190459 - crashes on startup in [@ DeviceContextImpl::GetMetricsFor]

Status: RESOLVED FIXED

(Core Graveyard :: GFX, defect)

Description

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Crashes in DeviceContextImpl::GetMetricsFor started appearing prominently in
talkback starting in 2003-01-22-10 builds.  Here's all the info I know:

DeviceContextImpl::GetMetricsFor   19 
BBID range: 16486438 - 16547554
Min/Max Seconds since last crash: 0 - 196
Min/Max Runtime: 0 - 198
Crash data range: 2003-01-22 to 2003-01-23
Build ID range: 2003012210 to 2003012315
Keyword List : 
Stack Trace: 

         DeviceContextImpl::GetMetricsFor      
[c:/builds/seamonkey/mozilla/gfx/src/nsDeviceContext.cpp  line 368]
         nsTextBoxFrame::GetTextSize   
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsTextBoxFrame.cpp  line 803]
         nsTextBoxFrame::CalcTextSize  
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsTextBoxFrame.cpp  line 825]
         nsTextBoxFrame::GetAscent     
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsTextBoxFrame.cpp  line 875]
         nsSprocketLayout::GetAscent   
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsSprocketLayout.cpp  line 1519]
         nsContainerBox::GetAscent     
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp  line 588]
         nsBoxFrame::GetAscent 
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp  line 992]
         nsSprocketLayout::GetAscent   
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsSprocketLayout.cpp  line 1519]
         nsContainerBox::GetAscent     
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp  line 588]
         nsBoxFrame::GetAscent 
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp  line 992]
         nsSprocketLayout::Layout      
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsSprocketLayout.cpp  line 243]
         nsContainerBox::DoLayout      
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp  line 605]
         nsBox::Layout 
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp  line 1074]
         nsStackLayout::Layout 
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsStackLayout.cpp  line 328]
         nsContainerBox::DoLayout      
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp  line 605]
         nsBox::Layout 
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp  line 1074]
         nsBoxFrame::Reflow    
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp  line 902]
         nsRootBoxFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp  line 241]
         nsContainerFrame::ReflowChild 
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp  line 974]
         ViewportFrame::Reflow 
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp  line 300]
         IncrementalReflow::Dispatch   
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 896]
         PresShell::ProcessReflowCommands      
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6489]
         PresShell::FlushPendingNotifications  
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 5072]
         nsXULDocument::FlushPendingNotifications      
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp  line 2441]
         nsXBLStreamListener::Load     
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLService.cpp  line 444]
         nsEventListenerManager::HandleEvent   
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp  line
1858]
         nsDocument::HandleDOMEvent    
[c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp  line 3515]
         nsXMLDocument::EndLoad
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLDocument.cpp  line 545]
         nsXMLContentSink::DidBuildModel       
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp  line
472]
         nsExpatDriver::DidBuildModel  
[c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp  line 972]
         nsParser::DidBuildModel       
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp  line 1284]
         nsParser::ResumeParse 
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp  line 1830]
         nsParser::OnStopRequest       
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp  line 2459]
         nsXBLStreamListener::OnStopRequest    
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLService.cpp  line 320]
         nsJARChannel::OnStopRequest   
[c:/builds/seamonkey/mozilla/netwerk/protocol/jar/src/nsJARChannel.cpp  line 638]
         nsCOMPtr_base::assign_with_AddRef     
[c:/builds/seamonkey/mozilla/xpcom/glue/nsCOMPtr.cpp  line 70]
         nsInputStreamPump::OnStateStop
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp  line 425]
         nsInputStreamPump::OnInputStreamReady 
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp  line 320]
         nsInputStreamReadyEvent::EventHandler 
[c:/builds/seamonkey/mozilla/xpcom/io/nsStreamUtils.cpp  line 183]
         PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c 
line 664]
         PL_ProcessPendingEvents       
[c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c  line 597]
         _md_EventReceiverProc 
[c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c  line 1386]
 
        Source File : c:/builds/seamonkey/mozilla/gfx/src/nsDeviceContext.cpp
line : 368
     (16543961) Comments: i was trying to download the nightly...it had some
problem with the windows entry point xp??.dll.  now mozilla browser doesn't
start  when i try to disable quick-start it crashed.
     (16540867) Comments: While starting the browser after the initial install
     (16486471) Comments: Startup.
     (16486438) Comments: Installing it.

