Bug 43214 (Closed) - Opened 24 years ago, closed 24 years ago

Crash when font X_HEIGHT property is garbage (mozilla-fonts font package)

Component: Core :: Layout, defect, P1
Platform: x86 FreeBSD
Status: VERIFIED FIXED
Reporter: jesup, Assigned: pollmann
Keywords: crash, Whiteboard: [nsbeta3+]fix in hand
Attachments: 5 files

Version post-M16 - updated from CVS around 6/17 or later

Crash due to flow (from flow->mNextInFlow) being NULL at nsBlockFrame.cpp:5644

Created by going to playboy.com, then clicking on the link that leads to
playboy.com/oncampus.

(gdb) p flow
$3 = (nsBlockFrame *) 0x0
(gdb) p this
$4 = (nsBlockFrame *) 0x99c915c
(gdb) p *this
$5 = {
  <nsHTMLContainerFrame> = {
    <nsContainerFrame> = {
      <nsSplittableFrame> = {
        <nsFrame> = {
          <nsIFrame> = {
            <nsISupports> = {
              _vptr$ = 0x2a0765a0
            }, <No data fields>}, 
          <nsIFrameDebug> = {
            <nsISupports> = {
              _vptr$ = 0x2a076560
            }, <No data fields>}, 
          members of nsFrame: 
          mRect = {
            x = 0, 
            y = 0, 
            width = 8625, 
            height = 15150
          }, 
          mContent = 0x9a06c8c, 
          mStyleContext = 0x960c000, 
          mParent = 0x99c9100, 
          mNextSibling = 0x0, 
          mState = 1835013
        }, 
        members of nsSplittableFrame: 
        mPrevInFlow = 0x0, 
        mNextInFlow = 0x0
      }, 
      members of nsContainerFrame: 
      mFrames = {
        mFirstChild = 0x0
      }
    }, <No data fields>}, 
  members of nsBlockFrame: 
  mLines = 0x9ae04f0, 
  mTextRuns = 0x0, 
  mFloaters = {
    mFirstChild = 0x0
  }, 
  mBullet = 0x0, 
  mAbsoluteContainer = {
    mAbsoluteFrames = {
      mFirstChild = 0x0
    }
  }
}
(gdb) p nextInFlow
No symbol "nextInFlow" in current context.
(gdb) bt
#0  0x29ac4007 in nsBlockFrame::DoRemoveFrame (this=0x99c915c, 
    aPresContext=0x8310e00, aDeletedFrame=0x9bda37c) at nsBlockFrame.cpp:5644
#1  0x29ac41fd in nsBlockFrame::DeleteChildsNextInFlow (this=0x99c915c, 
    aPresContext=0x8310e00, aChild=0x99c91e4) at nsBlockFrame.cpp:5669
#2  0x29ac958c in nsBlockReflowContext::ReflowBlock (this=0xbfbf8df0, 
    aFrame=0x99c91e4, aSpace=@0xbfbf8d38, aApplyTopMargin=1, 
    aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbf8d48, 
    aFrameReflowStatus=@0xbfbf8d2c) at nsBlockReflowContext.cpp:601
#3  0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x99c915c, 
    aState=@0xbfbf9234, aLine=0x9ae0518, aKeepReflowGoing=0xbfbf8fc8)
    at nsBlockFrame.cpp:3928
#4  0x29abebbd in nsBlockFrame::ReflowLine (this=0x99c915c, aState=@0xbfbf9234, 
    aLine=0x9ae0518, aKeepReflowGoing=0xbfbf8fc8, aDamageDirtyArea=1)
    at nsBlockFrame.cpp:3192
#5  0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x99c915c, 
    aState=@0xbfbf9234) at nsBlockFrame.cpp:2999
#6  0x29abb863 in nsBlockFrame::Reflow (this=0x99c915c, aPresContext=0x8310e00, 
    aMetrics=@0xbfbf960c, aReflowState=@0xbfbf956c, aStatus=@0xbfbfa82c)
    at nsBlockFrame.cpp:1765
#7  0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9100, 
    aKidFrame=0x99c915c, aPresContext=0x8310e00, aDesiredSize=@0xbfbf960c, 
    aReflowState=@0xbfbf956c, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c)
    at nsContainerFrame.cpp:693
#8  0x29d5ad0b in nsTableCellFrame::Reflow (this=0x99c9100, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9824, aReflowState=@0xbfbf9784, 
    aStatus=@0xbfbfa82c) at nsTableCellFrame.cpp:822
#9  0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c90b8, 
    aKidFrame=0x99c9100, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9824, 
    aReflowState=@0xbfbf9784, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c)
    at nsContainerFrame.cpp:693
#10 0x29d71cbb in nsTableRowFrame::IR_TargetIsChild (this=0x99c90b8, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf99d4, 
    aStatus=@0xbfbfa82c, aNextFrame=0x99c9100) at nsTableRowFrame.cpp:1388
#11 0x29d718a0 in nsTableRowFrame::IncrementalReflow (this=0x99c90b8, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf99d4, 
    aStatus=@0xbfbfa82c) at nsTableRowFrame.cpp:1269
#12 0x29d722ef in nsTableRowFrame::Reflow (this=0x99c90b8, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf9af4, 
    aStatus=@0xbfbfa82c) at nsTableRowFrame.cpp:1623
#13 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9074, 
    aKidFrame=0x99c90b8, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, 
    aReflowState=@0xbfbf9af4, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c)
    at nsContainerFrame.cpp:693
#14 0x29d76715 in nsTableRowGroupFrame::IR_TargetIsChild (this=0x99c9074, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9c94, 
    aStatus=@0xbfbfa82c, aNextFrame=0x99c90b8) at nsTableRowGroupFrame.cpp:1541
#15 0x29d75860 in nsTableRowGroupFrame::IncrementalReflow (this=0x99c9074, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9c94, 
    aStatus=@0xbfbfa82c) at nsTableRowGroupFrame.cpp:1173
#16 0x29d7534a in nsTableRowGroupFrame::Reflow (this=0x99c9074, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9dc0, 
    aStatus=@0xbfbfa82c) at nsTableRowGroupFrame.cpp:1074
#17 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9010, 
    aKidFrame=0x99c9074, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, 
    aReflowState=@0xbfbf9dc0, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c)
    at nsContainerFrame.cpp:693
#18 0x29d65df7 in nsTableFrame::IR_TargetIsChild (this=0x99c9010, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbf9f14, 
    aStatus=@0xbfbfa82c, aNextFrame=0x99c9074) at nsTableFrame.cpp:2719
#19 0x29d657f7 in nsTableFrame::IncrementalReflow (this=0x99c9010, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbfa21c, 
    aStatus=@0xbfbfa82c) at nsTableFrame.cpp:2507
#20 0x29d62f4a in nsTableFrame::Reflow (this=0x99c9010, aPresContext=0x8310e00, 
    aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbfa21c, aStatus=@0xbfbfa82c)
    at nsTableFrame.cpp:1550
#21 0x29ace031 in nsContainerFrame::ReflowChild (this=0x98c5f68, 
    aKidFrame=0x99c9010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, 
    aReflowState=@0xbfbfa21c, aX=0, aY=0, aFlags=3, aStatus=@0xbfbfa82c)
    at nsContainerFrame.cpp:693
#22 0x29d6ced1 in nsTableOuterFrame::OuterReflowChild (this=0x98c5f68, 
    aPresContext=0x8310e00, aChildFrame=0x99c9010, aOuterRS=@0xbfbfa6c0, 
    aMetrics=@0xbfbfa3b0, aAvailWidth=0x0, aDesiredSize=@0xbfbfa404, 
    aMargin=@0xbfbfa3f4, aPadding=@0xbfbfa3e4, 
    aReflowReason=eReflowReason_Incremental, aStatus=@0xbfbfa82c)
    at nsTableOuterFrame.cpp:884
#23 0x29d6dcba in nsTableOuterFrame::IR_InnerTableReflow (this=0x98c5f68, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aOuterRS=@0xbfbfa6c0, 
    aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:1186
#24 0x29d6d2a7 in nsTableOuterFrame::IR_TargetIsInnerTableFrame (
    this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, 
    aReflowState=@0xbfbfa6c0, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:986
#25 0x29d6d177 in nsTableOuterFrame::IR_TargetIsChild (this=0x98c5f68, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aReflowState=@0xbfbfa6c0, 
    aStatus=@0xbfbfa82c, aNextFrame=0x99c9010) at nsTableOuterFrame.cpp:958
#26 0x29d6d106 in nsTableOuterFrame::IncrementalReflow (this=0x98c5f68, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aReflowState=@0xbfbfa6c0, 
    aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:937
#27 0x29d6e6f5 in nsTableOuterFrame::Reflow (this=0x98c5f68, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aOuterRS=@0xbfbfa6c0, 
    aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:1387
#28 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfa8f0, 
    aFrame=0x98c5f68, aSpace=@0xbfbfa838, aApplyTopMargin=0, 
    aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbfa848, 
    aFrameReflowStatus=@0xbfbfa82c) at nsBlockReflowContext.cpp:511
#29 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x98c5ea4, 
    aState=@0xbfbfad34, aLine=0x9b5e480, aKeepReflowGoing=0xbfbfaac8)
    at nsBlockFrame.cpp:3928
#30 0x29abebbd in nsBlockFrame::ReflowLine (this=0x98c5ea4, aState=@0xbfbfad34, 
    aLine=0x9b5e480, aKeepReflowGoing=0xbfbfaac8, aDamageDirtyArea=1)
    at nsBlockFrame.cpp:3192
#31 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x98c5ea4, 
    aState=@0xbfbfad34) at nsBlockFrame.cpp:2999
#32 0x29abb863 in nsBlockFrame::Reflow (this=0x98c5ea4, aPresContext=0x8310e00, 
    aMetrics=@0xbfbfb2a0, aReflowState=@0xbfbfb030, aStatus=@0xbfbfb19c)
    at nsBlockFrame.cpp:1765
#33 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfb260, 
    aFrame=0x98c5ea4, aSpace=@0xbfbfb1a8, aApplyTopMargin=1, 
    aPrevBottomMargin=0, aIsAdjacentWithTop=0, aComputedOffsets=@0xbfbfb1b8, 
    aFrameReflowStatus=@0xbfbfb19c) at nsBlockReflowContext.cpp:511
#34 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x960ed64, 
    aState=@0xbfbfb6a4, aLine=0x9b5e4d0, aKeepReflowGoing=0xbfbfb438)
    at nsBlockFrame.cpp:3928
#35 0x29abebbd in nsBlockFrame::ReflowLine (this=0x960ed64, aState=@0xbfbfb6a4, 
    aLine=0x9b5e4d0, aKeepReflowGoing=0xbfbfb438, aDamageDirtyArea=1)
    at nsBlockFrame.cpp:3192
#36 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x960ed64, 
    aState=@0xbfbfb6a4) at nsBlockFrame.cpp:2999
#37 0x29abb863 in nsBlockFrame::Reflow (this=0x960ed64, aPresContext=0x8310e00, 
    aMetrics=@0xbfbfbc10, aReflowState=@0xbfbfb9a0, aStatus=@0xbfbfbb0c)
    at nsBlockFrame.cpp:1765
#38 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfbbd0, 
    aFrame=0x960ed64, aSpace=@0xbfbfbb18, aApplyTopMargin=1, 
    aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbfbb28, 
    aFrameReflowStatus=@0xbfbfbb0c) at nsBlockReflowContext.cpp:511
#39 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x960ecdc, 
    aState=@0xbfbfc014, aLine=0x960edd8, aKeepReflowGoing=0xbfbfbda8)
    at nsBlockFrame.cpp:3928
#40 0x29abebbd in nsBlockFrame::ReflowLine (this=0x960ecdc, aState=@0xbfbfc014, 
    aLine=0x960edd8, aKeepReflowGoing=0xbfbfbda8, aDamageDirtyArea=1)
    at nsBlockFrame.cpp:3192
#41 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x960ecdc, 
    aState=@0xbfbfc014) at nsBlockFrame.cpp:2999
#42 0x29abb863 in nsBlockFrame::Reflow (this=0x960ecdc, aPresContext=0x8310e00, 
    aMetrics=@0xbfbfc3ec, aReflowState=@0xbfbfc34c, aStatus=@0xbfbfc724)
    at nsBlockFrame.cpp:1765
#43 0x29ace031 in nsContainerFrame::ReflowChild (this=0x960e04c, 
    aKidFrame=0x960ecdc, aPresContext=0x8310e00, aDesiredSize=@0xbfbfc3ec, 
    aReflowState=@0xbfbfc34c, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfc724)
    at nsContainerFrame.cpp:693
#44 0x29aecdda in CanvasFrame::Reflow (this=0x960e04c, aPresContext=0x8310e00, 
    aDesiredSize=@0xbfbfc6f0, aReflowState=@0xbfbfc51c, aStatus=@0xbfbfc724)
    at nsHTMLFrame.cpp:301
#45 0x29db3c13 in nsBoxToBlockAdaptor::Reflow (this=0x960ec80, 
    aState=@0xbfbfca4c, aPresContext=0x8310e00, aDesiredSize=@0xbfbfc6f0, 
    aReflowState=@0xbfbfcbb0, aStatus=@0xbfbfc724, aX=0, aY=0, aWidth=13620, 
    aHeight=10905, aMoveFrame=1) at nsBoxToBlockAdaptor.cpp:794
#46 0x29db3307 in nsBoxToBlockAdaptor::Layout (this=0x960ec80, 
    aState=@0xbfbfca4c) at nsBoxToBlockAdaptor.cpp:467
#47 0x29b3b5cd in nsScrollPortFrame::Layout (this=0x960e128, aState=@0xbfbfca4c)
    at nsScrollPortFrame.cpp:335
#48 0x29db6187 in nsContainerBox::LayoutChildAt (aState=@0xbfbfca4c, 
    aBox=0x960e160, aRect=@0xbfbfc950) at nsContainerBox.cpp:609
#49 0x29b3946b in nsGfxScrollFrameInner::LayoutBox (this=0x9b72b00, 
    aState=@0xbfbfca4c, aBox=0x960e160, aRect=@0xbfbfc950)
    at nsGfxScrollFrame.cpp:1016
#50 0x29b396df in nsGfxScrollFrameInner::Layout (this=0x9b72b00, 
    aState=@0xbfbfca4c) at nsGfxScrollFrame.cpp:1101
#51 0x29b394e7 in nsGfxScrollFrame::Layout (this=0x960e084, aState=@0xbfbfca4c)
    at nsGfxScrollFrame.cpp:1029
#52 0x29dc7226 in nsBoxFrame::Reflow (this=0x960e088, aPresContext=0x8310e00, 
    aDesiredSize=@0xbfbfcc58, aReflowState=@0xbfbfcbb0, aStatus=@0xbfbfcdc0)
    at nsBoxFrame.cpp:648
#53 0x29b38546 in nsGfxScrollFrame::Reflow (this=0x960e084, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfcc58, aReflowState=@0xbfbfcbb0, 
    aStatus=@0xbfbfcdc0) at nsGfxScrollFrame.cpp:715
#54 0x29ace031 in nsContainerFrame::ReflowChild (this=0x960e010, 
    aKidFrame=0x960e088, aPresContext=0x8310e00, aDesiredSize=@0xbfbfcc58, 
    aReflowState=@0xbfbfcbb0, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfcdc0)
    at nsContainerFrame.cpp:693
#55 0x29b361e6 in ViewportFrame::Reflow (this=0x960e010, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfce44, aReflowState=@0xbfbfcd20, 
    aStatus=@0xbfbfcdc0) at nsViewportFrame.cpp:545
#56 0x29aee904 in nsHTMLReflowCommand::Dispatch (this=0x9a503c0, 
    aPresContext=0x8310e00, aDesiredSize=@0xbfbfce44, aMaxSize=@0xbfbfce24, 
    aRendContext=@0xa043000) at nsHTMLReflowCommand.cpp:144
#57 0x29b1bad4 in PresShell::ProcessReflowCommands (this=0x8c1a400, 
    aInterruptible=1) at nsPresShell.cpp:3927
#58 0x29ef2ca8 in ReflowEvent::HandleEvent (this=0x9b26040)
    at nsPresShell.cpp:3815
#59 0x29b1b597 in HandlePLEvent (aEvent=0x9b26040) at nsPresShell.cpp:3826
#60 0x281d9d61 in PL_HandleEvent (self=0x9b26040) at plevent.c:575
#61 0x281d9bf0 in PL_ProcessPendingEvents (self=0x8112480) at plevent.c:520
#62 0x281dbecc in nsEventQueueImpl::ProcessPendingEvents (this=0x8112440)
    at nsEventQueue.cpp:356
#63 0x290cbba3 in event_processor_callback (data=0x8112440, source=8, 
    condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#64 0x290cb755 in our_gdk_io_invoke (source=0x8256d20, condition=G_IO_IN, 
    data=0x8256d10) at nsAppShell.cpp:58
#65 0x292c35aa in g_io_unix_dispatch () from /usr/local/lib/libglib12.so.3
#66 0x292c4d17 in g_main_dispatch () from /usr/local/lib/libglib12.so.3
#67 0x292c531f in g_main_iterate () from /usr/local/lib/libglib12.so.3
#68 0x292c54a1 in g_main_run () from /usr/local/lib/libglib12.so.3
#69 0x291f96f3 in gtk_main () from /usr/X11R6/lib/libgtk12.so.2
#70 0x290cc545 in nsAppShell::Run (this=0x8140ce0) at nsAppShell.cpp:334
#71 0x28963ee6 in nsAppShellService::Run (this=0x813ddc0)
    at nsAppShellService.cpp:386
#72 0x8054e47 in main1 (argc=1, argv=0xbfbfd398, nativeApp=0x0)
    at nsAppRunner.cpp:906
#73 0x8055be1 in main (argc=1, argv=0xbfbfd398) at nsAppRunner.cpp:1092
(gdb) up
#1  0x29ac41fd in nsBlockFrame::DeleteChildsNextInFlow (this=0x99c915c, 
    aPresContext=0x8310e00, aChild=0x99c91e4) at nsBlockFrame.cpp:5669
(gdb) p *aPresContext
$6 = (nsIPresContext *) 0x8310e00
(gdb) p *aPresContext
$7 = {
  <nsISupports> = {
    _vptr$ = 0x2a09d460
  }, <No data fields>}
(gdb) p *nextInFlow
$8 = (nsIFrame *) 0x9bda37c
(gdb) p *nextInFlow
$9 = {
  <nsISupports> = {
    _vptr$ = 0x2a090dc0
  }, <No data fields>}
(gdb) down
#0  0x29ac4007 in nsBlockFrame::DoRemoveFrame (this=0x99c915c, 
    aPresContext=0x8310e00, aDeletedFrame=0x9bda37c) at nsBlockFrame.cpp:5644
(gdb) p line
$10 = (nsLineBox *) 0x0
(gdb) p prevLine
$11 = (nsLineBox *) 0x0
(gdb) p *linep
$12 = (nsLineBox **) 0x9ae051c
(gdb) p *linep
$13 = (nsLineBox *) 0x0
(gdb) p *this->mLines
$14 = (nsLineBox *) 0x9ae04f0
(gdb) p *this->mLines
$15 = {
  mFirstChild = 0x99c91a8, 
  mNext = 0x9ae0518, 
  mBounds = {
    x = 0, 
    y = 0, 
    width = 0, 
    height = 0
  }, 
  mMaxElementWidth = 0, 
  mMaximumWidth = 0, 
  {
    mAllFlags = 1024, 
    mFlags = {
      mDirty = 0, 
      mBlock = 0, 
      mImpactedByFloater = 0, 
      mTrimmed = 0, 
      mHasPercentageChild = 0, 
      mLineWrapped = 0, 
      mBreakType = 0, 
      mChildCount = 1
    }
  }, 
  {
    mData = 0x0, 
    mBlockData = 0x0, 
    mInlineData = 0x0
  }
}
(gdb)
Using Linux Build 2000062008 from 6/20/00, mozilla doesn't crash.  Instead, some
javascript errors are reported.

JavaScript error:
 line 0: uncaught exception: [Exception... "Component does not have requested
interface"  code: "-2147467262" nsresult: "0x80004002 (NS_NOINTERFACE)"
location: "<unknown>"]

JavaScript error:
 line 0: uncaught exception: [Exception... "Component does not have requested
interface"  code: "-2147467262" nsresult: "0x80004002 (NS_NOINTERFACE)"
location: "<unknown>"]
Changed the URL to tensingpen.com.  The crash is consistent.  Warning:
tensingpen.com might be changing (it changed in the last week); I may try to
create a minimal example.

Here's the output associated with the crash.  Note all the assertion failures.

Document http://www.mozilla.org/ loaded successfully
->>>>>>>>>>>>>> Write Clipboard to memory
Entry at index 0 is tensingpen.com
Document: Done (5.955 secs)
Error loading URL http://tensingpen.com/ 
Enabling Quirk StyleSheet
Document: Done (0.925 secs)
*** check number of frames in content area 
Error loading URL http://www.tensingpen.com/ 
WARNING: not calling OnDataAvailable, file nsAsyncStreamListener.cpp, line 409
Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
WARNING: cell content 0x89e0fa0 has large height 1073743969 
nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=11040,1073743969!
nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=11040,1073743969!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 796
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796
WARNING: cell content 0x89e0fa0 has large height 1073743969 
nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=10815,1073743969!
nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=10815,1073743969!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 796
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796
WARNING: cell content 0x89e0fa0 has large height 1073743969 
nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=10815,1073743969!
nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=10815,1073743969!
###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file
nsBlockFrame.cpp, line 5524
###!!! Break: at file nsBlockFrame.cpp, line 5524
###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file
nsBlockFrame.cpp, line 5528
###!!! Break: at file nsBlockFrame.cpp, line 5528
###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file
nsBlockFrame.cpp, line 5642
###!!! Break: at file nsBlockFrame.cpp, line 5642
Segmentation fault - core dumped
*sigh* What a rough job.  I am not able to reproduce this (Javascript warnings 
or crash) on today's Windows NT build at any of the sites mentioned.  Will try 
Linux tomorrow when I get in.
Component: HTMLFrames → Layout
Unable to reproduce a crash on PC/Linux SuSE6.2, build 2000062020, with the
"HTML for tensingpen.com" attachment. My X server is running on a different
machine than mozilla; I don't know if that makes any difference. Shell output:

Entry at index 0 is
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434
Document: Done (1.607 secs)
Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 
Document: Done (6.832 secs)
Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 

Note: In Communicator, all images are broken on the attachment page.
Add <base href="http://www.tensingpen.com"> to the attachment to make the crash
happen.  (I really had added the attachment because I was worried that the site
would change before the problem could be tracked down - it went through a major
update in the last week.)

I'll upload a modified attachment.
Tried this on Linux (today's build) with the attachment, the modified 
attachment, and the current tensingpen.com homepage.  No crashes and no 
javascript warnings.

Reporter, can you please try today's build to see if you can still reproduce the 
problem?  Thanks!

Marking WORKSFORME due to unreproducibility.  Please reopen if you can reproduce 
this with today's build.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
To clarify, "modified attachment" in my above comment means that I took the 
attachment and added <base href="http://www.tensingpen.com"> as suggested.  This 
page behaved correctly on Linux and Win NT.  
Fresh checkout, clean and build on 6/21/2000 at ~9pm: still crashes when
http://tensingpen.com is loaded.  I'll upload a backtrace for the crash,
and also for when the first assertion failure occurs.


Entry at index 0 is tensingpen.com
Document: Done (1.009 secs)
Error loading URL http://tensingpen.com/ 
Enabling Quirk StyleSheet
Document: Done (1.482 secs)
Error loading URL http://www.tensingpen.com/ 
Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
WARNING: cell content 0x8b39fa0 has large height 1073743969 
nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9720,1073743969!
nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9720,1073743969!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 796
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796
WARNING: cell content 0x8b39fa0 has large height 1073743969 
nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9495,1073743969!
nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9495,1073743969!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 796
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796
WARNING: cell content 0x8b39fa0 has large height 1073744209 
nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9495,1073744209!
nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9495,1073744209!
###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file
nsBlockFrame.cpp, line 5524
###!!! Break: at file nsBlockFrame.cpp, line 5524
###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file
nsBlockFrame.cpp, line 5528
###!!! Break: at file nsBlockFrame.cpp, line 5528
###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file
nsBlockFrame.cpp, line 5642
###!!! Break: at file nsBlockFrame.cpp, line 5642

Program received signal SIGSEGV, Segmentation fault.
0x29ac3937 in ?? ()
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Puzzling!  I just tested a 10PM debug pull from 21-Jun on both Linux and Solaris 
and no crash.  I wonder if this is FreeBSD only...  I know this is redundant, 
but exactly what steps do you take to get the crash?  I started up, typed: 
"http://tensingpen.com" in the URL bar then hit Enter.  Page loads, no crash.

Have you tried deleting ~/.mozilla (sometimes old profiles cause badness)?

Do you have any changes in your tree?
 grep "^M" $MOZROOT/../cvsco.log

If we rule out the obvious, I'll see if I can set up a FreeBSD machine here, or 
find one already set up.
One further note: After I opened mozilla, I resized it a bit larger.  I then
typed "tensingpen.com" into the URL widget and hit return.  Boom.
Compiler is gcc/g++ 2.95.2; OS is FreeBSD 3.x.

build options are:
ac_add_options --disable-md
ac_add_options --disable-cpp-rtti
ac_add_options --disable-xterm-updates
ac_add_options --disable-pedantic
ac_add_options --enable-cpp-exceptions
ac_add_options --with-pthreads
ac_add_options --enable-pics
ac_add_options --enable-tests
I added a package of diffs (from the *.mozilla.*.unix newsgroup)
to intl that make Mozilla work with FreeBSD 3.3 (which I happen to be using).

I don't see how these changes could be it, but you never know...

Those changes were to work around a bug in symbol resolution from dlopen()'d
shared objects.

The message the diff was taken from was:
From: pete@alphanumerica.com (pete collins)
Subject: Re: Running M15 on FreeBSD3.3
Newsgroups: netscape.public.mozilla.unix
Date: 27 Apr 2000 18:43:47 GMT

I also changed one line in nsProfile.cpp; see bug #43087.
I changed nsProfile.cpp:349 to:
    if (NS_FAILED(rv) || ((const PRUnichar*)currentProfileStr == 0)) {

I don't think this could be implicated.
I agree, those patches are probably not to blame for the crash you're seeing.  
I'll try to get a FreeBSD build going, but it may take a few days due to other 
deadlines I've got to meet.  :)
See related bug 43250.
Keywords: crash
Adding crash keyword to all open crashers.
Build ID 2000061408, fresh checkout/clean/build as of July 1, problem still
happens using the first attachment (06/20/00 19:33).
I just now got a FreeBSD machine up and running.  Build is past xpcom, so I 
think I should have something to work with next week.
Can't reproduce the crash in my FreeBSD build.  I tested at tensingpen.com and 
that other URL mentioned above.  ;)  I get no crashes.

pollmann rock(1):~> uname -a
FreeBSD rock 4.0-20000712-STABLE FreeBSD 4.0-20000712-STABLE #0: Wed
Jul 12 11:19:03 GMT 2000     root@usw3.freebsd.org:/usr/src/sys/compile/GENERIC
 i386
pollmann rock(2):~> gcc --version
2.95.2

Added these configure options (same as I use on Linux)

ac_add_options --with-pthreads
ac_add_options --disable-build-nspr
ac_add_options --enable-xterm-updates
ac_add_options --enable-debug

I'm curious - would you be willing to build an additional, completely clean tree 
without these options set (they are ones that you added), or are they needed for 
the build?  Also, have you thought of upgrading from 3.3 to 4?  :)

ac_add_options --disable-md
ac_add_options --disable-cpp-rtti
ac_add_options --enable-cpp-exceptions
ac_add_options --enable-pics

(BTW, I have to say that FreeBSD was the fastest and easiest to set up of any OS  
I've used so far!  My only nit is that I still don't have automount working for 
NIS maps we have setup internally here.  :S )
Fresh build with new options still crashes.

I wonder if this could be related to the fonts I have installed on my system.

I installed some additional fonts supposedly designed for Mozilla (and Netscape
4.x) under Linux/etc; I don't know if they'd have an effect.  I got them from
this place:  http://fox.mit.edu/skunk/xwin/#mozilla_fonts

See also bug 44677

My ~/.mozconfig (please excuse the disable/enable of xterm-updates):

ac_add_options --disable-xterm-updates
ac_add_options --disable-pedantic
ac_add_options --with-pthreads
ac_add_options --enable-tests
ac_add_options --enable-xterm-updates
ac_add_options --enable-debug


Document: Done (2.754 secs)
Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434
WARNING: not calling OnDataAvailable, file nsAsyncStreamListener.cpp, line 404
Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
WARNING: cell content 0x8d51010 has large height 1073744209
nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13305,1073744209!
nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13305,1073744209!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 813
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813
WARNING: cell content 0x8d51010 has large height 1073744209
nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13245,1073744209!
nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13245,1073744209!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 813
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813
WARNING: cell content 0x8d51010 has large height 1073744209
nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13080,1073744209!
nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13080,1073744209!
###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file
nsBoxToBlockAdaptor.cpp, line 813
###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813
WARNING: cell content 0x8d51010 has large height 1073744209
nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13080,1073744209!
nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13080,1073744209!
###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file
nsBlockFrame.cpp, line 5468
###!!! Break: at file nsBlockFrame.cpp, line 5468
###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file
nsBlockFrame.cpp, line 5472
###!!! Break: at file nsBlockFrame.cpp, line 5472
###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file
nsBlockFrame.cpp, line 5586
###!!! Break: at file nsBlockFrame.cpp, line 5586
Segmentation fault - core dumped
Another site that causes the same crash:

http://www.avsforum.com/ubbcgi/forumdisplay.cgi?action=topics&forum=HDTV&number=11&DaysPrune=5&LastLogin=

(Or, go to www.avsforum.com, and click on HDTV).
I made a minimal example.  This bug is closely related (or is the same as) bug
44677.  This appears to be caused by problems handling the Arial font that's
installed by the mozilla font package mentioned.  I suspect strongly something
isn't checking for an error when getting the size of a string.
After installing the fonts, I can see the crash.  Great work narrowing down the
problem Randell!

My guess is that this bug is also present on Linux, Solaris, and any Unix after
installing the fonts.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
This is a severe bug (crash) but not widely seen (need to install these 
particular fonts, and on un*x only).  Marking Future.
Target Milestone: --- → Future
Ok, I tracked down the specific reason for the wacky area sizes that cause
problems.

In nsFontMetricsGTK.cpp:942, we do this:

    if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr))
    {
      mXHeight = nscoord(pr * f);
  #ifdef REALLY_NOISY_FONTS
      printf("xHeight=%d\n", mXHeight);
  #endif
    }

All well and good.  However, this font appears to have the X_HEIGHT property set
to 0xfffffffe:
  (gdb) p/x fontInfo->properties[16]
  $29 = {
    name = 0x38, 
    card32 = 0xfffffffe
  }

Note: the call didn't fail, the font has a garbage value for X_HEIGHT.

There are two solutions (we can do both):
1) get the font designer to fix the font.  This font is supposedly designed for
use with Mozilla (witness the name).  The problem may well be in their font
editor/converter, since few people build them by hand.
2) Add this to nsFontMetricsGTK.cpp:

    if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr))
    {
      if (pr < 0x00ffffff)  // arbitrary to exclude garbage values
      {
         mXHeight = nscoord(pr * f);
#ifdef REALLY_NOISY_FONTS
         printf("xHeight=%d\n", mXHeight);
#endif
      }
    }

Note that this sort of sanity-checking could apply to any font property, so we'd
need to add it to a bunch of them.  While this would avoid the problem, I don't
think malformed fonts are that big an issue in general, __UNLESS__ there's a
tool out there that does this commonly to converted fonts - and there might be. 
We need to contact the author of the fonts and find out how this happened (and
get him to fix it).

I'd suggest closing this bug, at least until we find out if there's a bad tool
creating these bad X_HEIGHTs in common use.  Also, 44677 should be marked as a
dup of this (or vice-versa).

Also, you might want to not close this one, but resolve it by adding Assertions
about the X font properties, so any future problems like this are easier to
debug (it can cause wild-ass problems far down the road from the error). That
wouldn't impact speed/size in non-debug versions.
*** Bug 44677 has been marked as a duplicate of this bug. ***
Great work Randell!  Thanks for going the extra mile on this!


    if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr))
    {
      if (pr < 0x00ffffff)  // arbitrary to exclude garbage values
      {
         mXHeight = nscoord(pr * f);
#ifdef REALLY_NOISY_FONTS
         printf("xHeight=%d\n", mXHeight);
#endif
      }
    }

Should the check be pr < 0xfffffffe?

What should be done in the "else" case?  Is there some rational number for
mXHeight to default to, or should it not be changed as above?  (what is
mXHeight?  can it be derived somehow from the font?)

I'd be interested to see what the moz-classic source base did in this case
because it seems to handle those fonts fine!
>Should the check be pr < 0xfffffffe?

I chose a "very large" value (0x00ffffff - 16 million points).  If anything,
that should be lowered.  It's just meant to exclude irrational items.

>What should be done in the "else" case?  Is there some rational number for
>mXHeight to default to, or should it not be changed as above?  (what is
>mXHeight?  can it be derived somehow from the font?)

It's the 'nominal' height of lower-case letters above the baseline.  There is a
default already set before this snippet of code, so all we have to do is not set
it to a silly value.

>I'd be interested to see what the moz-classic source base did in this case
>because it seems to handle those fonts fine!

It'd be very interesting.  Note: mXHeight is used to create default
superscript and subscript vertical offsets (which was where the problem was
coming from).  I suspect old Netscape used something else.
> I chose a "very large" value (0x00ffffff - 16 million points).  If anything,
> that should be lowered.  It's just meant to exclude irrational items.)

Agreed - I didn't see the preceding 00 somehow...  Oops!

Using the default values is fine, that's great that it's set in case the font
has a wacky value!

I couldn't find this in the moz-classic code base.  I can say from
http://lxr.mozilla.org/classic that we never called XGetFontProperty to get
XA_X_HEIGHT anywhere in the code base.  Perhaps a fixed value (based on the font
size?) was used?
(I changed the Summary)

It didn't crash (or have problems) in Classic because it used the font->ascent/2
for superscripts (and probably subscripts), instead of using X_HEIGHT (which is
more correct - X_HEIGHT is the nominal height of lower-case letters in the font;
ascent is the height of upper-case characters).

Search for text "superscript" on LXR in classic and you'll find it in the layout
directory near the front of the hit list.
Summary: Crash when removing a frame on reflow → Crash when font X_HEIGHT property is garbage (mozilla-fonts font package)
Since we start out with the assumption that the nominal height is .56 of the
ascent, it seems like we'll fall back on a reasonable value with your fix. 
Annotating this as "fix in hand" and nominating for beta3.  This is a simple,
low-risk solution for the crash.
Keywords: nsbeta3
Whiteboard: fix in hand
Target Milestone: Future → M18
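As an added C example (not code from this bug or from Mozilla's tree) pulling together Randell's analysis of the garbage X_HEIGHT value and the .56-of-ascent default pollmann mentions: a stand-in for XGetFontProperty over a constructed font record, the pre-fix product that blows past the range of nscoord, and the checked path that keeps the default instead. The FontProp/FontInfo structs, the 15 twips-per-pixel scale and the sample ascent are assumptions; get_sane_font_property generalises the same bound to any font property, as the analysis suggests.

```c
#include <stdint.h>
#include <stdio.h>

/* nscoord in this era of Mozilla is a signed 32-bit app-unit (twip) count. */
typedef int32_t nscoord;

/* Constructed stand-in for Xlib's XFontProp: an atom naming the property and
 * its 32-bit value.  name = 0x38 is the atom shown for X_HEIGHT in the gdb
 * dump above; 0xfffffffe is the garbage value the Arial font carried. */
typedef struct {
    uint32_t name;
    uint32_t card32;
} FontProp;

typedef struct {
    const FontProp *properties;
    int n_properties;
    nscoord ascent;            /* assumed already converted to app units */
} FontInfo;

#define XA_X_HEIGHT 0x38u

/* Mirrors XGetFontProperty's contract: returns 1 and stores the raw value if
 * the property is present, 0 otherwise.  Presence says nothing about sanity. */
static int get_font_property(const FontInfo *fi, uint32_t atom, uint32_t *out)
{
    for (int i = 0; i < fi->n_properties; i++) {
        if (fi->properties[i].name == atom) {
            *out = fi->properties[i].card32;
            return 1;
        }
    }
    return 0;
}

/* Bound from the proposed fix: 0x00ffffff pixels is far beyond any real
 * metric, so anything at or above it is treated as garbage and ignored. */
#define MAX_SANE_FONT_PROP 0x00ffffffu

/* Generalisation of the fix to any font property: true only if the property
 * is present AND below the sanity bound.  Callers keep their default otherwise. */
static int get_sane_font_property(const FontInfo *fi, uint32_t atom, uint32_t *out)
{
    uint32_t pr;
    if (!get_font_property(fi, atom, &pr))
        return 0;
    if (pr >= MAX_SANE_FONT_PROP) {
#ifdef DEBUG
        /* Debug-build diagnostic in the spirit Randell suggests: flag the bad
         * font at the source rather than as a reflow crash much later. */
        fprintf(stderr, "garbage font property 0x%x = 0x%x\n", atom, pr);
#endif
        return 0;
    }
    *out = pr;
    return 1;
}

/* Default x-height: the nominal height of lower-case letters is assumed to be
 * .56 of the ascent when the font does not supply a usable X_HEIGHT. */
static nscoord default_x_height(nscoord ascent)
{
    return (nscoord)(ascent * 0.56);
}

/* Pre-fix behaviour: the raw product pr * f that the old code cast straight
 * into a 32-bit nscoord.  Returned as a double so its magnitude can be
 * inspected without performing the undefined narrowing cast itself. */
static double x_height_unchecked(const FontInfo *fi, float f)
{
    uint32_t pr;
    if (get_font_property(fi, XA_X_HEIGHT, &pr))
        return (double)pr * f;
    return default_x_height(fi->ascent);
}

/* Does a computed metric fit in nscoord at all? */
static int fits_nscoord(double v)
{
    return v >= (double)INT32_MIN && v <= (double)INT32_MAX;
}

/* Post-fix behaviour: start from the default and override it only with a
 * property value that passed the sanity check. */
static nscoord x_height_checked(const FontInfo *fi, float f)
{
    nscoord xh = default_x_height(fi->ascent);
    uint32_t pr;
    if (get_sane_font_property(fi, XA_X_HEIGHT, &pr))
        xh = (nscoord)(pr * f);
    return xh;
}

/* Constructed sample fonts: one well-formed, one with the garbage X_HEIGHT. */
static const FontProp good_props[] = { { XA_X_HEIGHT, 8 } };
static const FontProp bad_props[]  = { { XA_X_HEIGHT, 0xfffffffe } };
static const FontInfo good_font = { good_props, 1, 180 };
static const FontInfo bad_font  = { bad_props,  1, 180 };

/* Assumed pixel-to-app-unit scale (f in the GTK code): 15 twips/pixel at 96 dpi. */
#define APP_UNITS_PER_PIXEL 15.0f

int main(void)
{
    double raw = x_height_unchecked(&bad_font, APP_UNITS_PER_PIXEL);
    printf("good font: unchecked=%.0f checked=%d\n",
           x_height_unchecked(&good_font, APP_UNITS_PER_PIXEL),
           x_height_checked(&good_font, APP_UNITS_PER_PIXEL));
    printf("bad font:  unchecked=%.0f (fits nscoord: %s) checked=%d\n",
           raw, fits_nscoord(raw) ? "yes" : "no",
           x_height_checked(&bad_font, APP_UNITS_PER_PIXEL));
    return 0;
}
```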
Marking nsbeta3+
Whiteboard: fix in hand → [nsbeta3+]fix in hand
Changing priority to P1
Priority: P3 → P1
Fix checked in (to GTK, Xlib, and Xprint).  To verify:

1) Get a Linux build
2) Add the naughty fonts to your path: xset +fp /u/pollmann/public/mozilla-fonts
3) Start up apprunner
4) Type http://tensingpen.com into the URL bar and press Enter

If you don't crash, the bug is fixed!

Thanks again Randell!
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Thanks.  Verified.
Status: RESOLVED → VERIFIED