Closed
Bug 226623
Opened 21 years ago
Closed 21 years ago
XFT crashes on PLHashRawAdd
Categories
(Core Graveyard :: GFX: Gtk, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: charles.fenwick, Assigned: bryner)
References
Details
(Keywords: crash, regression)
Attachments
(7 files, 2 obsolete files)
11.14 KB,
text/plain
|
Details | |
901 bytes,
patch
|
Details | Diff | Splinter Review | |
921 bytes,
patch
|
Details | Diff | Splinter Review | |
45.55 KB,
text/plain
|
Details | |
1.78 KB,
text/plain
|
Details | |
2.17 KB,
text/plain
|
Details | |
12.13 KB,
patch
|
benjamin
:
review+
bryner
:
superreview+
tor
:
approval1.6+
|
Details | Diff | Splinter Review |
After updating tonight (after being away from Linux for a few days,) my GTK2+XFT build now crashes at various sites. Haven't found a 100% way to reproduce the crash, but the sequence of logging into Yahoo Mail, going to the Inbox, and clicking on a message can trigger the crash (sometimes).
Reporter | ||
Comment 1•21 years ago
|
||
backtrace
Reporter | ||
Comment 2•21 years ago
|
||
Well, I did cvs update -j1.35 -j1.34 gfx/src/gtk/nsFontMetricsXft.cpp and still got the crash. But, after doing cvs update -j1.34 -j1.33 gfx/src/gtk/nsFontMetricsXft.cpp cvs update -j1.10 -j1.9 gfx/src/gtk/nsFontMetricsXft.h it *seems* that the crash no longer occurs (and the lizard runs happier in general). It looks like this is a regression from bug 223813.
Assignee: blizzard → bryner
Keywords: regression
Assignee | ||
Comment 3•21 years ago
|
||
Does this happen on a particular URL?
Assignee | ||
Comment 4•21 years ago
|
||
Sorrry, should have read closer. Investigating.
Assignee | ||
Comment 5•21 years ago
|
||
What version of fontconfig and Xft do you have on your system?
Assignee | ||
Comment 6•21 years ago
|
||
This is my best guess at a fix from looking at the stack. It ensures that if we loaded a best-match font, and then later load all fonts, we don't add the best-match font to the hashtable again (which I think is what NSPR is complaining about).
Reporter | ||
Comment 7•21 years ago
|
||
This patch improves the situation significantly. I've done about 45 minutes of testing and it appears that the browser doesn't crash during routine browsing. However, I can still make it crash if I try hard enough. Opening a few different websites in tabs simultaneously can do the trick as can going to my spam folder on Yahoo Mail and going through spam mails in rapid sequence. I don't consider either case to be routine browsing (for me anyhow).
Assignee | ||
Comment 8•21 years ago
|
||
If you could apply this patch and attach the log output (if it's not too large) that would really be helpful. Just redirect stdout to a file, i.e. ./mozilla > xft.log
Reporter | ||
Comment 9•21 years ago
|
||
by request...
Assignee | ||
Comment 10•21 years ago
|
||
Something is certainly amuck given how many times we add Arial to the hashtable (in theory we should have already checked to see if it was there).
Assignee | ||
Comment 11•21 years ago
|
||
I'm not able to reproduce any behavior like that with a reduced testcase using PLHashTable. I add Times New Roman, Verdana, and Arial, and it subsequently finds Arial on a lookup. What compiler version and configure options are you using? I guess another possibility is heap corruption causing the hashtable to become confused...
Reporter | ||
Comment 12•21 years ago
|
||
about:buildconfig Build platform target i686-pc-linux-gnu Build tools Compiler Version Compiler flags gcc gcc version 3.3.1 (SuSE Linux) -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe c++ gcc version 3.3.1 (SuSE Linux) -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include Configure arguments --enable-default-toolkit=gtk2 --enable-crypto --enable-xft
Reporter | ||
Comment 13•21 years ago
|
||
*** Bug 226969 has been marked as a duplicate of this bug. ***
Comment 14•21 years ago
|
||
I just experienced a crash. My build was compiled with g++ 3.2.2 (20030222) on Redhat 9.0 (with gtk1 instead of gtk2) It happended only a few seconds into my session, but I didn't apply attachment 136353 [details] [diff] [review], yet. I'll try to gather more information.