Comment 1

[Randell Jesup [:jesup] (needinfo me)]

I suspected this is due to rbs's checkin to compact the font cache when Win32
GDI resources are low.
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/gfx/src&command=DIFF_FRAMESET&file=nsDeviceContext.cpp&rev2=3.83&rev1=3.82

I checked; memory-pressure only gets Notify'd from the UI thread, so that's not it.

I looked hard at the Compact() code and nsFontCache::GetMetricsFor() code, and
couldn't see anything.  I was suspecting the nsFontCache code was inlined, but
apparently it's a virtual method, so unless the compiler is being very
smart/tricky/stupid, that's not happening.

I don't see how it could be a null mFontCache in
nsDeviceContext::GetMetricsFor() (or any other sort of crash there unless
there's memory trashing).

We really need to be able to reproduce it.  Also, verification if it's really
windows-only (which would tend to point to the Compact() code).

Looking at Bonsai for other changes from the day before this started might help.

 

Comment 2

[rbs]

> Looking at Bonsai for other changes from the day before this started might help.

Yep indeed. Seems a recent regression while Compact() has been pretty safe for
over a year. In fact, it is precisely meant to help low-memory situations, and
seem to have withstand m1.0/Nav7.0 quite well.

Comment 3

[Jay Patel [:jay]]

Adding crash, regression keywords and making this zt4newcrash.  This crash
started with 1/22 Trunk builds.  We need to find a fix or identify the checkin
that caused this and back it out if possible.

This is a Windows only crash according to Talkback data.

Here's another slightly different stack with the same stack signature:
DeviceContextImpl::GetMetricsFor
[c:/builds/seamonkey/mozilla/gfx/src/nsDeviceContext.cpp  line 344] 
	 ComputeLineHeight
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLReflowState.cpp  line 2373] 
	 nsHTMLReflowState::CalcLineHeight
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLReflowState.cpp  line 2411] 
	 nsBlockReflowState::nsBlockReflowState
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp  line 182] 
	 nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp  line 816] 
	 nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp  line 974] 
	 CanvasFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLFrame.cpp  line 590] 
	 nsBoxToBlockAdaptor::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp  line 906] 
	 nsBoxToBlockAdaptor::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp  line 648] 
	 nsBox::Layout	[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp  line
1074] 
	 nsScrollBoxFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp  line 361] 
	 nsBox::Layout	[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp  line
1074] 
	 nsContainerBox::LayoutChildAt
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp  line 647] 
	 nsGfxScrollFrameInner::LayoutBox
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp  line 1154] 
	 nsGfxScrollFrameInner::Layout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp  line 1313] 
	 nsGfxScrollFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp  line 1162] 
	 nsBox::Layout	[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp  line
1074] 
	 nsBoxFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp  line 902] 
	 nsGfxScrollFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp  line 848] 
	 nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp  line 974] 
	 ViewportFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp  line 300] 
	 PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 2796] 
	 HTMLContentSink::StartLayout
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp 
line 4191] 
	 HTMLContentSink::OpenBody
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp 
line 3233] 
	 CNavDTD::OpenBody	[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp 
line 3147] 
	 CNavDTD::OpenContainer	[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp
 line 3379] 
	 CNavDTD::HandleDefaultStartToken
[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp  line 1391] 
	 CNavDTD::HandleStartToken
[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp  line 1779] 
	 CNavDTD::HandleToken	[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp 
line 953] 
	 CNavDTD::BuildModel	[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp 
line 528] 
	 nsParser::BuildModel	[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp
 line 1909] 
	 nsParser::ResumeParse	[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp
 line 1773] 
	 nsParser::OnDataAvailable
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp  line 2409] 
	 nsDocumentOpenInfo::OnDataAvailable
[c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp  line 245] 
	 nsInputStreamChannel::OnDataAvailable
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamChannel.cpp  line 371] 
	 nsInputStreamPump::OnStateTransfer
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp  line 388] 
	 nsInputStreamPump::OnInputStreamReady
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp  line 317] 
	 nsInputStreamReadyEvent::EventHandler
[c:/builds/seamonkey/mozilla/xpcom/io/nsStreamUtils.cpp  line 102] 
	 PL_HandleEvent	[c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c  line 664] 
	 PL_ProcessPendingEvents	[c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c 
line 597] 
	 _md_TimerProc	[c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c  line 965] 
	 KERNEL32.DLL + 0x2317 (0xbff72317)   
 
     (16571064)	Comments: Sames as failure just submitted from same
address--this was onlaunch _without_  AdSubtract running. Must revert to
previous stable release I guess.
     (16570838)	Comments: First launch after d/l newest build.  Tried without
AdSubtract running and then with--same error.  I am not using Mozilla
QuickStart.    MOZILLA caused an invalid page fault in  module GKGFX.DLL at
017f:61e829bf.  Registers:  EAX=00835eb0 CS=017f
     (16570838)	Comments:  EIP=61e829bf EFLGS=00010202  EBX=01ee9f50 SS=0187
ESP=0065ec34 EBP=0065ec40  ECX=0083c7c0 DS=0187 ESI=00000000 FS=1a97 
EDX=00000002 ES=0187 EDI=01ee9f2c GS=0000  Bytes at CS:EIP:  8b 0e 50 ff 75 0c
56 ff 51 0c 5e 5d c2 10 00 55   Stack dump:  0065ec84
     (16570838)	Comments:  0083a500 00000001 0065ec74 614f68c3 0083a500 01ee9f54
00835eb0 0065ec84 008576c0 ffffffff 00000000 01ee9f50 01ed8a94 0083a500 00835eb0 
     (16565568)	Comments: opening for the first time after install  

Comment 4

[Jay Patel [:jay]]

Attachment: Recent DeviceContextImpl::GetMetricsFor crashes on the Trunk

Here's all the Talkback data we have for this crash since 1/22.

Comment 5

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

It might be useful to see registers and disassembly.

Comment 6

[Jay Patel [:jay]]

Here ya go David (from incident 16612388):

x86 Registers:
EAX:	024ffce0 	EBX:	024ecc40 	ECX:	024ed1d0 	EDX:	81972250
ESI:	00000000 	EDI:	01445718 	ESP:	0065e930 	EBP:	0065e944
EIP:	61e62a1f 	cf pf af zf sf of IF df nt RF vm   IOPL: 0
CS:	015f	DS:	0167	SS:	0167	ES:	0167	FS:	0ff7	GS:	0000
Code Around the PC:
61e62a1f 8b0e             mov     ecx,[esi]
61e62a21 56               push    esi
61e62a22 ff510c           call    dword ptr [ecx+0xc]
61e62a25 5e               pop     esi
61e62a26 5d               pop     ebp
61e62a27 c20c00           ret     0xc
61e62a2a d9442408         fld     dword ptr [esp+0x8]
61e62a2e 8b442404         mov     eax,[esp+0x4]
61e62a32 d9582c           fstp    dword ptr [eax+0x2c]
61e62a35 33c0             xor     eax,eax
61e62a37 c20800           ret     0x8
61e62a3a 8b442404         mov     eax,[esp+0x4]
61e62a3e d99915cbbaef     fstp    dword ptr [ecx+0xefbacb15]

Comment 7

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

That shows |mFontCache| is null.

Comment 8

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

The range of checkins is
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=MozillaTinderboxAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2003-01-21+08%3A00&maxdate=2003-01-22+10%3A00&cvsroot=%2Fcvsroot

I wonder if this could somehow be related to the GRE installer or the gfx file
reorganization.

Comment 9

[Sean Su]

I'm able to reproduce this bug.  It's caused by the GRE patch landing on 01/22.
 Bug 190144 will fix this problem.

Comment 10

[Sean Su]

mine now.

Comment 11

[Sean Su]

bug 190144 is now fixed.  closing this bug as fixed. if people are still seeing
this bug, please reopen.