173204 - xft build gets X error loading url [hangs or crashes on some URLs] [badrequest, badlength]

Status: RESOLVED WORKSFORME

(Core :: XUL, defect)

Description

[Christopher Blizzard (:blizzard)]

Load the above url and you will see an X error.

Comment 1

[Christopher Blizzard (:blizzard)]

Hmm.  This doesn't crash for me anymore.  dbaron?  How about you?

Comment 2

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Still crashes for me after clicking "Show Full Log" and starting to scroll down.

Comment 3

[Christopher Blizzard (:blizzard)]

I see it now, too.

Gdk-ERROR **: BadRequest (invalid request code or no such operation)
  serial 991482 error_code 1 request_code 207 minor_code 0
Gdk-ERROR **: BadRequest (invalid request code or no such operation)
  serial 991483 error_code 1 request_code 179 minor_code 0

Keith, I'm worried about this one.

Comment 4

[keithp]

The above URL shows only a single comma for me in the log; switching from brief
to full has no effect.

However, this is likely a bug in the Xrender library, or possibly in the X server
itself, although that's much less likely.  One relatively easy way to diagnose
this would be to run mozilla through xscope and analyse the output.  Xscope can
be found in my CVS (linked from http://keithp.com), run it as:

$ xhost +
$ xscope -v4 -i27 >& mozilla.xscope < /dev/null &
$ export DISPLAY=localhost:27
$ mozilla
$ kill %1

Send me a URL pointing at the resulting mozilla.xscope and we'll see where the
problem is.

Comment 5

[Christopher Blizzard (:blizzard)]

http://tinderbox.mozilla.org/showlog.cgi?log=SeaMonkey-Ports/1034699820.10427.gz&fulltext=1

Comment 6

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

http://www.people.fas.harvard.edu/~dbaron/tmp/mozilla.xscope.bz2

Comment 7

[Christopher Blizzard (:blizzard)]

and another one as well:

http://people.redhat.com/blizzard/tmp/mozilla.xscope.bz2

Comment 8

[Aleksey Nogin]

I am getting 100% reproducible Mozilla hang on
http://www.cs.cornell.edu/home/wkiri/Writing/goodkind-wizardsfirstrule.html

I've reduced that page to a smaller example (which was pretty hard - there does
not seem to be any "logic" as to which changes will keep the bug and which will
hide it). I'll attach the small example in a second. With the small example,
Mozilla hangs most of the times, but sometimes it crashes. Here is one example
of a crash:

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 8192 (LWP 8371)]
0x420cdb84 in write () from /lib/i686/libc.so.6
(gdb) bt
#0  0x420cdb84 in write () from /lib/i686/libc.so.6
#1  0x40239b44 in __JCR_LIST__ () from /lib/i686/libpthread.so.0
#2  0x40481810 in XUnlockDisplay () from /usr/X11R6/lib/libX11.so.6
#3  0x4048246f in _X11TransWrite () from /usr/X11R6/lib/libX11.so.6
#4  0x40462532 in _XFlush () from /usr/X11R6/lib/libX11.so.6
#5  0x404623b9 in _XFlush () from /usr/X11R6/lib/libX11.so.6
#6  0x40e5db65 in XRenderCompositeText8 () from /usr/X11R6/lib/libXrender.so.1
#7  0x415127bc in XftGlyphFontSpecRender () from /usr/lib/libXft.so.2
#8  0x4150ccf7 in XftDrawGlyphFontSpec () from /usr/lib/libXft.so.2
#9  0x4150cf1f in XftDrawCharFontSpec () from /usr/lib/libXft.so.2
#10 0x414e7e2d in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgfx_gtk.so
#11 0x414c6789 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgfx_gtk.so
#12 0x414c67e3 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgfx_gtk.so
#13 0x41d2819e in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#14 0x41d27e79 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#15 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#16 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#17 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#18 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#19 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#20 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#21 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#22 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#23 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#24 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#25 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#26 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#27 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#28 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#29 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#30 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#31 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#32 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#33 0x41d3318d in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#34 0x41d33317 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#35 0x41d32de7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#36 0x41c22088 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#37 0x41c21f42 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#38 0x41c21ee7 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#39 0x41c6de2e in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libgklayout.so
#40 0x41dfd072 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#41 0x41e07baa in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#42 0x41e07589 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#43 0x41e0603f in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#44 0x41e08c43 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#45 0x41dfc7c6 in NSGetModule () from /usr/lib/mozilla-1.2b/components/libgkview.so
#46 0x40e32705 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#47 0x40e325a3 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#48 0x40e35cce in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#49 0x40e35dba in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#50 0x40e35afd in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#51 0x40406adf in g_idle_dispatch () from /usr/lib/libglib-1.2.so.0
#52 0x4040597e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#53 0x40405e59 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#54 0x404060f4 in g_main_run () from /usr/lib/libglib-1.2.so.0
#55 0x403056df in gtk_main () from /usr/lib/libgtk-1.2.so.0
#56 0x40e21866 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libwidget_gtk.so
#57 0x40e052d4 in NSGetModule () from
/usr/lib/mozilla-1.2b/components/libnsappshell.so
#58 0x08052a71 in getCountry(nsAString const&, nsAString&) ()
#59 0x080533b0 in main ()
#60 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

I am running BuildID 2002101418 on Red Hat Linux 8.0

Comment 9

[Aleksey Nogin]

Attachment: hang/crash example

Forgot to say - with this example it does not appear to hang or crash when I
have sidebar enabled. As soon as I hide the sidebar, Mozilla hangs. I have not
tried loading it with a smaller window size...

