Segfault in XPutImage() called from nsXFontAAScaledBitmap::DrawText8or16()

RESOLVED DUPLICATE of bug 175711

People

(Reporter: kherron+mozilla, Unassigned)

Tracking

({crash})

Other Branch
x86
Linux

Attachments

(2 attachments)

(Reporter)

Description

15 years ago
The testcase which I'll attach causes a segmentation fault in libX11. It
consists of:

    <html><body>
    <h1><center><h1>
    ))))...[about 5,000 right parentheses]

Mozilla lays out the ))) string as a single line using large characters.
According to my debugger, nsXFontAAScaledBitmap::DrawText8or16() creates a
264,070-pixel wide image and passes it to XPutImage(); XPutImage() calls
_XReverse_Bytes() (a private helper function), and _XReverse_Bytes() calls
itself recursively until it exhausts all stack space.

This is based on something from the mangler (see bug 264944). I can reproduce
the crash in firefox built from the tip of the aviary 1.0 branch today, but not
in a copy of firefox built from the tip of the trunk (these copies are using
different fonts for everything, so it's possible the trunk copy isn't drawing
text the same way). In both cases I was using a fresh profile. The copy of ff
that crashes was built as follows:

  . $topsrcdir/browser/config/mozconfig

  ac_add_options --disable-freetype2
  ac_add_options --disable-tests
  ac_add_options --enable-debug
  ac_add_options --enable-default-toolkit=gtk2
  ac_add_options --enable-optimize='-Os -march=athlon-xp -mfpmath=sse'
  ac_add_options --with-system-png
  ac_add_options --with-system-zlib

I'm using mandrake linux 10.0, which uses Xfree86 4.3. Obviously this is an X
bug, but if it's easy to reproduce then perhaps mozilla should work around it.
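The workaround the report hints at, as an added example that is not part of the bug report, of Mozilla's code or of Xlib: clip the text run to the visible area before building the image, split what remains into bounded slices, and size the image with overflow-checked arithmetic. The function names, the 32-bit scanline padding and the sample geometry are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper: given a text run of run_w columns starting at
 * run_x, and a clip rectangle [clip_x, clip_x + clip_w), report which
 * columns are visible and how many XPutImage() calls of at most
 * max_slice_px columns are needed to draw them. */
typedef struct {
    long first_col;  /* first run column inside the clip rectangle */
    long ncols;      /* visible columns; 0 means nothing to draw */
    size_t slices;   /* XPutImage() calls needed, 0 when ncols == 0 */
} put_plan;

put_plan plan_text_put(long run_x, long run_w, long clip_x, long clip_w,
                       long max_slice_px)
{
    put_plan p = {0, 0, 0};
    if (run_w <= 0 || clip_w <= 0 || max_slice_px <= 0) return p;
    long run_end = run_x + run_w, clip_end = clip_x + clip_w;
    long lo = run_x > clip_x ? run_x : clip_x;
    long hi = run_end < clip_end ? run_end : clip_end;
    if (hi <= lo) return p;              /* run lies entirely off-screen */
    p.first_col = lo - run_x;
    p.ncols = hi - lo;
    p.slices = (size_t)((p.ncols + max_slice_px - 1) / max_slice_px);
    return p;
}

/* Overflow-checked byte size of an image whose scanlines are padded to
 * 32 bits (bitmap_pad = 32, a common XCreateImage() choice; assumption).
 * Returns 0 on bad geometry, unsupported depth or arithmetic overflow. */
uint64_t image_bytes(long width, long height, int bits_per_pixel)
{
    if (width <= 0 || height <= 0) return 0;
    if (bits_per_pixel != 1 && bits_per_pixel != 8 && bits_per_pixel != 16 &&
        bits_per_pixel != 24 && bits_per_pixel != 32) return 0;
    uint64_t w = (uint64_t)width, h = (uint64_t)height, bpp = (uint64_t)bits_per_pixel;
    if (w > UINT64_MAX / bpp) return 0;
    uint64_t bytes_per_line = ((w * bpp + 31) / 32) * 4;
    if (bytes_per_line > UINT64_MAX / h) return 0;
    return bytes_per_line * h;
}
```

With the report's 264,070-column run and a 1280-pixel-wide clip, only 1280 columns are ever handed to the server, whatever the line layout produced.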
(Reporter)

Comment 1

15 years ago
Posted file Testcase
You may need to adjust the number of parentheses to make this work. It seems
that layout asserts and doesn't draw anything if there are too many. The
following assert is from a trunk build:

###!!! ASSERTION: bad width: 'metrics.width>=0', file
/extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070
Break: at file
/extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070
(Reporter)

Comment 2

15 years ago
Posted file Stack trace
Something strange is going on here. According to the Xfree86 cvs repository
(<http://cvsweb.xfree86.org/cvsweb/xc/lib/X11/>), XPutImage() doesn't contain
an obvious call to _XReverse_Bytes() and _XReverse_Bytes() doesn't call itself.
However, I was able to reproduce this stack trace several times.
(Reporter)

Comment 3

15 years ago
Sorry for the spam...got the dependency backwards.
Blocks: Zalewski
No longer depends on: Zalewski

Comment 4

15 years ago
This looks like bug 175711.
Keywords: crash
(Reporter)

Comment 5

15 years ago
Yup, looks like a dupe.

*** This bug has been marked as a duplicate of 175711 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE