Last Comment Bug 736210 - "ASSERTION: Don't know how to merge this stuff" with astral char, ß text-transformed to SS
: "ASSERTION: Don't know how to merge this stuff" with astral char, ß text-tran...
Status: RESOLVED FIXED
: assertion, regression, testcase
Product: Core
Classification: Components
Component: Layout: Text (show other bugs)
: Trunk
: x86_64 Mac OS X
: -- normal (vote)
: mozilla14
Assigned To: Jonathan Kew (:jfkthame)
:
Mentors:
Depends on:
Blocks: randomstyles textfuzzer 605021
  Show dependency treegraph
 
Reported: 2012-03-15 12:16 PDT by Jesse Ruderman
Modified: 2012-04-02 15:51 PDT (History)
2 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
fixed


Attachments
testcase (69 bytes, text/html)
2012-03-15 12:16 PDT, Jesse Ruderman
no flags Details
stack traces (22.30 KB, text/plain)
2012-03-15 12:16 PDT, Jesse Ruderman
no flags Details
patch, don't set 'true' in charsToMerge array for surrogates (937 bytes, patch)
2012-03-16 11:43 PDT, Jonathan Kew (:jfkthame)
smontagu: review+
Details | Diff | Splinter Review

Description Jesse Ruderman 2012-03-15 12:16:21 PDT
Created attachment 606319 [details]
testcase

###!!! ASSERTION: Don't know how to merge this stuff: 'mergeRunStart == k || (g.IsClusterStart() && g.IsLigatureGroupStart())', file layout/generic/nsTextRunTransformations.cpp, line 212

###!!! ASSERTION: Bad offset calculations: 'offset == aDest->GetLength()', file layout/generic/nsTextRunTransformations.cpp, line 236

I'm guessing this is a regression from bug 605021.

The first assertion is not the same as the one in bug 536242, fwiw.
Comment 1 Jesse Ruderman 2012-03-15 12:16:41 PDT
Created attachment 606320 [details]
stack traces
Comment 2 Jonathan Kew (:jfkthame) 2012-03-16 11:43:52 PDT
Created attachment 606657 [details] [diff] [review]
patch, don't set 'true' in charsToMerge array for surrogates
Comment 3 Daniel Veditz [:dveditz] 2012-03-21 10:54:54 PDT
I can't tell from the patch whether this is actually a security bug or not -- what does that change do?
Comment 4 Jonathan Kew (:jfkthame) 2012-03-23 05:18:33 PDT
AFAICT, this doesn't actually constitute a security problem. The error means that the association between underlying text characters and displayed glyphs is incorrect, because of an indexing error when reconstructing the transformed textrun, but it doesn't cause us to overrun a buffer or anything dangerous like that; the "offset" that's used as an index into the new run ends up short of the end of the run, not beyond it.

(To see an effect of the bug, try
  data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo
Comment 5 Jonathan Kew (:jfkthame) 2012-03-23 05:20:53 PDT
(In reply to Jonathan Kew (:jfkthame) from comment #4)
> (To see an effect of the bug, try
>   data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo

Excuse the truncated comment; apparently something (my browser? bugzilla?) didn't like the supplementary-plane character!
Comment 6 Jonathan Kew (:jfkthame) 2012-03-23 05:51:22 PDT
FTR, filed bug 738609 regarding the inability to include supplementary-plane text in a bugzilla comment.
Comment 8 Ed Morley [:emorley] 2012-03-24 14:14:47 PDT
https://hg.mozilla.org/mozilla-central/rev/23cf3da09191

Note You need to log in before you can comment on or make changes to this bug.