Closed Bug 898951 Opened 11 years ago Closed 11 years ago

SVG text crash [@ mozilla::CharIterator::GetOriginalGlyphOffsets]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: jruderman, Assigned: heycam)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
112 bytes, image/svg+xml
Details
stacks
26.78 KB, text/plain
Details
patch
9.15 KB, patch
jwatt
: review+
Details | Diff | Splinter Review
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 61 ###!!! ASSERTION: aPos out of range: 'aPos < GetLength()', file gfxFont.h, line 2673 Crash [@ mozilla::CharIterator::GetOriginalGlyphOffsets] bp-fd40aa3a-c8bd-43ca-b718-754162130729
Attached file stacks
With the undisplayed character in the middle of the ligature, we're not passing in the right values to mTextRun->GetAdvanceWidth in CharIterator::GetGlyphPartialAdvance. We'll need to interpret aPartOffset and aPartLength as values that include those undisplayed characters, converting them into skipped offsets to pass in to GetAdvanceWidth.
Attached patch patchSplinter Review
It turned out to be easier to keep aPartLength not counting undisplayed characters, and to fix up the value in the caller of GetGlyphPartialAdvance. I removed aPartOffset since we were only ever calling it with 0, and it made it easier to track the undisplayed characters within the glyph in CharIterator if we assumed we'd always want the number of undisplayed characters from the beginning of the glyph. Note that nsSVGTextFrame2::DoTextPathLayout doesn't need fixing up, since the indexes it is using are indexes into mPositions, which already does not include undisplayed characters.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #782419 - Flags: review?(jwatt)
No crash on Windows for me. (In reply to Jesse Ruderman from comment #0) > bp-fd40aa3a-c8bd-43ca-b718-754162130729 Build ID 20130723030205 Does it happen with the latest Nightly?
Crash Signature: [@ mozilla::CharIterator::GetOriginalGlyphOffsets] → [@ mozilla::CharIterator::GetOriginalGlyphOffsets(unsigned int&, unsigned int&) const]
Yes, it happens in a newer Nightly. bp-6c654d68-c77b-4f7a-ac63-368c52130729
Attachment #782419 - Flags: review?(jwatt) → review+
https://hg.mozilla.org/mozilla-central/rev/29ac72d08730
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: