Bug 88486: Some pages cause crash in font code [@nsFontGTKNormal::GetWidth]
Status: VERIFIED FIXED (Closed)
Opened 24 years ago, closed 24 years ago
Categories: Core :: Internationalization, defect
Target Milestone: mozilla0.9.3
People: Reporter: matt, Assigned: ftang
Keywords: crash
Attachments: 2 files (17.86 KB, text/plain; 905 bytes, patch)
Build 20010629, Linux 2.4.5-ac17 i686, RedHat 6.1, XFree86 4.1.0
This bug seems to have popped up between the build from the 27th and the
build from the 29th. Certain pages cause a crash at nsFontMetricsGTK.cpp:2005.
The cause of the crash is a SIGSEGV. The offending line is:
ENCODER_BUFFER_ALLOC_IF_NEEDED(p, mCharSetInfo->mConverter,
aString, aLength, buf, sizeof(buf), bufLen);
The object instance causing the crash looks like:
(gdb) p *this
$9 = {<nsFontGTK> = {mMap = 0x89c5358, mCharSetInfo = 0x416291c0,
mName = 0x42092fc0
"-adobe-helvetica-medium-r-normal--12-120-75-75-p-67-iso10646-1",
mUserDefinedFont = 0x0, mSize = 12, mBaselineAdjust = 0,
mFont = 0x898b498, mAlreadyCalledLoadFont = 1,
_vptr. = 0x4162a660}, <No data fields>}
All the addresses seem readable, except that mCharSetInfo->mConverter is
NULL. mCharSetInfo looks like:
(gdb) p *mCharSetInfo
$11 = {mCharSet = 0x0,
Convert = 0x4160abc8 <ISO10646Convert(nsFontCharSetInfo *, XFontStruct *,
unsigned short const *, int, char *, int)>, mSpecialUnderline = 1 '\001',
mMap = 0x0, mConverter = 0x0, mLangGroup = 0x0, mInitedSizeInfo = 1,
mOutlineScaleMin = 6, mBitmapScaleMin = 12, mBitmapOversize = 1.2,
mBitmapUndersize = 0.80000000000000004}
The fonts that I'm using are:
urw-fonts-2.0-3mdk
chkfontpath-1.4.1-1
ghostscript-fonts-6.0-2
XFree86-75dpi-fonts-4.1.0-1mdk
mozilla-fonts-20000310-8mdk
XFree86-100dpi-fonts-4.1.0-4mdk
freefont-0.10
This looks very similar to bug 86436, but I think it is different,
because I was unable to duplicate that bug with either a build from the 27th
or from the 29th. Also, that bug was filed 11 days ago, and this bug showed
up in the past 2 days.
This bug might be related to bug 88444, as there were a bunch of these
assertions before the crash (and that bug showed up in around the same
time frame as this bug):
###!!! ASSERTION: unexpected number of nodes: '(nodes.Count() == 1)', file
nsFontMetricsGTK.cpp, line 3421
###!!! Break: at file nsFontMetricsGTK.cpp, line 3421
Comment 1•24 years ago (Reporter)
Comment 2•24 years ago
looks like layout to me.
Assignee: trudelle → karnaze
Component: XP Toolkit/Widgets → Layout
QA Contact: aegis → petersen
->Internationalization (font code)
Assignee: karnaze → nhotta
Component: Layout → Internationalization
QA Contact: petersen → andreasb
Updated•24 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.3
Comment 5•24 years ago (Reporter)
I've done some more digging, and the problem with the page that I've
referred to seems to be caused by this tag:
<font face="arial,helvetica" size="-1">
More specifically, the very last <font> tag in the page; the rest
don't seem to cause any problem. It might have the same root problem
as for the bug with the utf-8 encoded page, since the crash happens in
a macro from intl/uconv/public/nsIUnicodeEncoder.h, but the ZDNet page
is not UTF-8, nor does it even have anything to change its charset
from the default one.
As far as I can tell, the crash happens because the macro
ENCODER_BUFFER_ALLOC_IF_NEEDED assumes that the encoder argument (the
second argument) will be non-NULL. However, the code that sets up the
nsFontCharSetInfo struct assumes that the mConverter member of the
struct (which is of type nsIUnicodeEncoder*) might be NULL:
static void
SetUpFontCharSetInfo(nsFontCharSetInfo* aSelf)
{
  .
  .
  .
  nsIUnicodeEncoder* converter = nsnull;
  res = gCharSetManager->GetUnicodeEncoder(charset, &converter);
  if (NS_SUCCEEDED(res)) {
    aSelf->mConverter = converter;
Also, some of the static functions in nsFontMetricsGTK.cpp assume that
mConverter might be NULL, like DoubleByteConvert() and
SingleByteConvert(). I stuck a different version of
ENCODER_BUFFER_ALLOC_IF_NEEDED into the file nsFontMetricsGTK.cpp,
that checks to see if the encoder argument is NULL, and the example
ZDNet then renders fine without any crashes:
#undef ENCODER_BUFFER_ALLOC_IF_NEEDED
#define ENCODER_BUFFER_ALLOC_IF_NEEDED(p,e,s,l,sb,sbl,al) \
  PR_BEGIN_MACRO \
    if ((e) \
        && NS_SUCCEEDED((e)->GetMaxLength((s), (l), &(al))) \
        && ((al) > (PRInt32)(sbl)) \
        && (nsnull!=((p)=(char*)nsMemory::Alloc((al)+1))) \
        ) { \
    } \
    else { \
      (p) = (char*)(sb); \
      (al) = (sbl); \
    } \
  PR_END_MACRO
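The same guard written as functions rather than a macro, as an added example that is not part of the original bug report or the Mozilla source. `Encoder`, `AllocIfNeeded`, `FreeIfNeeded` and `UsesStack` are hypothetical stand-ins; the point shown is that a null converter selects the caller's stack buffer instead of being dereferenced, and that the release path frees only heap memory.

```cpp
#include <cstdio>
#include <cstdlib>
// Hypothetical stand-in for nsIUnicodeEncoder: reports the worst-case
// output size for a given input length.
struct Encoder {
    int bytesPerChar;
    bool GetMaxLength(const unsigned short* /*src*/, int srcLen, int* out) const {
        *out = srcLen * bytesPerChar;
        return true;
    }
};

// Function form of the hardened macro: take the heap path only when a
// converter exists AND needs more room than the caller's stack buffer.
// A null converter falls through to the stack buffer, never dereferenced.
static char* AllocIfNeeded(const Encoder* enc, const unsigned short* src,
                           int srcLen, char* stackBuf, int stackLen,
                           int* outLen) {
    int need = 0;
    if (enc && enc->GetMaxLength(src, srcLen, &need) && need > stackLen) {
        char* p = static_cast<char*>(std::malloc(need + 1));
        if (p) { *outLen = need; return p; }
    }
    *outLen = stackLen;   // null converter, small input, or failed alloc
    return stackBuf;
}

// Counterpart release: free only when the heap path was taken.
static void FreeIfNeeded(char* p, char* stackBuf) { if (p != stackBuf) std::free(p); }

// Returns true when the stack buffer was selected for srcLen characters.
static bool UsesStack(const Encoder* enc, int srcLen) {
    unsigned short text[64] = {0};   // constructed sample input
    char buf[32];
    int len = 0;
    char* p = AllocIfNeeded(enc, text, srcLen, buf,
                            static_cast<int>(sizeof(buf)), &len);
    bool onStack = (p == buf);
    FreeIfNeeded(p, buf);
    return onStack;
}

int main() {
    Encoder twoByte{2};
    std::printf("null converter -> stack: %d\n", UsesStack(nullptr, 40));
    std::printf("short string   -> stack: %d\n", UsesStack(&twoByte, 8));
    std::printf("long string    -> stack: %d\n", UsesStack(&twoByte, 40));
    return 0;
}
```

The fallback only makes the buffer selection safe: any later conversion call still has to check the converter for null itself, as the report notes DoubleByteConvert() and SingleByteConvert() already do.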
Updated•24 years ago
QA Contact: andreasb → ylong
Comment 7•24 years ago
Comment 8•24 years ago
r=pavlov
Comment 10•24 years ago
Yay, this might fix xlib bug 88695...
Comment 11•24 years ago
Macro hell!
sr=blizzard
Comment 12•24 years ago
CC:'ing mkaply@us.ibm.com for checkin to get this in _quick_ ... :-)
Comment 13•24 years ago
Fix checked in
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 14•24 years ago
thanks to everyone for getting this in!
It was so weird / cool: I got up in the morning and I knew I had to get this one
in and I could not find it in my list of open bugs!
Comment 15•24 years ago (Assignee)
reopen so we won't forget to land it into m92 branch.
Comment 16•24 years ago (Assignee)
reassign to ftang for m92 branch landing
Assignee: bstell → ftang
Status: REOPENED → NEW
Comment 17•24 years ago
*** Bug 88473 has been marked as a duplicate of this bug. ***
Comment 18•24 years ago
*** Bug 88546 has been marked as a duplicate of this bug. ***
Comment 19•24 years ago
*** Bug 88548 has been marked as a duplicate of this bug. ***
Comment 20•24 years ago
*** Bug 88823 has been marked as a duplicate of this bug. ***
Comment 21•24 years ago (Assignee)
The change adds additional null checking, which should be safe. Add vtrunk+ to
the status whiteboard.
Whiteboard: vtrunk+
Updated•24 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 22•24 years ago
*** Bug 88750 has been marked as a duplicate of this bug. ***
Updated•24 years ago (Assignee)
Whiteboard: vtrunk+ → nsbranch+
Comment 23•24 years ago (Assignee)
*** Bug 89201 has been marked as a duplicate of this bug. ***
Comment 24•24 years ago (Assignee)
pdt+ per pdt meeting. Land it today
Whiteboard: nsbranch+ → nsbranch+,pdt+
Comment 25•24 years ago (Assignee)
Sorry, this does not make sense to nsbranch at all. The crashing code is only in
the trunk but not in the branch. remove nsBranch, vtrunk, nsbranch+ and pdt+ and
mark it fixed.
Comment 26•24 years ago
are you sure? what about bug 89358
Summary: Some pages cause crash in font code → Some pages cause crash in font code [@nsFontGTKNormal::GetWidth]
Comment 27•24 years ago
*** Bug 89358 has been marked as a duplicate of this bug. ***
Comment 28•24 years ago
this code is not on the branch
Comment 29•24 years ago
Adding mostfreq for completeness/correctness (whatever) at 10 dups.
Keywords: mostfreq
Comment 30•24 years ago
Verified it doesn't crash on 08-22 trunk build.
However, if clicking the URL of bug 89358 still crashes, I'll re-open that one.
Status: RESOLVED → VERIFIED
Updated•14 years ago
Crash Signature: [@nsFontGTKNormal::GetWidth]