Bug 66856 (Closed)
ABR in nsTextFrame::PaintAsciiText(...) (causing crash)
Opened 24 years ago, closed 24 years ago
Categories: Core :: Layout, defect
People: Reporter: bratell, Assigned: shanjian
Keywords: crash
I ran Mozilla (the news part mainly) under Purify and one of the bad-looking
errors I got was an Array Bounds Read in nsTextFrame::PaintAsciiText(...) at
line 2536, which is the line marked with a '>' below.
  } else {
    text = frag->Get1b() + mContentOffset;
    textLength = mContentLength;
    // See if we should skip leading whitespace
    if (0 != (mState & TEXT_SKIP_LEADING_WS)) {
      while ((textLength > 0) && XP_IS_SPACE(*text)) {
        text++;
        textLength--;
      }
    }
    // See if the text ends in a newline
>   if ((textLength > 0) && (text[textLength - 1] == '\n')) {
      textLength--;
    }
    NS_ASSERTION(textLength >= 0, "bad text length");
  }
[E] ABR: Array bounds read in nsTextFrame::PaintAsciiText(nsIPresContext *,nsIRenderingContext&,nsIStyleContext *,TextStyle::nsTextFrame&,int,int) {1 occurrence}
    Reading 1 byte from 0x09baf281 (1 byte at 0x09baf281 illegal)
    Address 0x09baf281 is 4 bytes past the end of a 22 byte block at 0x09baf268
    Address 0x09baf281 points to a malloc'd block in heap 0x02ab0000
I wonder if this has anything to do with mContentOffset sometimes being read
without being initialized which I reported in another bug.
The top of the stack is:
    nsTextFrame::PaintAsciiText(nsIPresContext *,nsIRenderingContext&,nsIStyleContext *,TextStyle::nsTextFrame&,int,int) [nsTextFrame.cpp:2536]
    nsTextFrame::Paint(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsTextFrame.cpp:1262]
    nsContainerFrame::PaintChild(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsIFrame *,nsFramePaintLayer) [nsContainerFrame.cpp:209]
    nsBlockFrame::PaintChildren(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsBlockFrame.cpp:6407]
    nsBlockFrame::Paint(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsBlockFrame.cpp:6284]
    nsBoxFrame::PaintChild(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsIFrame *,nsFramePaintLayer) [nsBoxFrame.cpp:1373]
    nsBoxFrame::PaintChildren(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsBoxFrame.cpp:1509]
    nsBoxFrame::Paint(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsBoxFrame.cpp:1326]
    nsBoxFrame::PaintChild(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsIFrame *,nsFramePaintLayer) [nsBoxFrame.cpp:1373]
    nsBoxFrame::PaintChildren(nsIPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer) [nsBoxFrame.cpp:1509]
Comment 2 (Reporter) • 24 years ago
I just crashed on this location so I will add crash keyword.
It happened while reading mails.
text = "netscape.public.mozilla.org"
textLength = mContentLength = 65 (much more than the real length of the
string)
mState = 0x40000434
Severity: normal → critical
Keywords: crash
Summary: ABR in nsTextFrame::PaintAsciiText(...) → ABR in nsTextFrame::PaintAsciiText(...) (causing crash)
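The two comments above pin the failure down: the block trusts mContentLength (65 in the crash) as the number of bytes behind text, while the fragment in fact held far fewer, so text[textLength - 1] lands past the end of the malloc'd block. The following C program is an added example, not code from this bug or from Mozilla's tree: it models the fragment as a buffer that knows its own length, reports arithmetically whether the original block would read out of bounds for a given offset/length pair, and shows the hardened form that clamps the length to what the fragment actually holds before any byte is read. The Fragment and FrameState types, is_space, and the TEXT_SKIP_LEADING_WS setting for the crash (assumed clear; the bug only gives mState = 0x40000434) are assumptions of this example; the string and the length 65 are the values from Comment 2.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 1-byte text fragment PaintAsciiText reads
 * from (frag->Get1b()). The real nsTextFragment is not modelled; what
 * matters here is that the fragment knows its own true length, which the
 * block quoted in the bug never consults. */
typedef struct {
    const char *data;
    size_t      length;   /* bytes actually present in data */
} Fragment;

/* The frame fields that drive the quoted block. Names mirror the bug. */
typedef struct {
    int offset;           /* mContentOffset */
    int length;           /* mContentLength, trusted as-is by the original */
    int skip_leading_ws;  /* nonzero when TEXT_SKIP_LEADING_WS is set */
} FrameState;

/* Minimal stand-in for XP_IS_SPACE (assumption of this example). */
static int is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Returns 1 when the original block would read outside frag->data, i.e.
 * when the whitespace loop or the trailing-newline test
 * text[textLength - 1] would touch a byte past the fragment. Purely
 * arithmetic: no byte outside the fragment is dereferenced here. */
int original_check_reads_oob(const Fragment *frag, const FrameState *fs)
{
    if (fs->offset < 0 || (size_t)fs->offset > frag->length)
        return 1;                                /* text itself is already past the block */
    long avail       = (long)(frag->length - (size_t)fs->offset);
    long textLength  = fs->length;
    const char *text = frag->data + fs->offset;
    if (fs->skip_leading_ws) {
        while (textLength > 0 && avail > 0 && is_space(*text)) {
            text++; textLength--; avail--;
        }
        if (textLength > 0 && avail == 0)
            return 1;                            /* *text in the loop condition is OOB */
    }
    return textLength > 0 && textLength > avail; /* text[textLength - 1] is OOB */
}

/* Hardened form of the block: clamp mContentLength to what the fragment
 * actually holds from mContentOffset on, then apply the same two
 * adjustments. Returns the final textLength (>= 0), or -1 when the offset
 * alone is already past the fragment and nothing should be painted. */
long paint_ascii_text_length(const Fragment *frag, const FrameState *fs)
{
    if (fs->offset < 0 || (size_t)fs->offset > frag->length)
        return -1;
    const char *text = frag->data + fs->offset;
    long avail       = (long)(frag->length - (size_t)fs->offset);
    long textLength  = fs->length;
    if (textLength < 0)
        textLength = 0;
    else if (textLength > avail)
        textLength = avail;                      /* the check the original lacks */
    if (fs->skip_leading_ws) {
        while (textLength > 0 && is_space(*text)) {
            text++;
            textLength--;
        }
    }
    if (textLength > 0 && text[textLength - 1] == '\n')
        textLength--;
    return textLength;
}

/* Comment 2's numbers, constructed here: a 27-byte string painted with
 * mContentLength = 65. TEXT_SKIP_LEADING_WS is assumed clear. */
static const char kComment2Text[] = "netscape.public.mozilla.org";
const Fragment    kComment2Frag   = { kComment2Text, sizeof(kComment2Text) - 1 };
const FrameState  kComment2State  = { 0, 65, 0 };

/* A second constructed case exercising the whitespace skip and the
 * trailing newline with an in-bounds length. */
static const char kWsText[]   = "  hi\n";
const Fragment    kWsFrag     = { kWsText, sizeof(kWsText) - 1 };
const FrameState  kWsState    = { 0, 5, 1 };
const FrameState  kPastState  = { 9, 1, 0 };   /* offset beyond the fragment */

int main(void)
{
    printf("Comment 2: original check reads OOB = %d, clamped textLength = %ld\n",
           original_check_reads_oob(&kComment2Frag, &kComment2State),
           paint_ascii_text_length(&kComment2Frag, &kComment2State));
    printf("\"  hi\\n\" with leading-ws skip: textLength = %ld\n",
           paint_ascii_text_length(&kWsFrag, &kWsState));
    return 0;
}
```

The clamp is the whole fix at this site; it does not explain why mContentLength was 65 in the first place, which is the point Comment 4 makes about the real defect probably lying elsewhere. Running the unclamped logic against such input under Purify or AddressSanitizer reproduces the 1-byte read past the block.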
Comment 4 (Assignee) • 24 years ago
I took a look at this bug. It is hard to spot any problem. There is only one
place where mContentLength is assigned. From Daniel's comment, it seems
mContentLength is not correct. If that is true, the problem might be far away
from this block of code.
Please try to provide a reproducible test case.
Comment 5 (Assignee) • 24 years ago
I believe this is a duplicate of 73291.
*** This bug has been marked as a duplicate of 73291 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE