Closed
Bug 595423
Opened 14 years ago
Closed 12 years ago
"Assertion failed: (_cairo_status_is_error (status))"
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: jruderman, Assigned: jtd)
References
Details
(Keywords: assertion, testcase, Whiteboard: [sg:nse][keep private while bug 624198 is private])
Attachments
(3 files)
In a debug build: Assertion failed: (_cairo_status_is_error (status)), function _cairo_error, file gfx/cairo/cairo/src/cairo.c, line 93.

In an opt build: Usually nothing happens, but sometimes it crashes in a scary way.
Reporter | ||
Comment 1•14 years ago
Reporter | ||
Comment 3•14 years ago
I still see this on trunk (using Mac OS X 10.5).
Reporter | ||
Updated•14 years ago
blocking2.0: --- → ?
Updated•14 years ago
blocking2.0: ? → final+
Comment 4•14 years ago
So it looks like the status that goes into _cairo_status_is_error (status) is invalid. Valgrind with track-origins should be able to help here.
Reporter | ||
Comment 5•14 years ago
I don't get anything from Valgrind on this testcase (other than the stuff I always get while starting Firefox, such as bug 602733).
Comment 6•14 years ago
It looks like the following happens when this fails:

```
] <Error>: GCGetGlyphIdealMetrics failed: error 1.
```

We are calling with glyph index of 588
Comment 7•14 years ago
```c
#include <ApplicationServices/ApplicationServices.h>
#include <dlfcn.h>
#include <stdbool.h>
#include <stdio.h>

int main() {
    CGFontRef font = CGFontCreateWithFontName(CFSTR("Comic Sans MS"));
    printf("%p\n", (void *)font);  /* print the font handle */
    CGGlyph glyph = 588;           /* glyph index from comment 6 */
    int advance;
    /* Ask CoreGraphics for the advance of that single glyph. */
    bool ret = CGFontGetGlyphAdvances(font, &glyph, 1, &advance);
    printf("ret:%d\n", ret);
    return 0;
}
```

This program shows the same problem. So it looks like we shouldn't be asking for glyph 588. I'll assign this over to John to figure out why we're asking for glyph 588.
Assignee: jmuizelaar → jdaggett
OS: Mac OS X → Windows 7
Comment 8•14 years ago
jdaggett, any updates here?
Comment 9•14 years ago
jdaggett, ping?
Assignee | ||
Comment 10•14 years ago
Can't reproduce this on either Win7 or 10.6 but can on 10.5:

```
++DOMWINDOW == 16 (0x2671b5f4) [serial = 18] [outer = 0x22de4690]
Wed Dec 1 17:20:11 itspmpro1.orrice.mozilla.or.jp firefox-bin[18516] <Error>: GCGetGlyphIdealMetrics failed: error 1.
###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!: 'Error', file /builds/mozcentral/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 779
###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!: 'Error', file /builds/mozcentral/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 779
###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!: 'Error', file /builds/mozcentral/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 779
###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!: 'Error', file /builds/mozcentral/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 779
Wed Dec 1 17:20:11 itspmpro1.orrice.mozilla.or.jp firefox-bin[18516] <Error>: GCGetGlyphIdealMetrics failed: error 1.
Assertion failed: (_cairo_status_is_error (status)), function _cairo_error, file /builds/mozcentral/gfx/cairo/cairo/src/cairo.c, line 93.
```

This calls through to abort.

Jesse, what are the "crashes in a scary way" in the description?
Assignee | ||
Comment 11•14 years ago
Note: tests run with latest security update (2010-007, 22-nov-2010).

ProductName: Mac OS X
ProductVersion: 10.5.8
BuildVersion: 9L30
Reporter | ||
Updated•14 years ago
OS: Windows 7 → Mac OS X
Reporter | ||
Comment 12•14 years ago
I can't reproduce the opt crash easily, sorry.
Comment 13•14 years ago
Does this still look like a sg:critical bug?
blocking2.0: final+ → ---
Whiteboard: [sg:critical?] → [sg:needinfo]
Reporter | ||
Comment 14•14 years ago
I get the scary opt crash reliably now (rev c83c130ce23f, loading the testcase from the command line). The stack is totally corrupt, according to both the Mac crash reporter and gdb.
Whiteboard: [sg:needinfo] → [sg:critical]
Comment 15•14 years ago
It's CAIRO_INT_STATUS_UNSUPPORTED that triggers the assert. It comes from 'CGFontGetGlyphAdvancesPtr' returning false here: http://hg.mozilla.org/mozilla-central/annotate/4a3866321a14/gfx/cairo/cairo/src/cairo-quartz-font.c#l622

In an Opt build I suspect this propagates up to 'cairo_gstate_show_text_glyphs' and hits the crash in bug 624198.

Regarding the 588 glyph index, it comes from the CMAP for code point #x0301. But "CGFontGetNumberOfGlyphs(font)" returns 587 so 588 seems like an invalid index? Maybe the data in the CMAP is wrong or we misinterpret it somehow?

Anyway, I think the crash fix in bug 624198 will fix the scary part of this bug. Jesse, could you try that fix in your Opt build and see if it fixes the crash you're seeing?
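Added example, not part of the bug thread and not cairo or Gecko code: a self-contained C model of the failure comment 15 describes, where the cmap yields glyph 588 for a font that reports 587 glyphs and the resulting internal status is not one the asserted error predicate accepts. The toy font, the status enum and the fallback to glyph 0 are assumptions made for this illustration; only 587, 588 and U+0301 come from the thread.

```c
/* Added example: simplified model, not cairo/Gecko code; names and values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_OK = 0, ST_INVALID_GLYPH = 1, ST_LAST_PUBLIC = 1,
               ST_INT_UNSUPPORTED = 100 /* internal-only code */ } toy_status;
/* Model of the asserted predicate: only public, non-success codes are errors. */
static bool status_is_error(toy_status s) { return s != ST_OK && s <= ST_LAST_PUBLIC; }

typedef struct { uint32_t codepoint; uint16_t glyph; } cmap_entry;
typedef struct { size_t num_glyphs; const cmap_entry *cmap; size_t cmap_len;
                 const int *advances; } toy_font;
static const cmap_entry toy_cmap[] = { { 0x0041, 36 }, { 0x0301, 588 } };
static const int toy_advances[587] = { [0] = 500, [36] = 731 };
static const toy_font TOY_FONT = { 587, toy_cmap, 2, toy_advances };

static uint16_t cmap_lookup(const toy_font *f, uint32_t cp) {
    for (size_t i = 0; i < f->cmap_len; i++)
        if (f->cmap[i].codepoint == cp) return f->cmap[i].glyph;
    return 0; /* unmapped code point: glyph 0 (.notdef) */
}

/* Stand-in for the platform metrics call: fails for an out-of-range glyph. */
static bool platform_get_advance(const toy_font *f, uint16_t g, int *adv) {
    if (g >= f->num_glyphs) return false;
    *adv = f->advances[g];
    return true;
}

/* Trusts the cmap and hands an internal-only status back to the caller. */
static toy_status advance_unchecked(const toy_font *f, uint32_t cp, int *adv) {
    return platform_get_advance(f, cmap_lookup(f, cp), adv) ? ST_OK : ST_INT_UNSUPPORTED;
}

/* Checks the index against the glyph count first and only reports public codes. */
static toy_status advance_checked(const toy_font *f, uint32_t cp, uint16_t *g, int *adv) {
    *g = cmap_lookup(f, cp);
    if (*g >= f->num_glyphs) *g = 0; /* assumption: substitute .notdef */
    return platform_get_advance(f, *g, adv) ? ST_OK : ST_INVALID_GLYPH;
}

int main(void) {
    int adv = -1; uint16_t g = 0;
    toy_status u = advance_unchecked(&TOY_FONT, 0x0301, &adv);
    toy_status c = advance_checked(&TOY_FONT, 0x0301, &g, &adv);
    printf("unchecked: status=%d is_error=%d\nchecked: status=%d glyph=%u advance=%d\n", (int)u, status_is_error(u), (int)c, (unsigned)g, adv);
    return 0;
}
```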
Reporter | ||
Comment 16•14 years ago
Now I can't reproduce the opt crash (unpatched mozilla-central).
Updated•14 years ago
blocking2.0: --- → -
Reporter | ||
Comment 17•14 years ago
The opt crash is gone, so downgrading to [sg:nse]. But leaving security-sensitive because I guess this testcase reveals bug 624198. I still get the fatal assertion (in this bug's summary) in debug builds.
Whiteboard: [sg:critical] → [sg:nse][keep private while bug 624198 is private]
Comment 18•12 years ago
Jesse, can you still reproduce this? (it WFM in a debug build on OSX)
Reporter | ||
Comment 19•12 years ago
WFM with Firefox trunk on Mac OS X 10.7.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release