241324 - Crash with theregister.co.uk CSS @ nsRuleNode::CalcLength & nsHTMLReflowState::CalcLineHeight

Status: RESOLVED INCOMPLETE

(Core :: Layout, defect)

Description

[Brad Jackson]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a) Gecko/20040422 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a) Gecko/20040422 Firefox/0.8.0+

Loaded www.theregister.co.uk 04/22/2004, 9:00 AM with Firefox 20040422 CVS
build, get:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085449856 (LWP 3155)]
0x085fe35b in CalcLength(nsCSSValue const&, nsFont const*, nsStyleContext*,
nsresContext*, int&) ()
(gdb) bt
#0  0x085fe35b in CalcLength(nsCSSValue const&, nsFont const*,
nsStyleContext*nsIPresContext*, int&) ()
#1  0x085fe45f in CalcLength(nsCSSValue const&, nsFont const*,
nsStyleContext*nsIPresContext*, int&) ()
#2  0x086018b0 in nsRuleNode::ComputePaddingData(nsStyleStruct*, nsCSSStruct
cst&, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail const&, int) ()
#3  0x08605aaa in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*,
nuleData*, nsCSSStruct*) ()
#4  0x08607798 in nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, i) ()
#5  0x00000010 in ?? ()
#6  0x0953dbdc in ?? ()
#7  0xbfffd2f0 in ?? ()
#8  0xbfffcf80 in ?? ()

Also get this with a simple page that just includes the style sheet file.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085449856 (LWP 3178)]
0x087dfa46 in nsHTMLReflowState::CalcLineHeight(nsIPresContext*,
nsIRenderingContext*, nsIFrame*) ()
(gdb) bt
#0  0x087dfa46 in nsHTMLReflowState::CalcLineHeight(nsIPresContext*,
nsIRenderingContext*, nsIFrame*) ()
#1  0x087cd593 in nsBlockReflowState::nsBlockReflowState(nsHTMLReflowState
const&, nsIPresContext*, nsBlockFrame*, nsHTMLReflowMetrics const&, int) ()
#2  0x087cb0ec in nsBlockFrame::RenumberLists(nsIPresContext*) ()
#3  0xbfffce80 in ?? ()
#4  0x0953efb8 in ?? ()
#5  0x09542fd0 in ?? ()
#6  0xbfffcf94 in ?? ()

Mozilla 1.6 also crashes

Reproducible: Always
Steps to Reproduce:
1. Load www.theregister.co.uk
2. Get seg fault
3.

Actual Results:  
Browser crashes

Expected Results:  
Should handle any problems in CSS

nsRuleNode::CalcLength & nsHTMLReflowState::CalcLineHeight

Will do a -g build with more details.  Will also attach files that cause the crash.

Comment 1

[Brad Jackson]

Attachment: HTML and CSS from theregister.co.uk

Comment 2

[Andrew Schultz]

worksforme with linux trunk 2004042108 and current CVS (this morning).
what were your build options in .mozconfig?

Can you also determine the minimum CSS needed to crash?

Comment 3

[Chris]

Works for me, no problems loading the page.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a) Gecko/20040422
Firefox/0.8.0+

Comment 4

[Brad Jackson]

Attachment: Backtrace from crash

This may be a problem specific to my machine.  The crash is caused by this:

<style type="text/css">
body
{
  font-family: Helvetica;
}
</style>

Comment 5

[Andrew Schultz]

check to make sure you:
1) have Helvetica font
2) it's world-readable
3) it's not corrupt

search for crash bugs with summary GetNormalLineHeight for similar crashes.

Comment 6

[Brad Jackson]

I don't see any Helvetica ttf files.  I don't see any .fon files.  The font
directories are all readable.  I had fontconfig 2.2.1 and tried upgrading to
2.2.2, but it still crashes.

Comment 7

[Andrew Schultz]

see bug 183729 or bug 225892 for another possibility
and http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111973
for more info.

Comment 8

[Brad Jackson]

I tested whether this is a system-specific problem by booting up a Gnoppix CD
and the Register site also crashes Mozilla there.

I was watching Mozilla 1.6 under strace and the file it reads just before
crashing is /usr/X11R6/lib/X11/fonts/75dpi/helvR12-ISO8859-1.pcf.gz.  I've run
rpm -V on XFree86-75dpi-fonts and the file is intact.

Comment 9

[Brad Jackson]

My initial workaround for this crash was to set the font preferences to "Always
use my Fonts" and that works, but every page has the same font.

Then I found this page:
---
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-fonts.html

Certain fonts, such as Helvetica, may have a problem when anti-aliased. Usually
this manifests itself as a font that seems cut in half vertically. At worst, it
may cause applications such as Mozilla to crash. To avoid this, consider adding
the following to local.conf:

         <match target="pattern" name="family">
             <test qual="any" name="family">
                 <string>Helvetica</string>
             </test>
             <edit name="family" mode="assign">
                 <string>sans-serif</string>
             </edit>
         </match>       
---

After adding this block and restarting the xfs service, I can now view pages
using Helvetica with no crashes.

Comment 10

[timeless]

Attachment: Don't call nsHTMLReflowState::CalcLineHeight for an empty frame

I used this (which corrupts whatever sort of creature anonymous is, but that's
life, this is just to draw a line to the problem):
s|=|:|g;s|<|"<|g;s|>|>"|g;s|: ([^':])'|: /*\1*/'/g;s|{{|{anonymous:{|g;s|, {|,
anonymous:{|g;
s|(:\s*)(\w+)(\s*([,}])|\1/*\2*/\3|g;s|(\t\w+\s):|\1=|g;

function search(haystack, needle, string){
trace(arguments);
string = string? string + "." : "";
for (var i in haystack) {
if (i == needle) print(string+i+": "+haystack[i]);
if (haystack[i] instanceof Object) search(haystack[i], needle, string+i);
}
}
... to read through your gdb variables.

The problem is visible in frame 2
state.mBand.mData.anonymous.anonymous.mFrame: 0

If you were using a debug build, you'd have hit an assertion.

Comment 11

[timeless]

Comment on attachment 147145 [details] [diff] [review]
Don't call nsHTMLReflowState::CalcLineHeight for an empty frame

would you take this wallpaper?

Comment 12

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

What are we reflowing if there's not a frame?

Comment 13

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 147145 [details] [diff] [review]
Don't call nsHTMLReflowState::CalcLineHeight for an empty frame

I don't see how we could ever end up in this code if there's no frame.	Are you
sure the crash wasn't due to null font metrics?

Comment 14

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 15

[dolphinling]

Is this still a problem, or can it be resolved worksforme?

Comment 16

[Cosimo Cecchi (GNOME)]

We still get reports of this crash in Epiphany using xulrunner 1.9, so I believe this is still an issue.

Comment 17

[Daniel.S]

(In reply to comment #16)
> We still get reports of this crash in Epiphany using xulrunner 1.9, so I
> believe this is still an issue.

Can you please provide further information about these crashes?