Comment 15•21 years ago
|
||
I applied attachment 136342 [details] [diff] [review] and 136353 and got the following hash log. It didn't take me long to get Mozilla to crash. It crashed just a couple of minutes into the session.
Comment 16•21 years ago
|
||
It also happens on Gtk1 + Xft. So, it's not gtk2 specific. I'm changing the summary line.
Summary: GTK2+XFT crashes → XFT crashes on PLHashRawAdd
Comment 17•21 years ago
|
||
First a insigth ;-) *I* find the plhash.c unsecure at best. There are no (or no way) to ASSERT( ) incoming data in any of the functions. So If we are feeding those functions with garbage we are sure to 1) to never detect where it happens, 2) Damage the heap (as all but the const functions actually does write). Secondly a question about nsFontMetricsXft.cpp, on line 2998 you happily assume that PL_Hash...( ) never returns null (or garbage). But on line 3031 you check for null. So which is it, can PL_HashTableLookup...( ) return null or not?
Comment 18•21 years ago
|
||
When I fixed bug 176290, I wanted to use nsClassHashTable (then, brand-new), but somehow I couldn't manage to compile it so that I fell back to PLHash. I just tried once more and this time it worked and seems to have fixed this bug. With or without attachment 136342 [details] [diff] [review], Mozilla doesn't crash while without any patch (or attachment 136342 [details] [diff] [review] alone), it crashes only after a couple of site visits.
Comment 19•21 years ago
|
||
Comment on attachment 136946 [details] [diff] [review] patch with nsClassHashTable asking for r/sr.
Attachment #136946 -
Flags: superreview?(blizzard)
Attachment #136946 -
Flags: review?(bryner)
Assignee | ||
Comment 20•21 years ago
|
||
Comment on attachment 136946 [details] [diff] [review] patch with nsClassHashTable >+typedef nsClassHashtable<nsDepCharHashKey, nsFontXftInfo> nsFontXftInfoHash; I'm not convinced that it's safe to use nsDepCharHashKey here. By doing so, you assert that the string lifetime is at least as long as the hashtable entry's. The string is owned by the pattern. In DoMatch(), we release our reference to the font set (and therefore the patterns in it) after calling GetFontXftInfo(). I think it's possible that this will cause the keys to point to freed storage. So we probably need to copy the strings. I don't think there's a template hashtable key type that manages freeing a raw char* for you. I'd say your options are to either use nsCStrings in your hash table (and take the extra bloat that would come from doing so), or switch to using PLDHashTable directly, which would allow you to use raw char* pointers and free them when the entry goes away. I guess another option would be to add a new key type in nsHashKeys.h which frees its string in the dtor. Now I'm wondering if this is the actual cause of the problem with PLHashTable as well...
Comment 21•21 years ago
|
||
bryner, thanks for bringing that up. I'm too preoccupied with the fact that I should not free it to realize that it could be freed behind our back. Using CStringKey would be easiest (I've already made a patch and tested it) but it doesn't come free as you wrote. After removing PLHash-related lines, I'm a bit reluctant to go back to PLDHash (which I guess needs similar auxiliary functions, etc). I can try adding a new keytype to nsHashKeys.h. Anyway, which way do you prefer?
Assignee | ||
Comment 22•21 years ago
|
||
PLDHashTable already contains stub structs and functions that I think do everything we need here. Something like this: class nsFontXftInfo : public PLHashEntryStub { ... }; static const PLDHashTableOps fontHashOps = { PL_DHashAllocTable, PL_DHashFreeTable, PL_DHashGetKeyStub, PL_DHashStringKey, PL_DHashMatchStringKey, PL_DHashMoveEntryStub, PL_DHashFreeStringKey, PL_DHashFinalizeStub, NULL }; Then where you want to add an entry, just do: entry->key = strdup(family); after determining that the entry was not already in the table. I think I'd prefer doing it this way because we don't really gain anything from using nsCString here. Using a new key class in nsHashKeys.h should work exactly the same though, so if you like the C++ interface I'm fine with doing it that way.
Comment 23•21 years ago
|
||
bryner, thanks for help. I added a new KeyType to nsHashKey.h Can you take a look? When calling 'Get', I have to cast away 'const' because I use 'char *' as a key in a new hashkey type. An alternative is to use 'const char *' as a key and cast away const when calling free() in dtor (of a new HashKey class) A third way might be to change the function signature of Get in nsClassHashTable to nsClassHashtable<KeyClass,T>::Get(const KeyType aKey, T** retVal) const from nsClassHashtable<KeyClass,T>::Get(KeyType aKey, T** retVal) const But, I'm not sure that's allowed. What's the effect of 'double const' modifiers (like const const sometype)?
Updated•21 years ago
|
Attachment #136946 -
Attachment is obsolete: true
Updated•21 years ago
|
Attachment #136946 -
Flags: superreview?(blizzard)
Attachment #136946 -
Flags: review?(bryner)
Assignee | ||
Comment 24•21 years ago
|
||
bsmedberg should review the hashtable changes
Comment 25•21 years ago
|
||
Comment on attachment 136968 [details] [diff] [review] a new patch with a new nsHashKey type This needs a little cleanup. >+ if (!gFontXftMaps.IsInitialized()) >+ gFontXftMaps.Init(INITIAL_FONT_MAP_SIZE); >+ if (!gFontXftMaps.IsInitialized()) { // error checking > FreeGlobals(); > return NS_ERROR_OUT_OF_MEMORY; > } This is cleaner thus: if (!gFontXftMaps.IsInitialized() || gFontXftMaps.Init(INITIAL_FONT_MAP_SIZE)) { // etc >+ // cached entry found. >+ if (gFontXftMaps.Get(NS_CONST_CAST(char *, family), &info)) See below, you should make the KeyType a const char* and avoid the cast here. >+ gFontXftMaps.Put(nsCRT::strdup(family), info); The "transfer ownership on construction" model is not good. Let's just construct the class with a const char* and do a strdup in the constructor? >+class NS_COM nsCharPtrHashKey : public PLDHashEntryHdr >+{ >+public: >+ typedef char* KeyType; Use const char*? You don't ever manipulate the string. >+ typedef const char* KeyTypePointer; >+ >+ nsCharPtrHashKey(const char* aKey) : mKey(NS_CONST_CAST(char *, aKey)) { } >+ nsCharPtrHashKey(const nsCharPtrHashKey& toCopy) : >+ mKey(nsCRT::strdup(toCopy.mKey)) { } nsCRT::strdup is deprecated, use plain strdup >+ ~nsCharPtrHashKey() { CRTFREEIF(mKey); } and use if (mKey) free(mKey) here. >+ >+ const char* GetKey() const { return mKey; } >+ const char* GetKeyPointer() const { return mKey; } >+ PRBool KeyEquals(KeyTypePointer aKey) const >+ { >+ return !strcmp(mKey, aKey); >+ } >+ >+ static KeyTypePointer KeyToPointer(KeyType aKey) { return aKey; } >+ static PLDHashNumber HashKey(KeyTypePointer aKey) { return nsCRT::HashCode(aKey); } >+ >+ enum { ALLOW_MEMMOVE = PR_TRUE }; >+ >+private: >+ char* mKey; const char* here also (you can delete a const *) >+}; >+ > #endif // nsTHashKeys_h__
Attachment #136968 -
Flags: review-
Comment 26•21 years ago
|
||
I switched KeyType to const char *. I still have to cast away const when calling free() in dtor because the buffer is allocated by strdup so that I can't use |delete|.
Attachment #136968 -
Attachment is obsolete: true
Comment 27•21 years ago
|
||
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment Oh yeah, free() doesn't take const pointers like delete does... grr. r=me
Attachment #137061 -
Flags: review+
Comment 28•21 years ago
|
||
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment thanks for r. asking for sr.
Attachment #137061 -
Flags: superreview?(bryner)
Assignee | ||
Updated•21 years ago
|
Attachment #137061 -
Flags: superreview?(bryner) → superreview+
Updated•21 years ago
|
Attachment #137061 -
Flags: approval1.6?
Comment 29•21 years ago
|
||
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment a=tor for 1.6 checkin.
Attachment #137061 -
Flags: approval1.6? → approval1.6+
Comment 30•21 years ago
|
||
Fix got landed. Thank you all.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•16 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•