Crash on scrolling page by line. Not if done by page up/down.

RESOLVED EXPIRED

Status

Core Graveyard
GFX: Gtk
--
critical
RESOLVED EXPIRED
14 years ago
4 years ago

People

(Reporter: Eric Andresen, Assigned: blizzard)

Tracking

({crash})

Trunk
x86
Linux
crash

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

14 years ago
User-Agent:       
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124

In the page located at: http://www.palminfocenter.com/view_story.asp?ID=6547

The page loads and displays correctly, but if you scroll down using the cursor
keys or mouse wheel, Mozilla will crash right around the display of the first ad
under the article text. It does not always crash in the same exact position.
If you use the Page Up or Down keys, you can view the entire page with no
problems and no missing content.


Reproducible: Always
Steps to Reproduce:
1. Go to http://www.palminfocenter.com/view_story.asp?ID=6547
2. Let page load.
3. Scroll down using cursor keys.
4. Watch mozilla crash after you pass the article text.

Actual Results:  
Mozilla crashed.

Expected Results:  
Page scrolled down to comments section.

Distribution: Fedora Core 1
RPM version of Mozilla 1.6 from DAG (http://dag.wieers.com/)
Is this an xft build (check about:buildconfig)?  I'm not seeing any crashes with
a current trunk CVS linux build...
(Reporter)

Comment 2

14 years ago
Scrolling worked correctly with a fresh CVS build with the same configure
options as the rpm versi
on was, minus the disabling of debug and symbol stripping:
--program-prefix= --prefix=/local --libdir=/local/lib --mandir=/local/share/man
--with-default-moz
illa-five-home=/local/lib/mozilla-1.6 '--enable-optimize=-O2\ -march=i386\
-mcpu=i686' --enable-xi
nerama --enable-calendar --disable-short-wchar --disable-xprint
--enable-nspr-autoconf --enable-ex
tensions=default,irc --without-mng --enable-crypto --without-system-nspr
--with-system-zlib --enab
le-default-toolkit=gtk2 --enable-xft --disable-freetype2

However, attempting to highligh the same section of the page that scrolling
previously crashed on,
 caused the following:

------- START PASTE ---------
CSS Error
(http://pagead2.googlesyndication.com/pagead/ads?client=ca-tribalfusion_2_120x600&ca&for
mat=120x600_new&random=1077668546672&hl=en&url=http%3A//www.palminfocenter.com/view_story.asp%3FID
%3D6547 :2.31): Error in parsing value for property 'cursor'.  Declaration dropped.
CSS Error
(http://pagead2.googlesyndication.com/pagead/ads?client=ca-tribalfusion_2_120x600&ca&for
mat=120x600_new&random=1077668546672&hl=en&url=http%3A//www.palminfocenter.com/view_story.asp%3FID
%3D6547 :2.72): Selector expected.  Ruleset ignored due to bad selector.
CSS Error
(http://pagead2.googlesyndication.com/pagead/ads?client=ca-tribalfusion_2_120x600&ca&for
mat=120x600_new&random=1077668546672&hl=en&url=http%3A//www.palminfocenter.com/view_story.asp%3FID
%3D6547 :2.75): Unexpected end of file while searching for closing } of invalid
rule set.
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(result)) failed, file nsHTMLTokens.cpp,
line 319
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(result)) failed, file nsHTMLTokenizer.cpp,
line 819
Document http://www.palminfocenter.com/view_story.asp?ID=6547 loaded successfully
--DOMWINDOW == 4
###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceC
ontext.cpp, line 668
Break: at file nsDeviceContext.cpp, line 668

