Closed Bug 266966 Opened 20 years ago Closed 20 years ago

Segfault in XPutImage() called from nsXFontAAScaledBitmap::DrawText8or16()

Categories

(Core :: Layout: Text and Fonts, defect)

Other Branch
x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 175711

People

(Reporter: kherron+mozilla, Unassigned)

Details

(Keywords: crash)

Attachments

(2 files)

The testcase which I'll attach causes a segmentation fault in libX11. It
consists of:

    <html><body>
    <h1><center><h1>
    ))))...[about 5,000 right parentheses]

Mozilla lays out the ))) string as a single line using large characters.
According to my debugger, nsXFontAAScaledBitmap::DrawText8or16() creates a
264,070-pixel wide image and passes it to XPutImage(); XPutImage() calls
_XReverse_Bytes() (a private helper function), and _XReverse_Bytes() calls
itself recursively until it exhausts all stack space.

This is based on something from the mangler (see bug 264944). I can reproduce
the crash in Firefox built from the tip of the aviary 1.0 branch today, but not
in a copy of Firefox built from the tip of the trunk (these copies are using
different fonts for everything, so it's possible the trunk copy isn't drawing
text the same way). In both cases I was using a fresh profile. The copy of ff
that crashes was built as follows:

  . $topsrcdir/browser/config/mozconfig

  ac_add_options --disable-freetype2
  ac_add_options --disable-tests
  ac_add_options --enable-debug
  ac_add_options --enable-default-toolkit=gtk2
  ac_add_options --enable-optimize='-Os -march=athlon-xp -mfpmath=sse'
  ac_add_options --with-system-png
  ac_add_options --with-system-zlib

I'm using Mandrake Linux 10.0, which uses XFree86 4.3. Obviously this is an X
bug, but if it's easy to reproduce then perhaps Mozilla should work around it.
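
The report above notes that a 264,070-pixel-wide image reached XPutImage() and suggests Mozilla could work around the crash. As an added example (not code from this bug, Mozilla or Xlib), the C code below clips a draw rectangle to the drawable and to the 16-bit position and size fields of the core X11 PutImage request before any call to XPutImage(). The names clip_put_image and put_rect, the 48-row height and the 1024x768 drawable are assumptions, and the page does not establish that the oversized width is the root cause.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest value that fits both the signed 16-bit position fields and the
 * unsigned 16-bit size fields of a core X11 PutImage request. */
#define X11_COORD_MAX 32767

typedef struct {
    int src_x, src_y;        /* offset into the client-side image */
    int dst_x, dst_y;        /* position in the drawable */
    unsigned width, height;  /* clipped size to hand to XPutImage() */
} put_rect;

/* Clip one axis: image span [pos, pos+len) against drawable span [0, limit).
 * Returns 0 when nothing is visible on this axis. */
static int clip_axis(int64_t pos, int64_t len, int64_t limit,
                     int *src, int *dst, unsigned *out_len)
{
    if (limit > X11_COORD_MAX) limit = X11_COORD_MAX;
    int64_t lo = pos < 0 ? 0 : pos;
    int64_t hi = pos + len < limit ? pos + len : limit;
    if (len <= 0 || hi <= lo) return 0;
    *src = (int)(lo - pos);
    *dst = (int)lo;
    *out_len = (unsigned)(hi - lo);
    return 1;
}

/* Hypothetical helper: returns 1 and fills *r when part of the image is
 * visible, 0 when the draw call should be skipped entirely. */
int clip_put_image(int64_t img_w, int64_t img_h, int64_t dst_x, int64_t dst_y,
                   int64_t draw_w, int64_t draw_h, put_rect *r)
{
    return clip_axis(dst_x, img_w, draw_w, &r->src_x, &r->dst_x, &r->width) &&
           clip_axis(dst_y, img_h, draw_h, &r->src_y, &r->dst_y, &r->height);
}

int main(void)
{
    put_rect r;
    /* Constructed input: the 264,070-pixel-wide image from the report,
     * 48 rows high, drawn at (10, 20) into a 1024x768 drawable. */
    if (clip_put_image(264070, 48, 10, 20, 1024, 768, &r))
        printf("XPutImage src=(%d,%d) dst=(%d,%d) size=%ux%u\n",
               r.src_x, r.src_y, r.dst_x, r.dst_y, r.width, r.height);
    return 0;
}
```
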

Attached file Testcase

You may need to adjust the number of parentheses to make this work. It seems
that layout asserts and doesn't draw anything if there are too many. The
following assert is from a trunk build:

    ###!!! ASSERTION: bad width: 'metrics.width>=0', file /extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070
    Break: at file /extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070

Attached file Stack trace

Something strange is going on here. According to the XFree86 cvs repository
(<http://cvsweb.xfree86.org/cvsweb/xc/lib/X11/>), XPutImage() doesn't contain
an obvious call to _XReverse_Bytes() and _XReverse_Bytes() doesn't call itself.
However, I was able to reproduce this stack trace several times.

Sorry for the spam...got the dependency backwards.

Blocks: Zalewski
No longer depends on: Zalewski

This looks like bug 175711

Keywords: crash

Yup, looks like a dupe.

*** This bug has been marked as a duplicate of 175711 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE