Closed Bug 123881 Opened 23 years ago Closed 23 years ago

crash in font code

Categories

(Core :: Internationalization, defect, P2)

x86
Windows NT
defect

VERIFIED DUPLICATE of bug 120348

People

(Reporter: ftang, Assigned: shanjian)

Details

(Keywords: crash, intl)

Attachments

(1 file)

I hit this crash when I try to verify our GB18030 code
on both my local build and the 2002020515 build.
Will include stack trace.
Crash on my NT4J.
Severity: normal → critical
Keywords: crash, nsbeta1
Priority: -- → P2
Summary: crash in font code → crash in font code
2001110803 build is ok. So this is a regression
OK, the best way to reproduce this is:
1. visit http://warp.mcom.com/u/ftang/utf8test/gb18030.cgi?page=93
2. change the page number in the drop down from 93 to 94
Somehow I may not reproduce this if I go directly to
http://warp.mcom.com/u/ftang/utf8test/gb18030.cgi?page=94 or look at the attached
file.

here is the stack trace I got.

nsFontMetricsWin::FindGlobalFont(HDC__ * 0x360106ab, unsigned int 0x00000080) 
line 2314 + 335 bytes
nsFontMetricsWin::FindFont(HDC__ * 0x360106ab, unsigned int 0x00000080) line 
3109 + 22 bytes
nsFontMetricsWin::LocateFont(HDC__ * 0x360106ab, unsigned int 0x00000080, int & 
0x00000001) line 3452 + 16 bytes
nsFontMetricsWin::ResolveForwards(HDC__ * 0x360106ab, const unsigned short * 
0x0012b4fc, unsigned int 0x00000001, int (const nsFontSwitch *, const unsigned 
short *, unsigned int, void *)* 0x0234c5a0 do_GetTextDimensions(const 
nsFontSwitch *, const unsigned short *, unsigned int, void *), void * 
0x0012b164) line 3489 + 25 bytes
nsRenderingContextWin::GetTextDimensions(nsRenderingContextWin * const 
0x0568fea0, const unsigned short * 0x0012b4fc, unsigned int 0x00000001, 
nsTextDimensions & {...}, int * 0x00000000) line 2207
nsTextFrame::MeasureText(nsIPresContext * 0x0476e1d0, const nsHTMLReflowState & 
{...}, nsTextTransformer & {...}, nsILineBreaker * 0x050001c0, 
nsTextFrame::TextStyle & {...}, nsTextFrame::TextReflowData & {...}) line 4720
nsTextFrame::Reflow(nsTextFrame * const 0x03522844, nsIPresContext * 0x0476e1d0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 
0x00000000) line 5246 + 43 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x03522844, nsIFrame * * 0x0012c5ac, 
unsigned int & 0x00000000, nsHTMLReflowMetrics * 0x00000000, int & 0x00000000) 
line 1086 + 43 bytes
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineList_iterator {...}, nsIFrame * 0x03522844, unsigned char * 
0x0012b9b0) line 3734 + 29 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineList_iterator {...}, int * 0x0012c0dc, unsigned char * 0x0012bea0, 
int 0x00000000, int 0x00000000) line 3615 + 32 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, 
nsLineList_iterator {...}, int * 0x0012c0dc, unsigned char * 0x0012bea0, int 
0x00000000, int 0x00000000) line 3540 + 46 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator 
{...}, int * 0x0012c0dc, int 0x00000000, int 0x00000000) line 3484 + 36 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, 
int * 0x0012c0dc, int 0x00000000) line 2639 + 33 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2278 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0352278c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 844 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0352278c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x0000001e, int 0x0000001e, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x0352272c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 943
nsContainerFrame::ReflowChild(nsIFrame * 0x0352272c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x00000168, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
nsTableRowFrame::ReflowChildren(nsTableRowFrame * const 0x03539570, 
nsIPresContext * 0x0476e1d0, nsHTMLReflowMetrics & {...}, const 
nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0x00000000, int 
0x00000000) line 1037 + 45 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x03539570, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 1420 + 37 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03539570, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x00000000, int 0x00000159, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
nsTableRowGroupFrame::ReflowChildren(nsTableRowGroupFrame * const 0x05174d3c, 
nsIPresContext * 0x0476e1d0, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState 
& {...}, unsigned int & 0x00000000, nsTableRowFrame * 0x00000000, int 
0x00000000, nsTableRowFrame * * 0x00000000) line 450 + 45 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x05174d3c, 
nsIPresContext * 0x0476e1d0, nsHTMLReflowMetrics & {...}, const 
nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1152 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x05174d3c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x0000000f, int 0x0000002d, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
nsTableFrame::ReflowChildren(nsTableFrame * const 0x051f0098, nsIPresContext * 
0x0476e1d0, nsTableReflowState & {...}, int 0x00000001, int 0x00000000, unsigned 
int & 0x00000000, int * 0x00000000) line 3133 + 50 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x051f0098, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 1934
nsContainerFrame::ReflowChild(nsIFrame * 0x051f0098, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x00000000, int 0x00000000, unsigned int 0x00000003, unsigned int & 0x00000000) 
line 753 + 31 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x051efecc, 