Program ./mozilla-bin (pid = 17496) received signal 11.
Stack:
_ZN13nsProfileLock18FatalSignalHandlerEi+0x0000006C
[/scratch/tmp/mozilla/dist/bin/components/libp
rofile.so +0x0002B6EC]
UNKNOWN [/lib/i686/libpthread.so.0 +0x0000BD66]
UNKNOWN [/lib/i686/libc.so.6 +0x00028868]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x00362F71]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x00363794]
_ZN7nsFrame30GetNextPrevLineFromeBlockFrameEP14nsIPresContextP18nsPeekOffsetStructP8nsIFrameia+0x0
0000B37 [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x002ED627]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x002D3441]
_ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus+0x000001DE
[/scratch/tmp/mo
zilla/dist/bin/components/libgklayout.so +0x0034A42E]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x003499FD]
_ZN13nsViewManager11HandleEventEP6nsViewP10nsGUIEventi+0x000004FD
[/scratch/tmp/mozilla/dist/bin/c
omponents/libgklayout.so +0x006FFD4D]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x006FF0FA]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libgklayout.so +0x006F565B]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libwidget_gtk2.so +0x00032BA6]
_ZN8nsWindow19OnMotionNotifyEventEP10_GtkWidgetP15_GdkEventMotion+0x0000012E
[/scratch/tmp/mozilla
/dist/bin/components/libwidget_gtk2.so +0x0002485E]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libwidget_gtk2.so +0x00028DCE]
_gtk_marshal_BOOLEAN__BOXED+0x000000B4 [/usr/lib/libgtk-x11-2.0.so.0 +0x000D30F4]
g_closure_invoke+0x000000B0 [/usr/lib/libgobject-2.0.so.0 +0x00008CB0]
UNKNOWN [/usr/lib/libgobject-2.0.so.0 +0x0001ABBF]
g_signal_emit_valist+0x0000045D [/usr/lib/libgobject-2.0.so.0 +0x00019A0D]
g_signal_emit+0x00000034 [/usr/lib/libgobject-2.0.so.0 +0x00019E74]
UNKNOWN [/usr/lib/libgtk-x11-2.0.so.0 +0x001B5B65]
gtk_propagate_event+0x000000C7 [/usr/lib/libgtk-x11-2.0.so.0 +0x000D2EB7]
gtk_main_do_event+0x00000216 [/usr/lib/libgtk-x11-2.0.so.0 +0x000D1C16]
UNKNOWN [/usr/lib/libgdk-x11-2.0.so.0 +0x0003E895]
UNKNOWN [/usr/lib/libglib-2.0.so.0 +0x00021FDD]
g_main_context_dispatch+0x00000098 [/usr/lib/libglib-2.0.so.0 +0x00022FD8]
UNKNOWN [/usr/lib/libglib-2.0.so.0 +0x000232EF]
g_main_loop_run+0x0000017F [/usr/lib/libglib-2.0.so.0 +0x000239CF]
gtk_main+0x000000BF [/usr/lib/libgtk-x11-2.0.so.0 +0x000D144F]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libwidget_gtk2.so +0x00030372]
UNKNOWN [/scratch/tmp/mozilla/dist/bin/components/libnsappshell.so +0x000425FA]
UNKNOWN [./mozilla-bin +0x00019D90]
main+0x000001A1 [./mozilla-bin +0x0001AB51]
__libc_start_main+0x000000BF [/lib/i686/libc.so.6 +0x00015B7F]
Sleeping for 5 minutes.
Type 'gdb ./mozilla-bin 17496' to attach your debugger to this thread.
------- END PASTE ---------

Of course the 'UNKNOWN's here are unhelpful, so here's the same thing again done
through gdb:

------- START PASTE ---------
Document http://www.palminfocenter.com/view_story.asp?ID=6547 loaded successfully
###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceC
ontext.cpp, line 668
Break: at file nsDeviceContext.cpp, line 668

