Closed Bug 97516 Opened 24 years ago Closed 24 years ago

crash in nsRenderingContextWin::GetWidth() in certain situation

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: shanjian, Assigned: shanjian)

Details

(Keywords: crash)

Attachments

(3 files)

proposed patch
1.21 KB, patch
Details | Diff | Splinter Review
update patch as suggested by brendan
484 bytes, patch
Details | Diff | Splinter Review
The patch that fix the real problem
527 bytes, patch
waterson
: superreview+
asa
: approval+
Details | Diff | Splinter Review
This bug was sprawn from bugscape 8832. It is reproducible an embed product. I believe this problem also happens in certain situation with other mozilla based product. In following code, nsFontWin** end = &metrics->mLoadedFonts[metrics->mLoadedFontsCount]; while (font < end) { if (FONT_HAS_GLYPH((*font)->mMap, c)) { currFont = *font; goto FoundFont; // for speed -- avoid "if" statement } mLoadedFontsCount is not initiated. In certain situation, (font < end) is true, but *font is null or invalide value, that will lead to a crash.
Attached patch proposed patchSplinter Review
confirming
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
accepting
Status: NEW → ASSIGNED
roy review the patch in bugscape 8832.
Looks ok to me, but I'd like r=yokoyama on this latest patch only, recorded here, and then one of the SRs cc'd can sr= this patch, too. /be
Interesting, the nsFontMetricsWin class has NS_DECL_AND_IMPL_ZEROING_OPERATOR_NEW, defined in http://lxr.mozilla.org/seamonkey/source/xpcom/ds/nsCRT.h#51 Isn't this supposed to zero everything, including therefore mLoadedFontsCount?
Let's ask scc! /be
I finally reproduce the problem with a testcase found in bugscape 9036. The real problem is that sometimes null pointer is assigned to mLoadedFonts array. The previous patch (attachment 45784 [details]) does not fix any problem.
FYI, I still could not reproduce the problem with trunk build, but I believe the problem exist. We only do not know how to make it happen. I also checked all places where mLoadedFonts array is assigned, and everything seems fine except the problematic pointer as shown in my patch.
Yep, that patch looks more sensible to me. A fall-through error code path that wasn't accounted for. I had this corrected in my font changes. r=rbs
Comment on attachment 48340 [details] [diff] [review] The patch that fix the real problem sr=waterson
Attachment #48340 - Flags: superreview+
fix checked in to trunk.
Comment on attachment 48340 [details] [diff] [review] The patch that fix the real problem a=asa for checkin to 0.9.4 branch
Attachment #48340 - Flags: approval+
fix checked in to 0.9.4 branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking verified per last comments.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: