Bug 732696
Opened 13 years ago
Closed 13 years ago
Invalid write in gfxShapedWord::SetupClusterBoundaries with U+1112C
Categories: Core :: Layout: Text and Fonts, defect
Status: RESOLVED DUPLICATE of bug 732330
People: Reporter: jruderman, Unassigned
Details: 4 keywords, Whiteboard: [sg:critical]
Attachments (1 file): 55 bytes, text/html
The testcase crashes Firefox trunk at random within a few seconds. It's more deterministic (and less crashy) under Valgrind:
> Invalid write of size 4
> at 0xA696696: gfxShapedWord::SetupClusterBoundaries(gfxShapedWord::CompressedGlyph*, unsigned short const*, unsigned int) (gfxFont.cpp:3806)
> by 0xA6A2286: void gfxFontGroup::InitScriptRun<unsigned short>(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int) (gfxFont.cpp:3240)
> by 0xA69E7B6: void gfxFontGroup::InitTextRun<unsigned short>(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int) (gfxFont.cpp:3171)
> by 0xA694E47: gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) (gfxFont.cpp:3076)
> by 0x89ACC44: gfxTextRun* MakeTextRun<unsigned short>(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) (nsTextFrameThebes.cpp:559)
> by 0x8993764: BuildTextRunsScanner::BuildTextRunForFrames(void*) (nsTextFrameThebes.cpp:1972)
> by 0x8991B40: BuildTextRunsScanner::FlushFrames(bool, bool) (nsTextFrameThebes.cpp:1397)
> by 0x89964C9: BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType, float) (nsTextFrameThebes.cpp:1325)
> by 0x89955C3: nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, float, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) (nsTextFrameThebes.cpp:2390)
> by 0x89A7C6B: nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) (nsTextFrameThebes.cpp:7375)
> by 0x895B26D: nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) (nsLineLayout.cpp:870)
> by 0x88CA500: nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) (nsBlockFrame.cpp:3837)
> Address 0x1032926f0 is 0 bytes after a block of size 128 alloc'd
> at 0xC743: malloc (vg_replace_malloc.c:266)
> by 0x7E1C784: moz_malloc (mozalloc.cpp:113)
> by 0xA696E64: gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) (gfxFont.cpp:3977)
> by 0xA69423F: gfxTextRun::Create(gfxTextRunFactory::Parameters const*, void const*, unsigned int, gfxFontGroup*, unsigned int) (gfxFont.cpp:3994)
> by 0xA694E0C: gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) (gfxFont.cpp:3070)
> by 0x89ACC44: gfxTextRun* MakeTextRun<unsigned short>(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) (nsTextFrameThebes.cpp:559)
> by 0x8993764: BuildTextRunsScanner::BuildTextRunForFrames(void*) (nsTextFrameThebes.cpp:1972)
> by 0x8991B40: BuildTextRunsScanner::FlushFrames(bool, bool) (nsTextFrameThebes.cpp:1397)
> by 0x89964C9: BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType, float) (nsTextFrameThebes.cpp:1325)
> by 0x89955C3: nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, float, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) (nsTextFrameThebes.cpp:2390)
> by 0x89A7C6B: nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) (nsTextFrameThebes.cpp:7375)
> by 0x895B26D: nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) (nsLineLayout.cpp:870)
Seems to be a regression from the last few days.
Updated 13 years ago
Whiteboard: [sg:critical]
Comment 1, 13 years ago
This is the same issue as jdaggett encountered in bug 732330, and is already fixed on mozilla-inbound by bug 732443.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated 11 years ago
Group: core-security