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 17763)]
0x41339a77 in TextStyle (this=0xbfffd350, aPresContext=0x881f350,
aRenderingContext=@0x87b4390, sc
=0x88decf8) at nsTextFrame.cpp:547
547        mNormalFont->GetSpaceWidth(mSpaceWidth);
(gdb) bt
#0  0x41339a77 in TextStyle (this=0xbfffd350, aPresContext=0x881f350,
aRenderingContext=@0x87b4390
, sc=0x88decf8) at nsTextFrame.cpp:547
#1  0x41332f71 in nsTextFrame::GetPosition(nsIPresContext*, nsPoint const&,
nsIContent**, int&, in
t&) (this=0x88ded24, aCX=0x881f350, aPoint=@0xbfffd400,
    aNewContent=0xbfffd6d4, aContentOffset=@0xbfffd6d8,
aContentOffsetEnd=@0xbfffd6dc) at nsTextFr
ame.cpp:3368
#2  0x41333794 in nsTextFrame::GetContentAndOffsetsFromPoint(nsIPresContext*,
nsPoint const&, nsIC
ontent**, int&, int&, int&) (this=0x88ded24, aCX=0x0,
    aPoint=@0xbfffd5c0, aNewContent=0xbfffd6d4, aContentOffset=@0xbfffd6d8,
aContentOffsetEnd=@0xb
fffd6dc, aBeginFrameContent=@0xbfffd6e8)
    at nsTextFrame.cpp:3527
#3  0x412bd627 in nsFrame::GetNextPrevLineFromeBlockFrame(nsIPresContext*,
nsPeekOffsetStruct*, ns
IFrame*, int, signed char) (aPresContext=0x881f350,
    aPos=0xbfffd6c0, aBlockFrame=0x88dea60, aLineStart=-1, aOutSideLimit=0 '\0')
at nsFrame.cpp:32
87
#4  0x412a3441 in nsBlockFrame::HandleEvent(nsIPresContext*, nsGUIEvent*,
nsEventStatus*) (this=0x
88dea60, aPresContext=0x881f350, aEvent=0xbfffdc60,
    aEventStatus=0xbfffda3c) at nsBlockFrame.cpp:5568
#5  0x4131a42e in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned,
nsEventStatus*) (th
is=0x8823c70, aEvent=0xbfffdc60, aView=0x885e848,
    aFlags=513, aStatus=0xbfffda3c) at nsPresShell.cpp:6081
#6  0x413199fd in PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus*,
int, int&) (this=0
x8823c70, aView=0x885e848, aEvent=0xbfffdc60,
    aEventStatus=0xbfffda3c, aForceHandle=1, aHandled=@0xbfffda40) at
nsPresShell.cpp:5929
#7  0x416cfd4d in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int)
(this=0x881f678, aView=0x8
85e848, aEvent=0xbfffdc60, aCaptured=0)
    at nsViewManager.cpp:2299
#8  0x416cf0fa in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*)
(this=0x881f678, aEven
t=0xbfffdc60, aStatus=0xbfffdc0c)
    at nsViewManager.cpp:2039
#9  0x416c565b in HandleEvent (aEvent=0xbfffdc60) at nsView.cpp:76
#10 0x41ccfba6 in nsCommonWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&)
(this=0x885e5c8, aEve
nt=0xbfffdc60, aStatus=@0xbfffdc5c)
    at nsCommonWidget.cpp:214
#11 0x41cc185e in nsWindow::OnMotionNotifyEvent(_GtkWidget*, _GdkEventMotion*)
(this=0x885e5c8, aW
idget=0x81ee978, aEvent=0x42c13490) at nsWindow.cpp:1333
#12 0x41cc5dce in motion_notify_event_cb (widget=0x0, event=0x42c13490) at
nsWindow.cpp:3215
#13 0x402330f4 in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#14 0x404b2cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#15 0x404c4bbf in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#16 0x404c3a0d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
(gdb) p mNormalFont
$2 = (class nsIFontMetrics *) 0x0
------- END PASTE ---------

Of course, I'm not sure if this is the same problem as the one in the RPM build.

-- Eric Andresen
(Reporter)

Comment 3

14 years ago
I've found another URI that causes a similar backtrace..
http://opensource.theopalgroup.com/files/db_row.py.html
This one crashes immediately on load for both Mozilla 1.6 and the same CVS build
as used f
or the above.

Here's the backtrace:

###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceContext.cpp, line 668
Break: at file nsDeviceContext.cpp, line 668

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 21920)]
0x41339a77 in TextStyle (this=0xbfffa530, aPresContext=0x875fa38,
aRenderingContext=@0x826
59a0, sc=0x87bb030) at nsTextFrame.cpp:547
547           mNormalFont->GetSpaceWidth(mSpaceWidth);
(gdb) bt
#0  0x41339a77 in TextStyle (this=0xbfffa530, aPresContext=0x875fa38,
aRenderingContext=@0x82659a0, sc=0x87bb030) at nsTextFrame.cpp:547
#1  0x41336d8f in nsTextFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87bb05c, aPresContext=0x875fa38,
    aMetrics=@0xbfffa670, aReflowState=@0xbfffa6c0, aStatus=@0xbfffaea0) at
nsTextFrame.cpp:5217
#2  0x412eea87 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned&,
nsHTMLReflowMetrics*, int&) (this=0xbfffafa0, aFrame=0x87bb05c,
    aReflowStatus=@0xbfffaea0, aMetrics=0x0, aPushedFrame=@0xbfffa7d8) at
nsLineLayout.cpp:996
#3  0x412e8ba8 in nsInlineFrame::ReflowInlineFrame(nsIPresContext*,
nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned&) (
    this=0x87baff8, aPresContext=0x875fa38, aReflowState=@0x0, irs=@0xbfffa8c0,
aFrame=0x87bb05c, aStatus=@0xbfffaea0) at nsInlineFrame.cpp:709
#4  0x412e8633 in nsInlineFrame::ReflowFrames(nsIPresContext*, nsHTMLReflowState
const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned&)
(this=0x87baff8, aPresContext=0x875fa38, aReflowState=@0xbfffaa10,
irs=@0xbfffa8c0, aMetrics=@0xbfffa9c0, aStatus=@0xbfffaea0) at nsInlineFrame.cpp:529
#5  0x412e838e in nsInlineFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87baff8,
    aPresContext=0x875fa38, aMetrics=@0xbfffa9c0, aReflowState=@0xbfffaa10,
aStatus=@0xbfffaea0) at nsInlineFrame.cpp:438
#6  0x412eea87 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned&,
nsHTMLReflowMetrics*, int&) (this=0xbfffafa0, aFrame=0x87baff8,
    aReflowStatus=@0xbfffaea0, aMetrics=0x0, aPushedFrame=@0xbfffab28) at
nsLineLayout.cpp:996
#7  0x412e8ba8 in nsInlineFrame::ReflowInlineFrame(nsIPresContext*,
nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned&) (
    this=0x87baf0c, aPresContext=0x875fa38, aReflowState=@0x0, irs=@0xbfffac10,
aFrame=0x87baff8, aStatus=@0xbfffaea0) at nsInlineFrame.cpp:709
#8  0x412e8633 in nsInlineFrame::ReflowFrames(nsIPresContext*, nsHTMLReflowState
const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsign
ed&) (this=0x87baf0c, aPresContext=0x875fa38, aReflowState=@0xbfffad60,
irs=@0xbfffac10, aMetrics=@0xbfffad10, aStatus=@0xbfffaea0) at nsInlineFrame.cpp
:529
#9  0x412e838e in nsInlineFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87baf0c,
    aPresContext=0x875fa38, aMetrics=@0xbfffad10, aReflowState=@0xbfffad60,
aStatus=@0xbfffaea0) at nsInlineFrame.cpp:438
#10 0x412eea87 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned&,
nsHTMLReflowMetrics*, int&) (this=0xbfffafa0, aFrame=0x87baf0c,
    aReflowStatus=@0xbfffaea0, aMetrics=0x0, aPushedFrame=@0xbfffaea4) at
nsLineLayout.cpp:996
#11 0x4129ea22 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,
nsLineLayout&, nsLineList_iterator, nsIFrame*, unsigned char*) (this=0x87bae1c,
    aState=@0xbfffb960, aLineLayout=@0xbfffafa0, aLine={mCurrent = 0x87bb1f4,
mListLink = 0x87bae58}, aFrame=0x87baf0c, aLineReflowStatus=0xbfffaf2f "")
    at nsBlockFrame.cpp:3552
#12 0x4129e5b0 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&,
nsLineLayout&, nsLineList_iterator, int*, unsigned char*, int, int) (
    this=0x87bae1c, aState=@0xbfffb960, aLineLayout=@0xbfffafa0, aLine={mCurrent
= 0x87bb1f4, mListLink = 0x87bae58}, aKeepReflowGoing=0xbfffb604,
    aLineReflowStatus=0x0, aUpdateMaximumWidth=0, aDamageDirtyArea=0) at
nsBlockFrame.cpp:3419
#13 0x4129e2da in nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState&,
nsLineList_iterator, int*, unsigned char*, int, int) (this=0x0,
    aState=@0xbfffb960, aKeepReflowGoing=0x0, aLineReflowStatus=0x0,
aUpdateMaximumWidth=0, aDamageDirtyArea=0) at nsBlockFrame.cpp:3319
#14 0x4129e10c in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&,
