Bug 444452 - Crash with adding weird character into input
Status: VERIFIED FIXED
Whiteboard: [sg:critical?][fixed by bug 445711]
Keywords: crash, regression, testcase, verified1.9.0.2, verified1.9.1
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86 Windows XP
Importance: P1 critical
Assigned To: Simon Montagu
QA Contact: thebes
Dependency: 378457
Reported: 2008-07-09 14:59 PDT by Martijn Wargers [:mw22] (QA - IRC nick: mw22)
Modified: 2008-12-30 11:17 PST (History)
vladimir: blocking1.9.1+
samuel.sidler+old: blocking1.9.0.2+
samuel.sidler+old: wanted1.9.0.x+

Attachments
testcase (354 bytes, text/html), 2008-07-09 14:59 PDT, Martijn Wargers [:mw22] (QA - IRC nick: mw22)
backtrace from debug build (12.66 KB, text/plain), 2008-07-09 15:00 PDT, Martijn Wargers [:mw22] (QA - IRC nick: mw22)

Description Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-07-09 14:59:01 PDT
Created attachment 328755
testcase

See testcase, which usually crashes within 10s after load.

I got this with the indic IME extension, when pressing the letter 'g' constantly, while Hindi language was selected and Inscript keyboard.

This regressed between 2007-08-28 and 2007-08-29:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+08&cvsroot=%2Fcvsroot
I think a regression from bug 378457.
Comment 1 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-07-09 15:00:51 PDT
Created attachment 328757
backtrace from debug build

VC express also complained about heap corruption, btw.

 	msvcr80d.dll!__free_dbg_nolock()  + 0x313 bytes	
 	msvcr80d.dll!__free_dbg()  + 0x4e bytes	
 	msvcr80d.dll!_free()  + 0xe bytes	
>	nspr4.dll!PR_Free(void * ptr=0x055740e8)  Line 536 + 0xa bytes	C
 	xpcom_core.dll!NS_Free_P(void * ptr=0x055740e8)  Line 303 + 0xa bytes	C++
 	xpcom_core.dll!nsTArray_base::ShrinkCapacity(unsigned int elemSize=2)  Line 130 + 0xb bytes	C++
 	xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0, unsigned int oldLen=137, unsigned int newLen=0, unsigned int elemSize=2)  Line 163	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::RemoveElementsAt(unsigned int start=0, unsigned int count=137)  Line 601	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::Clear()  Line 611	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::~nsTArray<tag_SCRIPT_VISATTR>()  Line 267 + 0xf bytes	C++
 	thebes.dll!nsAutoTArray<tag_SCRIPT_VISATTR,76>::~nsAutoTArray<tag_SCRIPT_VISATTR,76>()  + 0xf bytes	C++
 	thebes.dll!UniscribeItem::~UniscribeItem()  Line 1269 + 0x46 bytes	C++
 	thebes.dll!UniscribeItem::`scalar deleting destructor'()  + 0xf bytes	C++
 	thebes.dll!nsAutoPtr<UniscribeItem>::~nsAutoPtr<UniscribeItem>()  Line 104 + 0x1e bytes	C++
 	thebes.dll!gfxWindowsFontGroup::InitTextRunUniscribe(gfxContext * aContext=0x0566d1f0, gfxTextRun * aRun=0x053f8cf0, const unsigned short * aString=0x001298e4, unsigned int aLength=81)  Line 2229 + 0x8 bytes	C++
 	thebes.dll!gfxWindowsFontGroup::MakeTextRun(const unsigned short * aString=0x001298e4, unsigned int aLength=81, const gfxTextRunFactory::Parameters * aParams=0x00129e78, unsigned int aFlags=17826305)  Line 935	C++
 	thebes.dll!TextRunWordCache::MakeTextRun(const unsigned short * aText=0x0012b35c, unsigned int aLength=80, gfxFontGroup * aFontGroup=0x06176b70, const gfxTextRunFactory::Parameters * aParams=0x0012b2dc, unsigned int aFlags=17826304)  Line 532 + 0x31 bytes	C++
etc...
Comment 2 Jesse Ruderman 2008-07-10 23:07:08 PDT
Can you figure out what character was being inserted (e.g. using an oninput attribute) and then try to reproduce the bug without IME?
Comment 3 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-07-11 04:55:57 PDT
See the testcase; it can be reproduced with the IME extension. The 'ु' character is being inserted.
I can imagine that some people are even using these kinds of characters, so request for blocking.
Comment 4 Vladimir Vukicevic (:vlad) 2008-07-15 13:06:43 PDT
Stuart, can you take a look at this?
Comment 5 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-07-19 15:13:31 PDT
This is probably the same bug as bug 445711.
Comment 6 Simon Montagu 2008-07-20 13:41:34 PDT
I don't think this is the same as bug 445711. The issue there is a buffer overrun triggered by the fact that the single character "ௌ" is rendered as three glyphs.
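As an added C illustration of the mechanism in comment 6 (not code from this bug or from Mozilla's thebes), the fragile caller below sizes its glyph buffer by input character count, while the hardened one honours the shaper's "buffer too small" result and retries with the count it reported. The toy_shape shaper, its glyph ids and the sample strings are constructed; the only real-API fact relied on is that Uniscribe's ScriptShape reports an undersized cMaxGlyphs as an error rather than writing past it.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for Uniscribe's ScriptShape: like the real API it never
   writes past max_glyphs, returning TOY_E_OUTOFMEMORY and the required count in
   *nglyphs instead. Hypothetical rule: U+0BCC (TAMIL VOWEL SIGN AU, comment 6)
   shapes to three glyphs, every other code unit to one. */
#define TOY_AU            0x0BCC
#define TOY_OK            0
#define TOY_E_OUTOFMEMORY (-1)
static int toy_shape(const uint16_t *chars, size_t nchars,
                     uint16_t *glyphs, size_t max_glyphs, size_t *nglyphs)
{
    size_t needed = 0, g = 0;
    for (size_t i = 0; i < nchars; i++)
        needed += (chars[i] == TOY_AU) ? 3 : 1;
    *nglyphs = needed;
    if (needed > max_glyphs)
        return TOY_E_OUTOFMEMORY;         /* refuse rather than overrun */
    for (size_t i = 0; i < nchars; i++) {
        if (chars[i] != TOY_AU) { glyphs[g++] = chars[i]; continue; }
        glyphs[g++] = 0xF001; glyphs[g++] = 0xF002; glyphs[g++] = 0xF003;
    }
    return TOY_OK;
}
/* Fragile caller: glyph buffer sized by character count. The stand-in makes it
   fail cleanly (returns 0); a caller that ignores that error, or a buffer the
   shaper does not bounds-check, turns the same mistake into a heap overrun. */
size_t shape_one_glyph_per_char(const uint16_t *chars, size_t nchars)
{
    size_t n = 0;
    uint16_t *buf = malloc(nchars * sizeof *buf);
    int rc = buf ? toy_shape(chars, nchars, buf, nchars, &n) : TOY_E_OUTOFMEMORY;
    free(buf);
    return rc == TOY_OK ? n : 0;
}

/* Hardened caller: on "buffer too small", grow to the reported count and retry. */
size_t shape_with_retry(const uint16_t *chars, size_t nchars)
{
    size_t cap = nchars ? nchars : 1, n = 0;
    uint16_t *buf = NULL, *p;
    while ((p = realloc(buf, cap * sizeof *p)) != NULL) {
        buf = p;
        if (toy_shape(chars, nchars, buf, cap, &n) == TOY_OK) { free(buf); return n; }
        cap = n;                          /* shaper said how many glyphs it needs */
    }
    free(buf);                            /* realloc failed */
    return 0;
}
```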
Comment 7 Simon Montagu 2008-07-20 14:28:54 PDT
That said, the patch from bug 445711 seems to fix this too, so what do I know?
Comment 8 Simon Montagu 2008-08-15 04:22:52 PDT
Should be fixed by bug 445711, please reopen if there is still a problem.
Comment 9 Marcia Knous [:marcia] 2008-08-21 15:37:54 PDT
Verified fixed on the 1.9.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2pre) Gecko/2008082105 GranParadiso/3.0.2pre. I verified using the testcase that was provided by martijn.
Comment 10 Carsten Book [:Tomcat] 2008-10-10 14:18:52 PDT
Verified fixed on 1.9 Beta 1 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1 and the testcase from martijn. No crash on testcase -> Verified fixed.
Comment 11 Marcia Knous [:marcia] 2008-12-30 11:17:53 PST
Based on Comment 10 I am updating the 1.9.1 keyword to indicate this has been verified.