Comment 10

[keithp]

Oops. There's a bug in the Xrender library which miscomputes the length of
CompositeGlyph16 and CompositeGlyph32 requests when the number of glyphs is
between a multiple of 252 and 254.

A trivial work around is to limit calls to fewer than 252 glyphs.

I'll attach a patch for Xrender/Glyph.c so that people can verify the fix.

Comment 11

[keithp]

Attachment: Xrender library patch to fix XRenderCompositeString16/XRenderCompositeString32 length computation

Comment 12

[Christopher Blizzard (:blizzard)]

Now opened as:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=76154

Comment 13

[Peter Bowen]

Is there anyway that the Xrender bug could be worked around in mozilla, even if
it is a only a temporary hack?  I haven't seen this bug show up in other Xft
apps, but mozilla seems to hit it fairly often.

Comment 14

[Sean A]

I get this problem frequently when using XMMS

Comment 15

[Aleksey Nogin]

As suggested by https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=76154 ,
I've upgraded to XFree86-4.2.1-9 and now this WFM.

Comment 16

[Christopher Blizzard (:blizzard)]

*** Bug 183006 has been marked as a duplicate of this bug. ***

Comment 17

[Christopher Blizzard (:blizzard)]

*** Bug 183750 has been marked as a duplicate of this bug. ***

Comment 18

[Christopher Blizzard (:blizzard)]

*** Bug 186210 has been marked as a duplicate of this bug. ***

Comment 19

[Christopher Blizzard (:blizzard)]

*** Bug 187621 has been marked as a duplicate of this bug. ***

Comment 20

[Andrew Schultz]

*** Bug 188624 has been marked as a duplicate of this bug. ***

Comment 21

[Christopher Blizzard (:blizzard)]

*** Bug 190005 has been marked as a duplicate of this bug. ***

Comment 22

[Christopher Blizzard (:blizzard)]

*** Bug 182575 has been marked as a duplicate of this bug. ***

Comment 23

[Bradley Baetz (:bbaetz)]

*** Bug 192388 has been marked as a duplicate of this bug. ***

Comment 24

[Christopher Blizzard (:blizzard)]

*** Bug 196367 has been marked as a duplicate of this bug. ***

Comment 25

[Christopher Blizzard (:blizzard)]

*** Bug 198015 has been marked as a duplicate of this bug. ***

Comment 26

[Antonio M. D'souza]

Attachment: stack trace from visiting http://www-106.ibm.com/developerworks/library/l-jfs.html

Anytime I try to view http://www-106.ibm.com/developerworks/library/l-jfs.html
with a GTK2 moz1.3 build, the browser crashes. I ran it with --sync to retrieve
this backtrace.

Comment 27

[Christopher Blizzard (:blizzard)]

*** Bug 200052 has been marked as a duplicate of this bug. ***

Comment 28

[Mike Vanecek]

Backtrace added to 

http://bugzilla.mozilla.org/show_bug.cgi?id=200052

which is been classifed as duplicate of this bug.

Comment 29

[Andrew Schultz]

*** Bug 201813 has been marked as a duplicate of this bug. ***

Comment 30

[Vincent Lefevre]

This seems to be the same bug...

  http://www.expansys.com/product.asp?code=SL-5000D&asource=

gives:

Gdk-ERROR **: BadLength (poly request too large or internal Xlib length erro
  serial 41637 error_code 16 request_code 1 minor_code 0
Gdk-ERROR **: BadRequest (invalid request code or no such operation)
  serial 41638 error_code 1 request_code 0 minor_code 0
zsh: exit 1     mozilla

when scrolling downwards. This occurs on a Mac under Linux.

Comment 31

[Christopher Blizzard (:blizzard)]

*** Bug 203164 has been marked as a duplicate of this bug. ***

Comment 32

[Andrew Schultz]

*** Bug 204101 has been marked as a duplicate of this bug. ***

Comment 33

[Nicolas Bouillon]

I don't know if it is the same bug, but it looks like.
Opening http://www.lebars.org/sec/tcpa-faq.html crashes Mozilla every time on
Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.3) Gecko/20030430 Debian/1.3-5

Comment 34

[Jo Hermans]

*** Bug 205141 has been marked as a duplicate of this bug. ***

Comment 35

[Christopher Blizzard (:blizzard)]

*** Bug 208510 has been marked as a duplicate of this bug. ***

Comment 36

[Christopher Blizzard (:blizzard)]

*** Bug 209192 has been marked as a duplicate of this bug. ***

Comment 37

[Asa Dotzler [:asa]]

*** Bug 215098 has been marked as a duplicate of this bug. ***

Comment 38

[Karl Tomlinson (:karlt)]

WFM based on https://bugzilla.redhat.com/show_bug.cgi?id=76154#c1
(and that Mozilla doesn't use Xft anymore, though cairo may use similar XRender functions).