nsLineList_iterator, int*, int, int) (this=0x87bae1c, aState=@0xbfffb960,
    aKeepReflowGoing=0xbfffb604, aDamageDirtyArea=0, aUpdateMaximumWidth=0) at
nsBlockFrame.cpp:3263
#15 0x4129c16a in nsBlockFrame::ReflowLine(nsBlockReflowState&,
nsLineList_iterator, int*, int) (this=0x87bae1c, aState=@0xbfffb960, aLine=
      {mCurrent = 0x87bb1f4, mListLink = 0x87bae58},
aKeepReflowGoing=0xbfffb604, aDamageDirtyArea=0) at nsBlockFrame.cpp:2422
#16 0x4129b09c in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)
(this=0x87bae1c, aState=@0xbfffb960) at nsBlockFrame.cpp:2071
#17 0x41298083 in nsBlockFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87bae1c,
    aPresContext=0x875fa38, aMetrics=@0xbfffbed4, aReflowState=@0xbfffbdc0,
aStatus=@0xbfffbcdc) at nsBlockFrame.cpp:789
#18 0x412a9ad0 in nsBlockReflowContext::ReflowBlock(nsRect const&, int,
nsCollapsingMargin&, int, nsMargin&, nsHTMLReflowState&, unsigned&) (
    this=0xbfffbe90, aSpace=@0x0, aApplyTopMargin=0,
aPrevBottomMargin=@0xbfffc4b4, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffbd90,
    aFrameRS=@0xbfffbdc0, aFrameReflowStatus=@0xbfffbcdc) at
nsBlockReflowContext.cpp:546
#19 0x4129d727 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&,
nsLineList_iterator, int*) (this=0x87ba89c, aState=@0xbfffc450, aLine=
      {mCurrent = 0x87bb224, mListLink = 0x87ba8d8},
aKeepReflowGoing=0xbfffc0f4) at nsBlockFrame.cpp:3041
#20 0x4129be63 in nsBlockFrame::ReflowLine(nsBlockReflowState&,
nsLineList_iterator, int*, int) (this=0x87ba89c, aState=@0xbfffc450, aLine=
      {mCurrent = 0x87bb224, mListLink = 0x87ba8d8},
aKeepReflowGoing=0xbfffc0f4, aDamageDirtyArea=1) at nsBlockFrame.cpp:2286
#21 0x4129b09c in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)
(this=0x87ba89c, aState=@0xbfffc450) at nsBlockFrame.cpp:2071
#22 0x41298083 in nsBlockFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87ba89c,
    aPresContext=0x875fa38, aMetrics=@0xbfffc9c4, aReflowState=@0xbfffc8b0,
aStatus=@0xbfffc7cc) at nsBlockFrame.cpp:789
#23 0x412a9ad0 in nsBlockReflowContext::ReflowBlock(nsRect const&, int,
nsCollapsingMargin&, int, nsMargin&, nsHTMLReflowState&, unsigned&) (
    this=0xbfffc980, aSpace=@0x0, aApplyTopMargin=1,
aPrevBottomMargin=@0xbfffcfa4, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffc880,
    aFrameRS=@0xbfffc8b0, aFrameReflowStatus=@0xbfffc7cc) at
nsBlockReflowContext.cpp:546
#24 0x4129d727 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&,
nsLineList_iterator, int*) (this=0x87b940c, aState=@0xbfffcf40, aLine=
      {mCurrent = 0x87ba8f0, mListLink = 0x87b9448},
aKeepReflowGoing=0xbfffcbe4) at nsBlockFrame.cpp:3041
#25 0x4129be63 in nsBlockFrame::ReflowLine(nsBlockReflowState&,
nsLineList_iterator, int*, int) (this=0x87b940c, aState=@0xbfffcf40, aLine=
      {mCurrent = 0x87ba8f0, mListLink = 0x87b9448},
aKeepReflowGoing=0xbfffcbe4, aDamageDirtyArea=1) at nsBlockFrame.cpp:2286
#26 0x4129b09c in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&)
(this=0x87b940c, aState=@0xbfffcf40) at nsBlockFrame.cpp:2071
#27 0x41298083 in nsBlockFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x87b940c,
    aPresContext=0x875fa38, aMetrics=@0xbfffd350, aReflowState=@0xbfffd290,
aStatus=@0xbfffd5dc) at nsBlockFrame.cpp:789
#28 0x412b37c7 in nsContainerFrame::ReflowChild(nsIFrame*, nsIPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned
&)
    (this=0x84c8528, aKidFrame=0x87b940c, aPresContext=0x875fa38,
aDesiredSize=@0x0, aReflowState=@0xbfffd290, aX=0, aY=0, aFlags=0,
aStatus=@0xbfffd5dc
)
    at nsContainerFrame.cpp:934
#29 0x412d40c2 in CanvasFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x84c8528, aPresContext=0x875fa3
8,
    aDesiredSize=@0xbfffd5f0, aReflowState=@0xbfffd490, aStatus=@0xbfffd5dc) at
nsHTMLFrame.cpp:559
#30 0x413e5446 in nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState&,
nsIPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&, int,
int, i
nt, int, int) (this=0x87b937c, aState=@0xbfffdb50, aPresContext=0x875fa38,
aDesiredSize=@0xbfffd5f0, aReflowState=@0xbfffdd10, aStatus=@0xbfffd5dc, aX=0
,
    aY=0, aWidth=19020, aHeight=12210, aMoveFrame=1) at nsBoxToBlockAdaptor.cpp:878
#31 0x413e4fb1 in nsBoxToBlockAdaptor::DoLayout(nsBoxLayoutState&)
(this=0x87b937c, aState=@0xbfffdb50) at nsBoxToBlockAdaptor.cpp:625
#32 0x413dc290 in nsBox::Layout(nsBoxLayoutState&) (this=0x87b937c,
aState=@0xbfffdb50) at nsBox.cpp:992
#33 0x413d7806 in nsScrollBoxFrame::DoLayout(nsBoxLayoutState&) (this=0x84c88b8,
aState=@0xbfffdb50) at nsScrollBoxFrame.cpp:335
#34 0x413dc290 in nsBox::Layout(nsBoxLayoutState&) (this=0x84c88f0,
aState=@0xbfffdb50) at nsBox.cpp:992
#35 0x413e7535 in nsContainerBox::LayoutChildAt(nsBoxLayoutState&, nsIBox*,
nsRect const&) (aState=@0xbfffdb50, aBox=0x84c88f0, aRect=@0xbfffd9e0)
    at nsContainerBox.cpp:650
#36 0x412cf3fd in nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState&, nsIBox*,
nsRect const&) (this=0x87b16d0, aState=@0x0, aBox=0x0, aRect=@0x0)
    at nsGfxScrollFrame.cpp:1205
#37 0x412cf738 in nsGfxScrollFrameInner::Layout(nsBoxLayoutState&)
(this=0x87b16d0, aState=@0xbfffdb50) at nsGfxScrollFrame.cpp:1352
#38 0x412cf45b in nsGfxScrollFrame::DoLayout(nsBoxLayoutState&) (this=0x84c87a8,
aState=@0xbfffdb50) at nsGfxScrollFrame.cpp:1213
#39 0x413dc290 in nsBox::Layout(nsBoxLayoutState&) (this=0x84c87e0,
aState=@0xbfffdb50) at nsBox.cpp:992
#40 0x413dfc07 in nsBoxFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x84c87a8, aPresContext=0xbfffdaf
0,
    aDesiredSize=@0xbfffdde0, aReflowState=@0xbfffdd10, aStatus=@0xbfffdec8) at
nsBoxFrame.cpp:865
#41 0x412ce509 in nsGfxScrollFrame::Reflow(nsIPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) (this=0x84c87a8,
    aPresContext=0x875fa38, aDesiredSize=@0xbfffdde0, aReflowState=@0xbfffdd10,
aStatus=@0xbfffdec8) at nsGfxScrollFrame.cpp:823
#42 0x412b37c7 in nsContainerFrame::ReflowChild(nsIFrame*, nsIPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned
&)
    (this=0x84c842c, aKidFrame=0x84c87a8, aPresContext=0x875fa38,
aDesiredSize=@0x0, aReflowState=@0xbfffdd10, aX=0, aY=0, aFlags=0,
aStatus=@0xbfffdec8
)
    at nsContainerFrame.cpp:934
#43 0x4133e810 in ViewportFrame::Reflow(nsIPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) (this=0x84c842c,
    aPresContext=0x875fa38, aDesiredSize=@0xbfffe060, aReflowState=@0xbfffded0,
aStatus=@0xbfffdec8) at nsViewportFrame.cpp:247
#44 0x4130c0f8 in IncrementalReflow::Dispatch(nsIPresContext*,
nsHTMLReflowMetrics&, nsSize const&, nsIRenderingContext&) (this=0xbfffe020,
    aPresContext=0x875fa38, aDesiredSize=@0xbfffe060, aMaxSize=@0xbfffe050,
aRendContext=@0x82659a0) at nsPresShell.cpp:892
#45 0x4131b09b in PresShell::ProcessReflowCommands(int) (this=0x826d7b0,
aInterruptible=1) at nsPresShell.cpp:6364
#46 0x41326005 in ReflowEvent::HandleEvent() (this=0x87c23c0) at
nsPresShell.cpp:6190
#47 0x4131aa2f in HandlePLEvent (aEvent=0x0) at nsPresShell.cpp:6206
#48 0x40c0660c in PL_HandleEvent (self=0x87c23c0) at plevent.c:671
#49 0x40c064c9 in PL_ProcessPendingEvents (self=0x810e940) at plevent.c:606
#50 0x40c0950b in nsEventQueueImpl::ProcessPendingEvents() (this=0x80ea6d0) at
nsEventQueue.cpp:391
#51 0x41dccd35 in event_processor_callback (source=0x8279060, condition=G_IO_IN,
data=0x0) at nsAppShell.cpp:67
#52 0x40523ccf in g_vsnprintf () from /usr/lib/libglib-2.0.so.0
#53 0x40502fdd in unblock_source () from /usr/lib/libglib-2.0.so.0
#54 0x40503fd8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#55 0x405042ef in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#56 0x405049cf in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#57 0x4023144f in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#58 0x08265940 in ?? ()
#59 0x08153624 in ?? ()
#60 0x08153618 in ?? ()
#61 0xbfffe358 in ?? ()
#62 0x08265940 in ?? ()

