Closed Bug 226623 Opened 21 years ago Closed 21 years ago

XFT crashes on PLHashRawAdd

Categories

(Core Graveyard :: GFX: Gtk, defect)

Product:
Core Graveyard
Component:
GFX: Gtk
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: charles.fenwick, Assigned: bryner)

References

Details

(Keywords: crash, regression)

Attachments

(7 files, 2 obsolete files)

backtrace of crash
11.14 KB, text/plain
Details
possible fix
901 bytes, patch
Details | Diff | Splinter Review
patch to add some hashtable logging
921 bytes, patch
Details | Diff | Splinter Review
hashtable log
45.55 KB, text/plain
Details
condensed hashtable log
1.78 KB, text/plain
Details
anohter hash log
2.17 KB, text/plain
Details
an updated patch per bsmedberg's comment
12.13 KB, patch
benjamin
: review+
bryner
: superreview+
tor
: approval1.6+
Details | Diff | Splinter Review
After updating tonight (after being away from Linux for a few days,) my GTK2+XFT build now crashes at various sites. Haven't found a 100% way to reproduce the crash, but the sequence of logging into Yahoo Mail, going to the Inbox, and clicking on a message can trigger the crash (sometimes).
Attached file backtrace of crash
backtrace
Well, I did cvs update -j1.35 -j1.34 gfx/src/gtk/nsFontMetricsXft.cpp and still got the crash. But, after doing cvs update -j1.34 -j1.33 gfx/src/gtk/nsFontMetricsXft.cpp cvs update -j1.10 -j1.9 gfx/src/gtk/nsFontMetricsXft.h it *seems* that the crash no longer occurs (and the lizard runs happier in general). It looks like this is a regression from bug 223813.
Assignee: blizzard → bryner
Keywords: regression
Does this happen on a particular URL?
Sorrry, should have read closer. Investigating.
What version of fontconfig and Xft do you have on your system?
Attached patch possible fixSplinter Review
This is my best guess at a fix from looking at the stack. It ensures that if we loaded a best-match font, and then later load all fonts, we don't add the best-match font to the hashtable again (which I think is what NSPR is complaining about).
This patch improves the situation significantly. I've done about 45 minutes of testing and it appears that the browser doesn't crash during routine browsing. However, I can still make it crash if I try hard enough. Opening a few different websites in tabs simultaneously can do the trick as can going to my spam folder on Yahoo Mail and going through spam mails in rapid sequence. I don't consider either case to be routine browsing (for me anyhow).
If you could apply this patch and attach the log output (if it's not too large) that would really be helpful. Just redirect stdout to a file, i.e. ./mozilla > xft.log
Attached file hashtable log
by request...
Something is certainly amuck given how many times we add Arial to the hashtable (in theory we should have already checked to see if it was there).
I'm not able to reproduce any behavior like that with a reduced testcase using PLHashTable. I add Times New Roman, Verdana, and Arial, and it subsequently finds Arial on a lookup. What compiler version and configure options are you using? I guess another possibility is heap corruption causing the hashtable to become confused...
about:buildconfig Build platform target i686-pc-linux-gnu Build tools Compiler Version Compiler flags gcc gcc version 3.3.1 (SuSE Linux) -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe c++ gcc version 3.3.1 (SuSE Linux) -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include Configure arguments --enable-default-toolkit=gtk2 --enable-crypto --enable-xft
*** Bug 226969 has been marked as a duplicate of this bug. ***
I just experienced a crash. My build was compiled with g++ 3.2.2 (20030222) on Redhat 9.0 (with gtk1 instead of gtk2) It happended only a few seconds into my session, but I didn't apply attachment 136353 [details] [diff] [review], yet. I'll try to gather more information.
Attached file anohter hash log
I applied attachment 136342 [details] [diff] [review] and 136353 and got the following hash log. It didn't take me long to get Mozilla to crash. It crashed just a couple of minutes into the session.
It also happens on Gtk1 + Xft. So, it's not gtk2 specific. I'm changing the summary line.
Summary: GTK2+XFT crashes → XFT crashes on PLHashRawAdd
First a insigth ;-) *I* find the plhash.c unsecure at best. There are no (or no way) to ASSERT( ) incoming data in any of the functions. So If we are feeding those functions with garbage we are sure to 1) to never detect where it happens, 2) Damage the heap (as all but the const functions actually does write). Secondly a question about nsFontMetricsXft.cpp, on line 2998 you happily assume that PL_Hash...( ) never returns null (or garbage). But on line 3031 you check for null. So which is it, can PL_HashTableLookup...( ) return null or not?
Attached patch patch with nsClassHashTable (obsolete) — Splinter Review
When I fixed bug 176290, I wanted to use nsClassHashTable (then, brand-new), but somehow I couldn't manage to compile it so that I fell back to PLHash. I just tried once more and this time it worked and seems to have fixed this bug. With or without attachment 136342 [details] [diff] [review], Mozilla doesn't crash while without any patch (or attachment 136342 [details] [diff] [review] alone), it crashes only after a couple of site visits.
Comment on attachment 136946 [details] [diff] [review] patch with nsClassHashTable asking for r/sr.
Attachment #136946 - Flags: superreview?(blizzard)
Attachment #136946 - Flags: review?(bryner)