nsIPresContext * 0x0476e1d0, nsIFrame * 0x051f0098, const nsHTMLReflowState & 
{...}, nsHTMLReflowMetrics & {...}, int * 0x00000000, nsSize & {...}, nsMargin & 
{...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_Initial, 
unsigned int & 0x00000000) line 978 + 47 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x051efecc, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 1561 + 72 bytes
nsBlockReflowContext::DoReflowBlock(nsHTMLReflowState & {...}, nsReflowReason 
eReflowReason_Initial, nsIFrame * 0x051efecc, const nsRect & {...}, int 
0x00000001, nsCollapsingMargin & {...}, int 0x00000000, nsMargin & {...}, 
unsigned int & 0x00000000) line 580 + 36 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x051efecc, const nsRect & {...}, 
int 0x00000001, nsCollapsingMargin & {...}, int 0x00000000, nsMargin & {...}, 
unsigned int & 0x00000000) line 356 + 50 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator 
{...}, int * 0x0012df34) line 3229 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, 
int * 0x0012df34, int 0x00000001) line 2501 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2278 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x05169bfc, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 844 + 15 bytes
nsBlockReflowContext::DoReflowBlock(nsHTMLReflowState & {...}, nsReflowReason 
eReflowReason_Incremental, nsIFrame * 0x05169bfc, const nsRect & {...}, int 
0x00000001, nsCollapsingMargin & {...}, int 0x00000001, nsMargin & {...}, 
unsigned int & 0x00000000) line 580 + 36 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x05169bfc, const nsRect & {...}, 
int 0x00000001, nsCollapsingMargin & {...}, int 0x00000001, nsMargin & {...}, 
unsigned int & 0x00000000) line 356 + 50 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator 
{...}, int * 0x0012ec30) line 3229 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, 
int * 0x0012ec30, int 0x00000001) line 2501 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2278 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0516991c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 844 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0516991c, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x051666ec, nsIPresContext * 0x0476e1d0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 
0x00000000) line 561
nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000, int 0x00000000, int 0x00000000, int 0x00003453, int 
0x000019aa, int 0x00000001) line 836
nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x05169880, 
nsBoxLayoutState & {...}) line 620 + 46 bytes
nsBox::Layout(nsBox * const 0x05169880, nsBoxLayoutState & {...}) line 1052
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x05166a84, nsBoxLayoutState 
& {...}) line 395
nsBox::Layout(nsBox * const 0x05166a84, nsBoxLayoutState & {...}) line 1052
nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x05166a84, 
const nsRect & {...}) line 646 + 16 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x05166a84, 
const nsRect & {...}) line 1071 + 17 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1226
nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x0516682c, nsBoxLayoutState 
& {...}) line 1079 + 15 bytes
nsBox::Layout(nsBox * const 0x0516682c, nsBoxLayoutState & {...}) line 1052
nsBoxFrame::Reflow(nsBoxFrame * const 0x051667f4, nsIPresContext * 0x0476e1d0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 
0x00000000) line 991
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x051667f4, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 786 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x051667f4, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) 
line 753 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x051666b0, nsIPresContext * 
0x0476e1d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0x00000000) line 574
nsHTMLReflowCommand::Dispatch(nsIPresContext * 0x0476e1d0, nsHTMLReflowMetrics & 
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 217
PresShell::ProcessReflowCommand(nsVoidArray & {...}, int 0x00000001, 
nsHTMLReflowMetrics & {...}, nsSize & {...}, nsIRenderingContext & {...}) line 
6188
PresShell::ProcessReflowCommands(int 0x00000001) line 6243
ReflowEvent::HandleEvent() line 6099
HandlePLEvent(ReflowEvent * 0x0564b1c0) line 6113
PL_HandleEvent(PLEvent * 0x0564b1c0) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a40ae0) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x060b04e2, unsigned int 0x0000c238, unsigned int 
0x00000000, long 0x00a40ae0) line 1071 + 9 bytes
USER32! 77e41186()

crash at the line "    if (CCMAP_HAS_CHAR_EXT(font->ccmap, c)) {" of the 
following

nsFontWin*
nsFontMetricsWin::FindGlobalFont(HDC aDC, PRUint32 c)
{
.....
    if (CCMAP_HAS_CHAR_EXT(font->ccmap, c)) {
      return LoadGlobalFont(aDC, font);
    }
  }
  return nsnull;
}

here c is 0x00000080
font name is "serif" (as ((*(nsStr*)(&((*this).mFont).name))).mUStr )
(*(((*this).mLoadedFonts).mImpl)).mCount is 6
font->name is Code2001
font->ccmap points to 0x05211754
and here is the memory dump of 0x05211754 (I dumped something before that too)

forgot to mention
font->flags	0x40000000
This is a dup of 120348. 

frank, could you review that one?

*** This bug has been marked as a duplicate of 120348 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
I saw some "a&b" instead of "a & b" pattern in that CCMAP_HAS_CHAR_EXT. Try to
see if that causes the issue.
Keywords: intl
QA Contact: ruixu → ylong
I'm marking this as verified as dup for now; will verify it after bug 120348
is checked in.
Status: RESOLVED → VERIFIED