5 @@ > + */ > + GetOffsets(start, end); > + if (flowLength->mStartOffset <= mContentOffset && > + flowLength->mEndFlowOffset > mContentOffset && > + end > start) { So this should probably be if ((flowLength->mStartOffset < mContentOffset || (flowLength->mStartOffset == mContentOffset && GetContendEnd() > mContentOffset)) && flowLength->mEndFlowOffset > mContentOffset) I'd prefer explicit calls to GetContentEnd instead of using GetOffsets, which uses horrible out-parameters :-)
Attachment #535940 -
Flags: review?(roc) → review+
(In reply to comment #6) > Having said all that, maybe a better solution would be for bidi resolution > to make the continuation of the empty frame into a fluid continuation. Let > me try that and get back to you :) That might make sense but I still think this patch is a good change.
|
|
Assignee | |
Comment 9•13 years ago
|
||
I'd like you to check this version over as well, if you wouldn't mind. I removed the other calls to GetOffsets and tightened the code up a bit.
Attachment #535940 -
Attachment is obsolete: true
Attachment #536014 -
Flags: review?(roc)
Isn't this the same as the previous version?
|
|
Assignee | |
Comment 11•13 years ago
|
||
remembered to qrefresh this time around
Attachment #536014 -
Attachment is obsolete: true
Attachment #536014 -
Flags: review?(roc)
Attachment #536022 -
Flags: review?(roc)
Comment on attachment 536022 [details] [diff] [review] Patch v.2 Review of attachment 536022 [details] [diff] [review]: -----------------------------------------------------------------
Attachment #536022 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 13•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/188979b60337
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
|
||
Comment 14•13 years ago
|
||
Is this exploitable or just a DoS?
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
status-firefox5:
--- → unaffected
status-firefox7:
--- → unaffected
Keywords: regression
|
||
Comment 15•13 years ago
|
||
This is a regression from 5 so tracking this for 6. If this patch applies to aurora, please request approval for it.
Summary: "ASSERTION: Invalid offset" wit bidi, -moz-column → "ASSERTION: Invalid offset" with bidi, -moz-column
Comment on attachment 536022 [details] [diff] [review] Patch v.2 Should be good for Aurora.
Attachment #536022 -
Flags: approval-mozilla-aurora?
But we could also back out bug 566066 on Aurora --- drivers' call really.
|
||
Comment 18•13 years ago
|
||
ROC, what's the risk of taking the patch? The regressing change has been in the code for a while so I'm concerned about risk of backing out as well.
The risk is very low. The patch disables an optimization in one particular edge case.
|
|
||
Updated•13 years ago
|
Attachment #536022 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [needs landing]
|
|
Assignee | |
Comment 20•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/ca882c8f7be4
status1.9.1:
unaffected → ---
status1.9.2:
unaffected → ---
status-firefox5:
unaffected → ---
status-firefox7:
fixed → ---
|
|
Assignee | |
Updated•13 years ago
|
Whiteboard: [needs landing]
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
(In reply to Daniel Veditz from comment #14) > Is this exploitable or just a DoS? It's unclear. Given we have a fix, we may as well treat it conservatively as exploitable.
|
|
||
Comment 22•13 years ago
|
||
According to comment 13 this was checked into mozilla-central in the Firefox7 time frame.
status-firefox5:
--- → unaffected
status-firefox7:
--- → fixed
Whiteboard: [sg:critical?]
Target Milestone: --- → mozilla7
|
||
Comment 23•13 years ago
|
||
qa+ for verification in Firefox 7 using attached testcase.
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
|
|
||
Comment 24•13 years ago
|
||
Changing to qa- as this is an assertion.
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa-]
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•