Comment on attachment 136946 [details] [diff] [review] patch with nsClassHashTable >+typedef nsClassHashtable<nsDepCharHashKey, nsFontXftInfo> nsFontXftInfoHash; I'm not convinced that it's safe to use nsDepCharHashKey here. By doing so, you assert that the string lifetime is at least as long as the hashtable entry's. The string is owned by the pattern. In DoMatch(), we release our reference to the font set (and therefore the patterns in it) after calling GetFontXftInfo(). I think it's possible that this will cause the keys to point to freed storage. So we probably need to copy the strings. I don't think there's a template hashtable key type that manages freeing a raw char* for you. I'd say your options are to either use nsCStrings in your hash table (and take the extra bloat that would come from doing so), or switch to using PLDHashTable directly, which would allow you to use raw char* pointers and free them when the entry goes away. I guess another option would be to add a new key type in nsHashKeys.h which frees its string in the dtor. Now I'm wondering if this is the actual cause of the problem with PLHashTable as well...
bryner, thanks for bringing that up. I'm too preoccupied with the fact that I should not free it to realize that it could be freed behind our back. Using CStringKey would be easiest (I've already made a patch and tested it) but it doesn't come free as you wrote. After removing PLHash-related lines, I'm a bit reluctant to go back to PLDHash (which I guess needs similar auxiliary functions, etc). I can try adding a new keytype to nsHashKeys.h. Anyway, which way do you prefer?
PLDHashTable already contains stub structs and functions that I think do everything we need here. Something like this: class nsFontXftInfo : public PLHashEntryStub { ... }; static const PLDHashTableOps fontHashOps = { PL_DHashAllocTable, PL_DHashFreeTable, PL_DHashGetKeyStub, PL_DHashStringKey, PL_DHashMatchStringKey, PL_DHashMoveEntryStub, PL_DHashFreeStringKey, PL_DHashFinalizeStub, NULL }; Then where you want to add an entry, just do: entry->key = strdup(family); after determining that the entry was not already in the table. I think I'd prefer doing it this way because we don't really gain anything from using nsCString here. Using a new key class in nsHashKeys.h should work exactly the same though, so if you like the C++ interface I'm fine with doing it that way.
bryner, thanks for help. I added a new KeyType to nsHashKey.h Can you take a look? When calling 'Get', I have to cast away 'const' because I use 'char *' as a key in a new hashkey type. An alternative is to use 'const char *' as a key and cast away const when calling free() in dtor (of a new HashKey class) A third way might be to change the function signature of Get in nsClassHashTable to nsClassHashtable<KeyClass,T>::Get(const KeyType aKey, T** retVal) const from nsClassHashtable<KeyClass,T>::Get(KeyType aKey, T** retVal) const But, I'm not sure that's allowed. What's the effect of 'double const' modifiers (like const const sometype)?
Attachment #136946 - Attachment is obsolete: true
Attachment #136946 - Flags: superreview?(blizzard)
Attachment #136946 - Flags: review?(bryner)
bsmedberg should review the hashtable changes
Comment on attachment 136968 [details] [diff] [review] a new patch with a new nsHashKey type This needs a little cleanup. >+ if (!gFontXftMaps.IsInitialized()) >+ gFontXftMaps.Init(INITIAL_FONT_MAP_SIZE); >+ if (!gFontXftMaps.IsInitialized()) { // error checking > FreeGlobals(); > return NS_ERROR_OUT_OF_MEMORY; > } This is cleaner thus: if (!gFontXftMaps.IsInitialized() || gFontXftMaps.Init(INITIAL_FONT_MAP_SIZE)) { // etc >+ // cached entry found. >+ if (gFontXftMaps.Get(NS_CONST_CAST(char *, family), &info)) See below, you should make the KeyType a const char* and avoid the cast here. >+ gFontXftMaps.Put(nsCRT::strdup(family), info); The "transfer ownership on construction" model is not good. Let's just construct the class with a const char* and do a strdup in the constructor? >+class NS_COM nsCharPtrHashKey : public PLDHashEntryHdr >+{ >+public: >+ typedef char* KeyType; Use const char*? You don't ever manipulate the string. >+ typedef const char* KeyTypePointer; >+ >+ nsCharPtrHashKey(const char* aKey) : mKey(NS_CONST_CAST(char *, aKey)) { } >+ nsCharPtrHashKey(const nsCharPtrHashKey& toCopy) : >+ mKey(nsCRT::strdup(toCopy.mKey)) { } nsCRT::strdup is deprecated, use plain strdup >+ ~nsCharPtrHashKey() { CRTFREEIF(mKey); } and use if (mKey) free(mKey) here. >+ >+ const char* GetKey() const { return mKey; } >+ const char* GetKeyPointer() const { return mKey; } >+ PRBool KeyEquals(KeyTypePointer aKey) const >+ { >+ return !strcmp(mKey, aKey); >+ } >+ >+ static KeyTypePointer KeyToPointer(KeyType aKey) { return aKey; } >+ static PLDHashNumber HashKey(KeyTypePointer aKey) { return nsCRT::HashCode(aKey); } >+ >+ enum { ALLOW_MEMMOVE = PR_TRUE }; >+ >+private: >+ char* mKey; const char* here also (you can delete a const *) >+}; >+ > #endif // nsTHashKeys_h__
Attachment #136968 - Flags: review-
I switched KeyType to const char *. I still have to cast away const when calling free() in dtor because the buffer is allocated by strdup so that I can't use |delete|.
Attachment #136968 - Attachment is obsolete: true
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment Oh yeah, free() doesn't take const pointers like delete does... grr. r=me
Attachment #137061 - Flags: review+
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment thanks for r. asking for sr.
Attachment #137061 - Flags: superreview?(bryner)
Attachment #137061 - Flags: superreview?(bryner) → superreview+
Attachment #137061 - Flags: approval1.6?
Comment on attachment 137061 [details] [diff] [review] an updated patch per bsmedberg's comment a=tor for 1.6 checkin.
Attachment #137061 - Flags: approval1.6? → approval1.6+
Fix got landed. Thank you all.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: