Crash with getStartPositionOfChar, svg.text.css-frames.enabled

RESOLVED FIXED in mozilla22

Status


defect
critical
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: longsonr)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla22

Firefox Tracking Flags

(Not tracked)


Attachments

(3 attachments)

Posted image testcase
With:
  user_pref("svg.text.css-frames.enabled", true);

Crash [@ gfxSkipCharsIterator::SetOffsets]
Posted file stack
On Windows: bp-a59c21b6-9b55-4b17-8d91-7c8652130311.
Crash Signature: [@ gfxSkipCharsIterator::SetOffsets(unsigned int, bool) ]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → longsonr
Posted patch patch
Bug 843072 was almost right but not quite. We need to check we're at the end before calling Next(chars).
Attachment #724061 - Flags: review?(dholbert)
Attachment #724061 - Attachment is patch: true
The kid stuff is unused code and never gets hit.
Comment on attachment 724061 [details] [diff] [review]
patch

r=me, but this also means that Next() is buggy (or at least doesn't hold up to its documentation)

It's currently documented as follows:
> 2037   /**
> 2038    * Advances ahead aCount matching characters.  Returns true if there were
> 2039    * enough characters to advance past, and false otherwise.
> 2040    */
> 2041   bool Next(uint32_t aCount);
which implies that it should just return false (not crash) if we're at the end & try to advance.

Could you file a followup on fixing that?  Not sure if it'll still be possible to trigger that behavior after this bug's fixed, but it's a footgun waiting to be loaded when someone adds a Next() call elsewhere and trusts its documentation to be accurate. :)
Attachment #724061 - Flags: review?(dholbert) → review+
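The review above turns on the documented contract of Next(): advance past aCount matching characters and return false, rather than running off the end, when there are not enough. The following is an added illustration, not Gecko code and not the real gfxSkipCharsIterator: a hypothetical, deliberately simplified iterator whose Next() honors that contract (returns false and leaves its position untouched when fewer than aCount rendered characters remain), plus a caller written in the shape of the fix, guarding on end-of-run before asking the iterator to advance. Names (SafeSkipIterator, ConsumeChunks, IsAtEnd, Remaining, OriginalOffset) are invented for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical stand-in for a "skip chars" iterator over a text run (example code,
// not Gecko's gfxSkipCharsIterator). Index i of mSkipped is true when original
// character i is skipped, i.e. produces no rendered glyph (think collapsed whitespace).
class SafeSkipIterator {
public:
  explicit SafeSkipIterator(std::vector<bool> aSkipped)
    : mSkipped(std::move(aSkipped)), mPos(0) {}

  // True once the original offset has reached the end of the run.
  bool IsAtEnd() const { return mPos >= mSkipped.size(); }

  // Count of rendered (non-skipped) characters at or after the current position.
  uint32_t Remaining() const {
    uint32_t n = 0;
    for (size_t i = mPos; i < mSkipped.size(); ++i) {
      if (!mSkipped[i]) ++n;
    }
    return n;
  }

  // Advances ahead aCount rendered characters. Returns true if there were enough
  // characters to advance past, and false otherwise. On false the position is
  // unchanged: the bounds check happens before any state is committed, so a
  // caller that trusts the documentation cannot be walked past the end.
  bool Next(uint32_t aCount) {
    size_t pos = mPos;
    uint32_t matched = 0;
    while (matched < aCount && pos < mSkipped.size()) {
      if (!mSkipped[pos]) ++matched;
      ++pos;
    }
    if (matched < aCount) return false;
    mPos = pos;
    return true;
  }

  // Current offset in original-character space.
  size_t OriginalOffset() const { return mPos; }

private:
  std::vector<bool> mSkipped;
  size_t mPos;
};

// Caller written in the shape of the fix discussed in this bug: check for end of
// run before calling Next(), and also stop if Next() reports it could not advance.
// Returns how many chunks were consumed.
uint32_t ConsumeChunks(SafeSkipIterator& aIter, const std::vector<uint32_t>& aChunks) {
  uint32_t consumed = 0;
  for (uint32_t chars : aChunks) {
    if (aIter.IsAtEnd()) break;     // the guard the patch adds before Next(chars)
    if (!aIter.Next(chars)) break;  // the contract the documentation promises
    ++consumed;
  }
  return consumed;
}
```

The test below walks a constructed run of four original characters where the second is skipped, so three are rendered; the interesting cases are the partial advance that must fail without moving, and the advance attempted at the very end.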
Created bug 655877 per cooment 5
(In reply to Robert Longson from comment #8)
> Created bug 655877 per cooment 5

looks like a mis-paste?
yeah, comment 7 meant to say "bug 850655"
can't type comment either :-(
https://hg.mozilla.org/mozilla-central/rev/bbde2235d308
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22