-- Eric Andresen

Comment 4

14 years ago
looks like a dupe of bug 180309

do you have any FON fonts (microsoft) in your font path? (try removing them)
Blocks: 198955
Whiteboard: DUPEME
(Reporter)

Comment 5

14 years ago
No FON files at all. We do have TTF microsoft fonts in the path, though.

[root@bosporos /]# find . -iname '*.fon' -xdev
[root@bosporos /]# 

Comment 6

14 years ago
WORKSFORME with linux trunk CVS/gtk2/xft.

can you construct a testcase (starting from
http://opensource.theopalgroup.com/files/db_row.py.html would probably be
easiest)?  just download the page, remove parts of the page and retest.  remove
everything that isn't needed to crash.
Keywords: crash
(Reporter)

Comment 7

14 years ago
It would appear that the culprit tag is <font face="Lucida,Courier New">.
Removing the "Lucida," portion makes the page load fine.

On that note, I did a few searches for fonts/files with [Ll]ucida in their name,
and came up with nothing that should be in my fonts path (only Java jre hits).
The font is available through xfontsel, however. It looks like it is, however, a
standard XFree86 font, in both the 100dpi and 75dpi varieties (pcf). The font
works fine in other applications.

-- Eric Andresen
(Reporter)

Comment 8

14 years ago
On the first page reported, highlighting the areas that use the following tag:
<font face="Tahoma, Lucida, Helvetica" size="+2">

cause the crash as well. Low and behold, Lucida. (I don't have Tahoma, so Lucida
would be first up.)

-- Eric Andresen

Comment 9

14 years ago
lucida and tahoma are both MS Windows truetype (not .fon) fonts.  Your
Xft-Mozilla will not use your bitmap fonts AFAIK and fallback to a different
font unless it can find your windows fonts.
(Reporter)

Comment 10

14 years ago
Well, as I mentioned, I do not have Tahoma. Lucida, I do not have in a .ttf at
all, either. Thus it should simply fall back to the next choice by what you're
saying, which it appears not to be doing.

Comment 11

14 years ago
can you set environment variables:
NSPR_LOG_MODULES XftFontLoad:5
NSPR_LOG_FILE /tmp/xft.log

and then try out Mozilla and attach xft.log to this bug?
(Reporter)

Comment 12

14 years ago
That gives me nothing more than:
[bosporos:eandres(~)]$ cat /tmp/xft.log
16384[8090880]: WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file
nsPermissionManager.cpp, line 610
16384[8090880]: ###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceContext.cpp, line 668
16384[8090880]: ###!!! Break: at file nsDeviceContext.cpp, line 668

which we already saw.
(Reporter)

Comment 13

14 years ago
Looking again at the output rather than xft.log, it seems this is what you wanted:

[0x875d310] setting up pattern with the following specification:
        adding non-generic families: tahoma, lucida, helvetica,
        lang group: x-western
        adding generic font from preferences: serif
        adding generic family: serif
        pixel,twip size: 24.000002,360
        slant: roman
        weight: (orig,calc) 401,180
matched the following (1) fonts:
        Lucida
[0x85cf728] setting up pattern with the following specification:
        adding non-generic families: tahoma, lucida, helvetica,
        lang group: x-western
        adding generic font from preferences: serif
        adding generic family: serif
        pixel,twip size: 24.000002,360
        slant: roman
        weight: (orig,calc) 401,180
matched the following (1) fonts:
        Lucida
###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceContext.cpp, line 668

Comment 14

14 years ago
ok, so it's definitely trying to use Lucida...
try this:
% fc-list Lucida file family

that will (hopefully) tell us what font file it would use.
(Reporter)

Comment 15

14 years ago
[bosporos:eandres(~)]$ fc-list Lucida file family
/usr/X11R6/lib/X11/fonts/fluxbox-artwiz-fonts/glisp-bold.pcf: Lucida
/usr/X11R6/lib/X11/fonts/fluxbox-artwiz-fonts/glisp.pcf.gz: Lucida
/usr/X11R6/lib/X11/fonts/fluxbox-artwiz-fonts/glisp-bold.pcf.gz: Lucida
/usr/X11R6/lib/X11/fonts/fluxbox-artwiz-fonts/glisp.pcf: Lucida
/usr/X11R6/lib/X11/fonts/fluxbox-artwiz-fonts/snap.pcf: Lucida
[bosporos:eandres(~)]$ 

Comment 16

14 years ago
I am having the same problem on my FreeBSD-stable port build of firefox 0.8,
port revision 4. There are many, many pages where I have this issue, and it is
only on those pages.

I am crashing on load here:
http://www.w3.org/TR/CSS2/

On this next URL, it only crashes if I scroll down to the bottom and scroll up
slowly, and only if the window is a certain size. Maximized on 1024x756
reproduces it, but being something like 400 wide does not.
http://www.deadly.org/article.php3?sid=20040218170204

I enabled logging and got this on the second URL:
###!!! ASSERTION: font metrics should not be null - bug 136248:
'NS_SUCCEEDED(rv)', file nsDeviceContext.cpp, line 704
Break: at file nsDeviceContext.cpp, line 704
###!!! ASSERTION: no font metrics: 'nsnull != aFontMetrics', file
nsHTMLReflowState.cpp, line 2162
Break: at file nsHTMLReflowState.cpp, line 2162

I tried to build a debugging image, but I think the port disabled something,
because I don't seem to be getting a very informational backtrace. It could also
be that this is the first time that I have ever used gdb and I am not doing it
right.

When I set "Always use my fonts", all of the pages work fine.
(Reporter)

Comment 17

14 years ago
Since it is apparently fluxbox artwiz fonts at fault, I simply moved them out of
my font path and everything seems happy so far.

Comment 18

14 years ago
My problem seems to be with pages that use Helvetica, but my Helvetica is
default XFree86 4.3 (FreeBSD port. No revision.). At least, that is what fc-list
says. Is it possible that this is caused by a corrupt font file? I can reinstall
them and try again.

This page crashed on load once, and crashed after some scrolling some other time:
http://spf.pobox.com/

Comment 19

14 years ago
I reinstalled my X fonts, and seems to work fine on all of the pages that I have
reported.
Product: Browser → Seamonkey

Comment 20

13 years ago
I can confirm this bug with an Xft-build of Mozilla-1.7.3.

It seems to be triggered when a non-scalable font (in my case, 'helvetica')
is requested in a size that is not available in the system.

Like Ben Woolley, I experience the crash when trying to load
http://www.w3.org/TR/CSS2/

Relevant components in my system (a somewhat older but patched up SuSE 7.1):
- XFree-4.1.0
- xft-2.1.2
- freetype2-2.1.9
- fontconfig-2.2.90
- mozilla-1.7.3, built from sources with the following configuration:

mk_add_options MOZ_OBJDIR=/tmp/moz/build
mk_add_options MOZ_CO_PROJECT=suite
ac_add_options --enable-application=suite
ac_add_options --enable-crypto
ac_add_options --disable-debug
ac_add_options --enable-crash-on-assert
ac_add_options '--enable-optimize=-O2 -gstabs+'
ac_add_options --enable-default-toolkit=gtk2
ac_add_options --enable-xft
ac_add_options --disable-freetype2
ac_add_options --disable-tests

The relevant Mozilla settings under Appearance/Fonts:
'Proportional' is Sans Serif
'Sans-serif' is Sans Serif
'Size' is 16 for both Proportional and Monospace
'Minimum font size' is None
'Display resolution' is 100dpi
'Allow documents to use other fonts' is enabled

The culprit is that nsFontCache::GetMetricsFor() returns a NULL pointer.

Here is what my investigation, starting in GetMetricsFor(), turned out:

gfx/src/nsDeviceContext.cpp
- nsFontCache::GetMetricsFor() does not find a matching font metrics object
  in the cache, so a new one is created and bound to be initialized via
  'fm->Init(...)'

gfx/src/gtk/nsFontMetricsXft.cpp
- nsFontMetricsXft::Init() does some setup and finally tries to Realize()
  the corresponding font
- nsFontMetricsXft::Realize() successfully initializes mWesternFont and
  calls CacheFontMetrics()
- nsFontMetricsXft::CacheFontMetrics() tries to get the XftFont out of
  mWesternFont by calling mWesternFont->GetXftFont(), which ends up in...

gfx/src/gtk/nsFontMetricsXft.cpp
- nsFontXft::GetXftFont(), where the call to XftFontOpenPattern() fails.

Activating traces in xft and freetype, it turns out the 'helvetica' font
is requested with size 16, but the system only provides a (not scalable)
.pcf version of 'helvetica' in the sizes 14 and 17 (and several other
larger or smaller sizes).

The XftFontOpenPattern() call to xft leads via an FT_Set_Char_Size() call
(which is intended to set the font size to 16) to PCF_Set_Pixel_Size()
in freetype's PCF driver.  This call fails, since the selected font (in
this case, with size 14) does not match the requested size.

With the failed opening of the font, we are back in...

gfx/src/nsDeviceContext.cpp
- nsFontCache::GetMetricsFor(), where now the cache gets Compact()ed, the
  query for a new font metrics instance is repeated and fails again.

  As a fallback, if there are any entries left in the cache, the last of
  those is used to satisfy the request for the font metrics.

  Otherwise, nsnull is returned and the crash can be observed.

Comment 21

13 years ago
I'd just like to say that happens to me in Firefox 1.0 with xft.  In my case
pages like www.ati.com won't load.  But I can't view that CSS page either.

Comment 22

13 years ago
-> Core / GFX: Gtk
Assignee: general → blizzard
Component: General → GFX: Gtk
Product: Mozilla Application Suite → Core
QA Contact: general → ian

Comment 23

13 years ago
At least as far as my comment #20 is concerned: the problem vanished with the
solution to bug 180309
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → EXPIRED
Product: Core → Core Graveyard

Updated

4 years ago
Whiteboard: DUPEME
You need to log in before you can comment on or make changes to this bug.