Bug 698335 - "ASSERTION: Invalid offset" with bidi, -moz-column, :first-letter
Status: RESOLVED FIXED
Whiteboard: [qa+]
Keywords: assertion, hang, regression, testcase
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Simon Montagu :smontagu
Mentors:
Depends on: CVE-2014-1536
Blocks: randomclasses textfuzzer 578977
Reported: 2011-10-30 22:22 PDT by Jesse Ruderman
Modified: 2014-04-24 06:46 PDT
CC: 8 users
Flags: smontagu: in-testsuite+
Attachments
testcase (hangs Firefox) (200 bytes, text/html), 2011-10-30 22:22 PDT, Jesse Ruderman: no flags
stack traces (16.92 KB, text/plain), 2011-10-30 22:23 PDT, Jesse Ruderman: no flags
Patch (2.47 KB, patch), 2012-01-15 10:47 PST, Simon Montagu :smontagu: roc: review+; akeybl: approval-mozilla-aurora-; akeybl: approval-mozilla-beta-

Description Jesse Ruderman 2011-10-30 22:22:49 PDT
Created attachment 570608 [details]
testcase (hangs Firefox)

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92

###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 7109

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92

###!!! ASSERTION: unconstrained height on totally empty line: 'NS_UNCONSTRAINEDSIZE != aFloatAvailableSpace.mRect.height', file layout/generic/nsBlockFrame.cpp, line 3686

###!!! ASSERTION: redo line on totally empty line with non-empty band...: 'aFloatAvailableSpace.mHasFloats', file layout/generic/nsBlockFrame.cpp, line 3691
Comment 1 Jesse Ruderman 2011-10-30 22:23:22 PDT
Created attachment 570609 [details]
stack traces
Comment 2 Daniel Veditz [:dveditz] 2011-11-16 16:47:10 PST
Is this exploitable or just a DoS/hang? would more/fewer/different characters change the symptoms?
Comment 3 Tanvi Vyas - behind on reviews [:tanvi] 2012-01-11 18:19:57 PST
smontagu - any update here?
Comment 4 Simon Montagu :smontagu 2012-01-15 10:47:40 PST
Created attachment 588753 [details] [diff] [review]
Patch

This is apparently a regression from making a preformatted newline a new bidi paragraph: we need to test whether there are any fluid continuations even beyond the current paragraph, but children of the same block element, and convert them to non-fluid.
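As an added illustration, not the 200-byte testcase attached to comment 0 (whose contents are not reproduced on this page) and not code from the bug or the patch, here is a constructed page that combines the three features named in the summary with the preformatted newline that comment 4 identifies as the trigger: a multi-column block, a :first-letter pseudo-element, right-to-left bidi text, and white-space: pre text containing a newline. It is meant as a crashtest-style smoke test to load in a debug build before and after the fix; whether it reaches the same code path as the original attachment is an assumption, as is the choice to float the first letter.

```html
<!DOCTYPE html>
<!-- Constructed example for this bug's feature combination; not the original attachment. -->
<html>
<head>
<meta charset="utf-8">
<style>
  /* Multi-column container, as in the bug summary (-moz-column). */
  #col { -moz-column-count: 2; column-count: 2; width: 200px; }
  /* :first-letter on the paragraph inside the columns; floating it
     gives the first-letter frame a continuation chain (assumption). */
  #col p::first-letter { font-size: 200%; float: left; }
  /* Preformatted text: the literal newline in the <p> below starts a
     new bidi paragraph (comment 4), so the text frame has fluid
     continuations that belong to a different paragraph of the same block. */
  #col p { white-space: pre; }
</style>
</head>
<body>
<!-- dir="rtl" plus mixed Hebrew/Latin runs makes the bidi resolver split the text. -->
<div id="col" dir="rtl">
<p>&#x05D0;&#x05D1;&#x05D2; abc
&#x05D3;&#x05D4; def &#x05D5;</p>
</div>
</body>
</html>
```

Load it in a debug build with assertions enabled; the expected outcome on a fixed build is that no "Invalid offset" or "Text run does not map enough text for our reflow" assertions fire and the page finishes loading.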
Comment 6 Simon Montagu :smontagu 2012-01-18 22:56:57 PST
https://hg.mozilla.org/mozilla-central/rev/60add44419ef
Comment 7 Daniel Veditz [:dveditz] 2012-01-24 18:52:47 PST
Do we need to land this on Aurora as a security bug or did it turn out benign and we can unhide the bug? If it really is a potentially sg:critical bug we maybe shouldn't have called it out in the Platform meeting, especially with a checked-in crashtest.
Comment 8 Simon Montagu :smontagu 2012-01-24 21:40:28 PST
Regression window is http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a666b4f809f0&tochange=953f9620f395, which is not what I expected: possibly bug 578977?
Comment 9 Simon Montagu :smontagu 2012-01-24 21:46:27 PST
Comment on attachment 588753 [details] [diff] [review]
Patch

This doesn't seem exploitable to me, but since we have a simple patch let's fix it on aurora and beta.

[Approval Request Comment]
Regression caused by (bug #): 578977(? see comment 8)
User impact if declined: hangs and possible crashes
Testing completed (on m-c, etc.): baked 6 days on m-c, has crashtest.
Risk to taking this patch (and alternatives if risky): minimal.
Comment 10 Mats Palmgren (:mats) 2012-01-25 07:25:07 PST
(In reply to Simon Montagu from comment #8)
> possibly bug 578977?

Confirmed by reverting bug 578977 in an Aurora debug build on Linux.
Bug 578977 did change some things that affects next-in-flows of first-letter
frames, so it makes sense.
Comment 11 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com] 2012-01-25 15:00:30 PST
given comment 9 I think we can hold off on this given timing for 10. But we should be able to land this on Aurora, we can cover that in the next triage/channel mtg.
Comment 12 Alex Keybl [:akeybl] 2012-01-26 15:41:08 PST
Comment on attachment 588753 [details] [diff] [review]
Patch

[Triage Comment]
We don't have any evidence that this is exploitable or causing significant user pain - let's let this ride the train.
Comment 13 Virgil Dicu [:virgil] [QA] 2012-04-19 07:03:23 PDT
Verified using a Linux debug build on Ubuntu 11.10 with the beta debug build (18.4.2012): no hang/assertion when loading the test case from comment 0.
