Closed Bug 213390 Opened 21 years ago Closed 21 years ago

Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth][@ nsRenderingContextWin::GetTextDimensions][@ 0x00616e61 ]

Categories

(Core Graveyard :: GFX: Win32, defect, P1)

x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED FIXED
mozilla1.5beta

People

(Reporter: goi, Assigned: rbs)

Details

(4 keywords)

Attachments

(6 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030721 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030721 Mozilla Firebird/0.6

When loading some websites on Mozilla/Mozilla Firebird 0718 onwards, I get
semi-reproducible crashes. It doesn't crash 100% of the time, but most of the
time it does.

Reproducible: Sometimes

Steps to Reproduce:
1. Load the above website
Actual Results:  
The program crashes with the standard "mozilla.exe has generated errors and will
be closed by Windows. You will need to restart the program. An error log has
been created." message.

Expected Results:  
Load the page as per normal.
I could reproduce it only once
-> Layout
Assignee: general → other
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: crash
QA Contact: general → ian
Summary: Random crashes when loading some websites since 0718 build → Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth]
Component: Layout → GFX: Win32
Caused by bug 212723?

There are two stack traces that started showing up at the same time:

Incident ID 22095369
Stack Signature 	nsRenderingContextWin::GetTextDimensions 68cf5f95
Email Address 	
Product ID 	MozillaTrunk
Build ID 	2003072104
Trigger Time 	2003-07-22 02:31:53
Platform 	Win32
Operating System 	Windows NT 5.1 build 2600
Module 	gkgfxwin.dll
URL visited 	
User Comments 	
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/gfx/src/windows/nsRenderingContextWin.cpp
Trigger Line No. 	1658
Stack Trace 	
nsRenderingContextWin::GetTextDimensions
[c:/builds/seamonkey/mozilla/gfx/src/windows/nsRenderingContextWin.cpp, line 1658]
nsTextFrame::MeasureText
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsTextFrame.cpp, line 4953]
nsTextFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsTextFrame.cpp, line 5439]
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1028]
nsBlockFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3747] 



Incident ID 22084050
Stack Signature 	nsRenderingContextWin::GetWidth d2987b4f
Email Address 	
Product ID 	MozillaTrunk
Build ID 	2003072104
Trigger Time 	2003-07-21 16:11:12
Platform 	Win32
Operating System 	Windows NT 5.0 build 2195
Module 	gkgfxwin.dll
URL visited 	
User Comments 	
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/gfx/src/windows/nsRenderingContextWin.cpp
Trigger Line No. 	1519
Stack Trace 	
nsRenderingContextWin::GetWidth
[c:/builds/seamonkey/mozilla/gfx/src/windows/nsRenderingContextWin.cpp, line 1519]
nsRenderingContextWin::GetTextDimensions
[c:/builds/seamonkey/mozilla/gfx/src/windows/nsRenderingContextWin.cpp, line 2155]
nsTextFrame::MeasureText
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsTextFrame.cpp, line 4887]
nsTextFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsTextFrame.cpp, line 5439] 
Assignee: other → kmcclusk
Summary: Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth] → Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth][@ nsRenderingContextWin::GetTextDimensions]
Looking at one of the two talkback reports above in more detail, in ID 22084050,
it looks like mCurrFontWin is garbage (in particular, the pointer is non-null,
but the vtable pointer in the object is null).  In a report similar to the first
(in most of them the disassembly didn't make sense, but in one it did), it looks
like the vtable pointer in the object is garbage.
Sites that crash Firebird include:

www.citybus.com.hk
www.starhub.com.sg
www.mlb.com
*** Bug 213453 has been marked as a duplicate of this bug. ***
> Caused by bug 212723?

Seems so. Which would then mean that it exposed a weirdness (e.g., a dead object
being used -- per comment 4). All calls of GetTextDimensions/GetWidth are
preceded by a SetupFontAndColors() which should have ensured that things are in
sync.
Re: comment 5

Is anyone seeing this bug with SeaMonkey? I am using SeaMonkey but it hasn't yet
crashed on me due to this bug.
Re: comment 8

See the dup'ed bug in comment 6.  mlb.com has been seen to crash in Seamonkey.
Still no crash for me (Win2K). I could fix the bug If I can reproduce.

Not being able to reproduce makes things hard. It would help if somebody
summarizes the steps that they do to get the crash.
There is dump information in Comment #3
(http://bugzilla.mozilla.org/show_bug.cgi?id=213390#c3).

Also, just judging from the area of the code where this occurs, it could also be
screen resolution and/or video driver dependent.  I run in 1280x1024 mode at
work and at home, and run Win2K at work and WinXP SP1 at home, and it happens
consistently for me, every time, on the mlb.com site.
www.starhub.net.sg crashes for me almost 100% of the time with this bug. I just
need to load the website, and before it completes rendering, the error popup
dialog will appear. I don't know if this makes a difference, but I'm using the
Phoenity Neo theme, and I have the following extensions installed
TBE V1.8.2003070201
Text Links
AiO Gestures 0.8.0
User Agent Switcher 0.23

These are probably not important since people have reported that the bug appears
on a new profile, and I have reproduced the bug on Mozilla on my same
system (diff profile obviously) as well as Firebird on another system (also on
Win2K SP4). On all 3 installations, the crash is immediate, and happens almost
100% of the time.
Changed my resolution to 1280x1024, installed Flash, but still no crash I am afraid.
It has nothing to do with Flash - it has crashed my Mozilla Firebird every time
I've tried www.redsox.com so far - and I don't have Flash installed.
WFM so far. Any clue as to what is common between those of you see the bug?!?
Attached file another Stack Trace
I get this crash every 2 minutes today on the www.heise.de Forum

Using : win2k, 1024x768, flash6 R60

Steps to reproduce :
load www.heise.de (sorry, German), click on a News message (use an older message
where people already added comments), click on the big "Kommentare:" link,
click on a message with a few replies (message with a "+") and click on the link
">>" next to "Beitrag".
This very frequently causes a crash on my system...

rbs: Can I help with my debug build ? (note: I don't know c++, c or anything
else :-) )
Sure, your debug build might help...

nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x00000000, ...)
[line 94 -- @see view-source on the attachment goto line (Ctrl+L) 94]

seems that the stack trace is out of sync. (Otherwise the crash would have
happened here due to the fact that the nsIBox pointer is null.) Also, the
various null |ns[]Frame * const 0x00000000| and |nsRenderingContextWin * const
0x00000000| mean that something weird is going on.

Do you see any assertion before heading to the crash?
*** Bug 213906 has been marked as a duplicate of this bug. ***
Keywords: regression
This is probably beating a dead horse, but I'll say it anyway.  You will NOT see
this bug if you use a 1.5a build.  This occurs only on trunk builds using the
1.5b Gecko codebase.

(Yeah, I'm a belt AND suspenders kinda guy).
Crashes every time on http://www.torontobluejays.com.

Talkback incident #TB22240225X with latest 2003072704 nightly build.
Also occurs when opening Address Book.

Talkback incident id # TB22246383Y
matti, with your debug build, do you crash where others have reported their
crash, e.g.,
 http://www.torontobluejays.com
 http://www.starhub.net.sg
 http://www.redsox.com

(I crash nowhere with my debug build, not even with the steps in comment 16.)
The latest build (2003072813) still crashes on http://www.torontobluejays.com. 
This is reproducible every single time.

BTW - At least it doesn't crash on startup like this morning's build...
Here's the error:

Unhandled exception in mozilla.exe (GKGFXWIN.DLL): 0xC0000005: Access Violation.
Re: comment 23
I get a crash with my build of today, but that seems unrelated to this (font)
crash. The crash instead comes from recent JS changes (bug 208030). Below is a
stack trace of what I get.

_free_dbg_lk(void * 0x02e4ef50, int 1) line 1066 + 60 bytes
_free_dbg(void * 0x02e4ef50, int 1) line 1001 + 13 bytes
free(void * 0x02e4ef50) line 956 + 11 bytes
JS_free(JSContext * 0x02c24fd8, void * 0x02e4ef50) line 1452 + 10 bytes
js_DestroyScript(JSContext * 0x02c24fd8, JSScript * 0x02e4ef50) line 1109 + 13 bytes
JS_DestroyScript(JSContext * 0x02c24fd8, JSScript * 0x02e4ef50) line 3185 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x02c24fd8, JSObject * 0x03281850,
JSPrincipals * 0x0327ceb8, const unsigned short * 0x037c3928, unsigned int 6613,
const char * 0x0012f650, unsigned int 1, long * 0x0012f538) line 3489 + 13 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03420408, const nsAString &
{...}, void * 0x03281850, nsIPrincipal * 0x0327ceb0, const char * 0x0012f650,
unsigned int 1, const char * 0x010b96ac, nsAString & {...}, int * 0x0012f59c)
line 875 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x0375c4e0, const
nsAFlatString & {...}) line 642
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x0375c4e0) line 555 + 22 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x0372fe7c,
nsIStreamLoader * 0x037ae078, nsISupports * 0x0375c4e0, unsigned int 0, unsigned
int 4294967295, const char * 0x037bf89e) line 898
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x037ae07c, nsIRequest *
0x037a7a58, nsISupports * 0x0375c4e0, unsigned int 0) line 144
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x037a8ed0,
nsIRequest * 0x037a7a58, nsISupports * 0x0375c4e0, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x037a7a60, nsIRequest *
0x037ae7d0, nsISupports * 0x00000000, unsigned int 0) line 3252
nsInputStreamPump::OnStateStop() line 484
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x037ae7d4,
nsIAsyncInputStream * 0x037ae584) line 324 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x037aec3c) line 117
PL_HandleEvent(PLEvent * 0x037aec3c) line 671 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e23e08) line 606 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x04770296, unsigned int 49390, unsigned int 0,
long 14827016) line 1412 + 9 bytes
USER32! 77e3a244()
USER32! 77e145e5()
USER32! 77e1a792()
nsAppShellService::Run(nsAppShellService * const 0x0144b9f0) line 478
main1(int 1, char * * 0x00262698, nsISupports * 0x00dd40b8) line 1290 + 32 bytes
main(int 1, char * * 0x00262698) line 1669 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77ea847c()

---------------------
I still need a way to reproduce the original (font) bug, or some feedback from
people like matti who have a debug build and can reproduce.
Well, I filed a bug for the crash (bug 213906) but matti marked it as a
duplicate of this one.  Can someone undo it?

It indeed looks like a dup. Let's just not confuse with the other fluctuations
that are happening on the trunk.
Another site that crashes: http://www.geocaching.com/

This one has been causing crashes on both trunk and 1.5a.  There's a discussion
concerning it on mozillazine, and I verified it using my 1.5a nightly.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030728 Mozilla
Firebird/0.6.1
False alarm on the geocaching.com bug.  Using a build from the 7/31 codebase
(and creating a new profile), the geocaching.com bug went away, although
http://minnesota.twins.mlb.com continues to crash consistently.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030731 Mozilla
Firebird/0.6.1
The geocaching.com bug should no longer be considered part of this crash. 
Turning off JavaScript causes the geocaching.com crash to go away (yes, it's
still there, but less often).  Going to minnesota.twins.mlb.com consistently
crashes on the 7/31 codebase, with JavaScript on or off.
Another possible website that causes the crash -
http://www.sol.no/underholdning/tvguiden
I got that one to crash, but it wasn't a font crash:
 	gklayout.dll!nsXULElement::SetAttr(nsINodeInfo * aNodeInfo=0x02ceead0, const
nsAString & aValue={...}, int aNotify=1)  Line 2405 + 0x20	C++
crash in nsXULElement::SetAttr is bug 210269
Is a developer looking into this bug?  It's been about 3 weeks that we have had
to live with this major crash bug.
I'm sure they are, but as it isn't an easily reproducible bug (it is, after all,
random, as the bug summary states) it isn't easy to debug. Every time something
like this pops up it's gonna take a while. The last random crash bug (the infamous
Autocomplete Crash bug) took a hell of a lot longer than this bug has so far
existed... have patience. Use 0.6.1 in the meantime as it's not affected.
Okay but I would not call this a random crash bug.  I can reproduce it 100% of
the time on *every* single nightly build since 7/18.  So perhaps, it is my
settings or even my environment (Windows 2000).  

I realize that these bugs can be hard to track down.  If I were the developer, I
would compare the source from 7/17 to 7/18 (or whatever the time period was) to
see what files changed in that specific module.  There are also stack traces and
talkback files to help too.  If there's something I can do to help the
developer, please send me instructions.  I'll see if I can get another stack
trace or something...

>If there's something I can do to help the developer, please send me instructions. 

Can you build a debug build? The stack traces are not proving really helpful in
this situation. If someone with a debug build can reproduce, then we can start
from there. Often, the reason why such a bug might hang around is because the
interested developer (with their debug build) cannot reproduce. I am interested
in fixing this bug, but as I said I cannot reproduce. As the saying goes, it WFM...
By a debug build, do you mean one with debug symbols?  If so, is there a nightly
debug build that can be downloaded?  If not, why should I as a user/tester have
to build it?  i.e.  That should be done automatically by the nightly build process.


> If not, why should I as a user/tester have to build it.

You don't get it yet. The stack trace isn't helpful enough here.
Attached file testcase
Perhaps this can be of assistance :-). Reduced test case from the blue jays
site. Odd, really. It's got an EMBED, a table, and a form. And it seems to
matter that it's all in Arial. Hmmmm...
Keywords: testcase
Hmmm... Crashes when I run it off my desktop, but not off bugzilla.

TB22504148H, if it helps any.
Robert (and others), do you crash on the reduced testcase? This is one of the
few cases where "me too" posts are welcome and encouraged... [I still don't
crash BTW.]
Assignee: kmcclusk → rbs
Bingo Jason... I finally got the crash with the reduced test case...

>	gkgfxwin.dll!nsRenderingContextWin::GetWidth(const char * aString=0x0012b318,
unsigned int aLength=1, int & aWidth=0)  Line 1518 + 0x1d	C++
Of course, it is random, and I haven't reproduced again. If somebody figures out
any steps to maximize the reproducibility, it would be helpful.
Reproducibility from when I was making the test case was about 97% or so. 

Clearing the cache might help. I think I needed to do that on the original page.
Crashes every time with the test case for me.  I cleared my cache too.  I also
have it set to compare the page every time...
For me, attachment works fine when I click through to it from bugzilla. But when
I open it from disk, at first Firebird was misbehaving (the spinning loading
icon stops spinning, nothing's happening). I cleared the cache, and now every
time I open the attachment straight from disk, Firebird is crashing.

I have Visual Studio installed - do I have to get all the source code and build
it locally to give any more help?
*** Bug 215272 has been marked as a duplicate of this bug. ***
(from the just duped bug)

The crash happens for those test URLS when the URL opens a new window, but does
not crash when opening in a new tab.  

For those of you with consistent crash test URLs, does this behavior appear for
you as well?  Also, my browser's default new window size is full screen; don't
know if that's a factor or not.
Another crash URL:
http://go.fark.com/cgi/fark/go.pl?IDLink=610342&location=http://www.rednova.com/rnprogs/indexgen%3fk=0%26u=0

Opening in tab still crashes.

TalkbackID: TB22534294Y
OK, I am able to reproduce more or less frequently by doing:
- disable all cache options of relevance I could find in about:config
- spawn several windows with the testcase
  -> crash eventually happens after flipping back and forth between the windows,
     click reload, click back/forward inside the windows.
Comment 49 is right on for me. The attached test case crashes when you open a
new window, but not a new tab or an existing window.
I just installed the 0810 build and I have a new crashing website to report -
http://www.svc.com or http://www.svcompucycle.com, both of which are the same
website. Do the developers have any idea where the problem lies?
Hrm. WFM.

2003081004 win32 open in tab or new window.
*** Bug 215835 has been marked as a duplicate of this bug. ***
*** Bug 215773 has been marked as a duplicate of this bug. ***
These crashes make up 6 out of 10 topcrashers in current Talkback data (a couple
of valid stack signatures and a few offsets):
Here are the latest user comments and urls from Talkback reports:

From nsRenderingContextWin::GetWidth crashes:
(22640445)	URL: http://www.plumtree.com
     (22637190)	URL: http://www.christianfreebies.com/
     (22637190)	Comments: pressed back after watching an image (no tabs or
anything at the time. happened the two or three times I tested. 
     (22633383)	URL: http://www.geocities.com/nate2k3x/index.html
     (22633383)	Comments: Error comes when accessing this page:  
http://www.geocities.com/nate2k3x/index.html
     (22629595)	URL: http://www.stamp-connection.com
     (22629595)	Comments: THIS IS REPEATABLE.  Click on the "WheresGeorge.com"
stamp link.  
     (22629574)	URL: http://www.stamp-connection.com
     (22629574)	Comments: I clicked on the link for "WheresGeorge.com"
self-inking stamps.
     (22624071)	URL: http://www.shockwave.com/sw/content/popndrop
     (22624067)	URL: http://www.shockwave.com/sw/content/popndrop
     (22624067)	Comments: When clicking "Play game" a new window pops up - as it
should. Something in this window causes Mozilla to crash. (I've had the same
problem with several other windows on shockwave.com).
     (22613707)	URL: http://www.sfgiants.com
     (22597933)	URL: foxnews.com
     (22597933)	Comments: Trying to watch a real audio streaming clip.
     (22556227)	URL: http://summerslam.wwe.com
     (22556227)	Comments: After going to the WWE Summerslam site I clicked on a
link which should've taken me to the Summerslam history website but instead the
browser crashed after the link was clicked on.
     (22536706)	URL: http://www.sgi.com
     (22536507)	URL: http://www.sgi.com
     (22527426)	URL: http://www.ford.com
     (22527400)	URL: http://www.ford.com
     (22464246)	URL: nodedb.com
     (22443308)	URL: www.bajafresh.com
     (22419764)	URL: www.ericflint.net
     (22419764)	Comments: Clicked on the "Enter Here" link.  Display started to
update then an illegal memory access was committed.  I updated to the latest
build from the 31-July build I had been using and the display seemed to go a bit
further before the crash.

From the 0x00616e61 crashes:
(22638943)	URL: http://www.nvidia.com
     (22638943)	Comments: nvidia page crash!
     (22638656)	URL: opening www.gamespot.com
     (22638656)	Comments: crashes all over when visiting some sites
     (22632777)	URL: http://www.caja-ingenieros.es/
     (22631612)	URL: www.rednova.com
     (22631513)	URL: www.rednova.com
     (22631513)	Comments: appears that communicator blocked a popup on
www.rednova.com
     (22631407)	URL: www.rednova.com
     (22631407)	Comments: trying to go to www.rednova.com
     (22621664)	URL: http://www.unitethecows.com
     (22621664)	Comments: trying to get to their web site
     (22611654)	URL: http://www.celebrityrants.com
     (22611654)	Comments: I clicked on a link.
     (22611590)	URL: http://www.celebrityrants.com
     (22611590)	Comments: I clicked on a link for a David Duchovny audio link.
     (22592954)	URL: http://www.fox.com
     (22590566)	URL: http://www.caja-ingenieros.es/
     (22586862)	URL: www.vippertalentos.com.br
     (22586862)	Comments: back the last page
     (22585917)	URL: http://www.fox.com
     (22584792)	URL: www.fox.com
     (22584792)	Comments: Crashes on this page
     (22577575)	URL: http://www.agaveblue.net/unsubscribe.asp?e=foo@gazzy.com
     (22577575)	Comments: Clicked page link in email  navigator window popped up
and displayed address  crash immediately after that.
     (22574280)	URL: http://www.fox.com
     (22573338)	URL: http://www.fox.com
     (22572871)	URL: http://www.caja-ingenieros.es/
     (22572871)	Comments: Starting this web page
     (22572731)	URL: http://www.fox.com
     (22572674)	URL: http://www.fox.com
     (22570267)	URL: http://www.fox.com
     (22569237)	URL: http://www.tmn.ca
     (22569232)	URL: http://www.tmn.ca
     (22569232)	Comments: Opening the web page.
     (22563780)	URL: http://www.fox.com
     (22563157)	URL: http://www.fox.com
     (22562769)	URL: http://www.fox.com
     (22553818)	URL: http://www.fox.com
     (22553758)	URL: http://www.fox.com
     (22538362)	URL: http://www.sgi.com
     (22536379)	URL: http://www.sgi.com
     (22535761)	URL: http://www.sgi.com
     (22528358)	URL: http://www.sgi.com
     (22511506)	URL: http://www.usr.com
     (22510605)	URL: http://www.usr.com
     (22507542)	URL: http://fox.com
     (22506299)	URL: http://fox.com
     (22505918)	URL: http://fox.com
     (22504718)	URL: http://www.fox.com
     (22503575)	URL: http://www.fox.com
     (22496980)	URL: http://fox.com
     (22496907)	URL: http://fox.com
     (22487271)	URL: www.keptech.com/
     (22487271)	Comments: Opening a link from [H]ardOCP.com to the above site. 
Failure happened twice.
     (22480771)	URL: www.fox.com
     (22478446)	URL: http://www.nvidia.com/
     (22478015)	URL: www.fox.com
     (22476490)	URL: www.fox.com
     (22476294)	URL: www.fox.com
     (22476235)	URL: www.fox.com
     (22476222)	URL: www.fox.com
     (22475376)	URL:
http://www.pctechtalk.com/browse.php?sid=1r0d3v2d3q0p8w7k7b6r9f3z9d0c0h8w
     (22475376)	Comments: pressing the back button again
     (22473403)	URL: http://www.nvidia.com
     (22473403)	Comments: just started it up from the WinXP command line:   
http://www.nvidia.com    Moz. is my default browser
     (22468821)	URL: www.fox.com
     (22468804)	URL: www.fox.com
     (22468772)	URL: www.fox.com
     (22468731)	URL: www.fox.com
     (22468714)	URL: www.fox.com
     (22432194)	URL: www.br-alpha.de
     (22432191)	URL: www.br-alpha.de
     (22427707)	URL: http://www.nvidia.com/

From nsRenderingContextWin::GetTextDimensions crashes:
(22639723)	URL: http://www.sysmatrix.net/~patrickberg/music.htm
     (22639723)	Comments: I reloaded the page & then Mozilla failed
     (22583554)	Comments: reading mail 
     (22540394)	URL: foxnews.com
     (22540394)	Comments: Trying to watch a video in an embedded real player page.
     (22526261)	URL: http://gardnerinc.com
     (22526261)	Comments: Just browsing
     (22424412)	URL: http://www.gamespot.com
     (22424399)	URL: http://www.gamespot.com
Keywords: topcrash+
Summary: Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth][@ nsRenderingContextWin::GetTextDimensions] → Random crashes when loading some websites since 0718 build [@ nsRenderingContextWin::GetWidth][@ nsRenderingContextWin::GetTextDimensions][@ 0x00616e61 ]
Attached file another testcase
Testcase made from ford.com. While the other one had FORM and DIV elements,
this one doesn't. They both have EMBED and 2 <TD STYLE="FONT-SIZE...
*** Bug 215834 has been marked as a duplicate of this bug. ***
*** Bug 215870 has been marked as a duplicate of this bug. ***
(using aebrahims unofficial Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.5b) Gecko/20030810 Mozilla Firebird/0.6.1+)

while I was NEVER able to reproduce these crashes out in the wild, these last
testcases crash the browser (only by selecting "Open Link in a new window").
rbs:
Sorry, I missed your comment!
I can't get my debug build to crash, only my optimized build with symbols (but every
time for fox.com today)

I see another crash with my debug build on http://www.plumtree.com (from the Talkback
comments) but I opened bug 215878 for that.
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
Attached file another test case
This isn't quite as elegant as the other two test cases, but I figured it
couldn't hurt to upload it.
Attached patch patchSplinter Review
Here is the patch to fix this nasty crasher.

There was a subtle flaw in this chunk:
@@ -2641,13 +2643,11 @@
 
 void nsRenderingContextWin :: SetupFontAndColor(void)
 {
-  if (((mFontMetrics != mCurrFontMetrics) || (NULL == mCurrFontMetrics)) &&
-      (nsnull != mFontMetrics))
-  {
+  if (mFontMetrics && (!mCurrFontWin || mCurrFontWin->mFont != mCurrFont)) {
     nsFontHandle  fontHandle;
     mFontMetrics->GetFontHandle(fontHandle);
     HFONT	   tfont = (HFONT)fontHandle;
-    
+
     ::SelectObject(mDC, tfont);
 
     mCurrFont = tfont;
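Review bot: the new condition dereferences `mCurrFontWin` in `mCurrFontWin->mFont != mCurrFont`, so it is only safe if every path that replaces or releases `mFontMetrics` also nulls `mCurrFontWin`; the hunk does not show SetFont(), where the accompanying comment says that clearing happens, so that change belongs in the same patch and the invariant (mCurrFontWin is null, or owned by the current mFontMetrics) should be stated in nsRenderingContextWin.h. The hunk also removes every use of `mCurrFontMetrics` from this function; if the member is now unused, drop it from the class rather than leaving a stale raw pointer that invites the old pointer-equality check back.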
=============================================

The whole point of this |if| is to avoid the OS function |::SelectObject| as
much as possible because it is an expensive operation. This optimization has a
bug.

Consider the scenario where |mFontMetrics| is released in SetFont() and another
one is |new|ed such that, by _coincidence_, the address is the same as the old
one. In this case |mFontMetrics == mCurrFontMetrics| and so the setup code
jumps past the |if|, meaning that the other variables retain the values
associated with the older font-metrics that was released... A crash follows since
these values point to garbage. The randomness is explained by the bad
coincidence: the new and old addresses have to match.

In the patch, I changed the |if| to only trust what comes from |mFontMetrics|
itself. It owns |mCurrFontWin|. If SetFont() is called, mFontMetrics is changed
along with its constituents. And by clearing |mCurrFontWin|, the |if| gets
executed, and things are brought in sync again.
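A toy model of the flaw and of the patched check, written as an added example for this page (it is not code from the Mozilla tree). FontMetrics, FontWin, the one-slot allocator and the two context structs are assumed stand-ins for nsIFontMetrics, nsFontWin, the heap and nsRenderingContextWin. The single-slot allocator forces the address coincidence the comment describes: the pre-patch check sees the same address, skips the setup and keeps the stale font selected, while the patched check re-selects because SetFont() cleared mCurrFontWin.

```cpp
// Added example, not code from the Mozilla tree: a simplified model of the
// SetupFontAndColor() cache. Names and types are assumed stand-ins for
// nsIFontMetrics, nsFontWin, HFONT and nsRenderingContextWin.
#include <cassert>

struct FontWin { int font; };          // stand-in for nsFontWin: wraps the GDI handle

struct FontMetrics {                   // stand-in for a ref-counted nsIFontMetrics
    int refcnt;
    int font;                          // stand-in for the HFONT this metrics object resolves to
    FontWin fontWin;                   // owned wrapper, like mFontMetrics owning mCurrFontWin
};

// Toy allocator with a single slot: every "new" metrics object gets the
// address of the one just freed, which is the rare coincidence the bug needs.
static FontMetrics gSlot;
static bool gSlotInUse = false;

static FontMetrics* NewMetrics(int font) {
    assert(!gSlotInUse);               // the previous object must be freed first
    gSlotInUse = true;
    gSlot.refcnt = 1;
    gSlot.font = font;
    gSlot.fontWin.font = font;
    return &gSlot;
}
static FontMetrics* AddRef(FontMetrics* fm) { if (fm) ++fm->refcnt; return fm; }
static void Release(FontMetrics* fm) {
    if (fm && --fm->refcnt == 0) {
        fm->font = -1; fm->fontWin.font = -1;   // poison the freed object
        gSlotInUse = false;
    }
}

// Pre-patch logic: caches the raw address of the last metrics object it set up.
struct BuggyContext {
    FontMetrics* mFontMetrics = nullptr;       // ref-held current metrics
    FontMetrics* mCurrFontMetrics = nullptr;   // raw, non-owning cache key (the flaw)
    int mCurrFont = 0;                         // the "selected" handle
    int selectCalls = 0;                       // stands in for ::SelectObject calls

    void SetFont(FontMetrics* fm) { AddRef(fm); Release(mFontMetrics); mFontMetrics = fm; }
    void SetupFontAndColor() {
        if ((mFontMetrics != mCurrFontMetrics || !mCurrFontMetrics) && mFontMetrics) {
            mCurrFont = mFontMetrics->font;
            mCurrFontMetrics = mFontMetrics;
            ++selectCalls;
        }
    }
};

// Patched logic: trusts only what mFontMetrics itself owns, and SetFont()
// clears the cached wrapper so the next setup cannot skip the select.
struct FixedContext {
    FontMetrics* mFontMetrics = nullptr;
    FontWin* mCurrFontWin = nullptr;   // invariant: null, or owned by mFontMetrics
    int mCurrFont = 0;
    int selectCalls = 0;

    void SetFont(FontMetrics* fm) {
        AddRef(fm); Release(mFontMetrics); mFontMetrics = fm;
        mCurrFontWin = nullptr;        // brings the cache back in sync
    }
    void SetupFontAndColor() {
        if (mFontMetrics && (!mCurrFontWin || mCurrFontWin->font != mCurrFont)) {
            mCurrFont = mFontMetrics->font;
            mCurrFontWin = &mFontMetrics->fontWin;
            ++selectCalls;
        }
    }
};

// The scenario from the comment: old metrics released, new one lands on the same address.
template <class Ctx>
static int RunScenario() {
    Ctx ctx;
    FontMetrics* first = NewMetrics(10);
    ctx.SetFont(first);
    Release(first);                    // the context now holds the only reference
    ctx.SetupFontAndColor();           // selects handle 10 and caches it
    ctx.SetFont(nullptr);              // releases metrics #1: slot freed
    FontMetrics* second = NewMetrics(20);  // same address as #1
    ctx.SetFont(second);
    Release(second);
    ctx.SetupFontAndColor();           // buggy: skipped, stale 10; fixed: selects 20
    int selected = ctx.mCurrFont;
    ctx.SetFont(nullptr);              // free the slot for the next run
    return selected;
}

int BuggySelectedFont() { return RunScenario<BuggyContext>(); }   // 10 (stale)
int FixedSelectedFont() { return RunScenario<FixedContext>(); }   // 20

// The optimisation survives the fix: a redundant setup with the same font
// performs no second select.
int FixedRedundantSetupSelects() {
    FixedContext ctx;
    FontMetrics* fm = NewMetrics(30);
    ctx.SetFont(fm);
    Release(fm);
    ctx.SetupFontAndColor();
    ctx.SetupFontAndColor();
    int calls = ctx.selectCalls;
    ctx.SetFont(nullptr);
    return calls;                      // 1
}
```

The buggy context never touches freed memory in this model; it simply keeps measuring with the stale handle, which is the benign version of what the real code did when its cached font pointers outlived the metrics object. The third function is there to show that the patched condition still skips the expensive re-select when the same font is set up twice in a row.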
Comment on attachment 129651 [details] [diff] [review]
patch

Asking r/sr
Attachment #129651 - Flags: superreview?(roc+moz)
Attachment #129651 - Flags: review?(roc+moz)
Comment on attachment 129651 [details] [diff] [review]
patch

looks good, although I'm not very familiar with the Win32 font code.

It might be helpful if you could add some comments to nsRenderingContextWin.h
documenting the roles of mCurrFont, mCurrFontWin, and mFontMetrics, especially
what the invariants are. (e.g., mCurrFontWin is a font owned by mFontMetrics,
or null)
Attachment #129651 - Flags: superreview?(roc+moz)
Attachment #129651 - Flags: superreview+
Attachment #129651 - Flags: review?(roc+moz)
Attachment #129651 - Flags: review+
Comment on attachment 129651 [details] [diff] [review]
patch

Asking a= on this nasty top crasher. The bug was due to the fact that a local
variable was keeping the value of a reference-counted font-metrics object that
could die, leaving that local variable with a value that is now meaningless.
The patch remedies the problem by relying on what the font-metrics object
itself owns.
Attachment #129651 - Flags: approval1.5b?
>It has nothing to do with Flash - it has crashed my Mozilla Firebird every time
>I've tried www.redsox.com so far - and I don't have Flash installed.
It does not matter if you have flash, but if the *page* has flash (and
www.redsox.com redirects to a page with flash).

I think this has something to do with plugins that display content in a web
page, almost all of the pages listed/reported have flash or java applets in them.

The weird thing is that crashes are random and sometimes more frequent on some
sites than others (fox.com 50% vs. d2ol.com 10%).

*** Bug 215837 has been marked as a duplicate of this bug. ***
*** Bug 216158 has been marked as a duplicate of this bug. ***
*** Bug 216151 has been marked as a duplicate of this bug. ***
*** Bug 216072 has been marked as a duplicate of this bug. ***
Comment on attachment 129651 [details] [diff] [review]
patch

 a=asa (on behalf of drivers) for checkin to Mozilla 1.5beta.
Attachment #129651 - Flags: approval1.5b? → approval1.5b+
Checked-in with these added comments in nsRenderingContextWin.h:
+  // mFontMetrics owns mCurrFontWin which is a thin wrapper
+  // around mCurrFont (the actual GDI font handle). These variables
+  // allow us to quickly tell the current selected font and to
+  // avoid the high expense of a redundant setup of the same font.
   nsFontWin         *mCurrFontWin;
   HFONT             mCurrFont;
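Review bot: the added comment documents that mFontMetrics owns mCurrFontWin but not the null state that the SetupFontAndColor() check depends on; a clause noting that mCurrFontWin is also allowed to be null, and that SetFont() clears it so the next SetupFontAndColor() re-selects the font, would state the invariant the review asked for rather than only the ownership.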
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
*** Bug 215886 has been marked as a duplicate of this bug. ***
*** Bug 216300 has been marked as a duplicate of this bug. ***
*** Bug 214345 has been marked as a duplicate of this bug. ***
*** Bug 218064 has been marked as a duplicate of this bug. ***
*** Bug 214725 has been marked as a duplicate of this bug. ***
*** Bug 215682 has been marked as a duplicate of this bug. ***
Product: Core → Core Graveyard
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Crash Signature: [@ nsRenderingContextWin::GetWidth] [@ nsRenderingContextWin::GetTextDimensions] [@ 0x00616e61 ]