The testcase which I'll attach causes a segmentation fault in libX11. It consists of:

    <html><body> <h1><center><h1> ))))...[about 5,000 right parentheses]

Mozilla lays out the ))) string as a single line using large characters. According to my debugger, nsXFontAAScaledBitmap::DrawText8or16() creates a 264,070-pixel wide image and passes it to XPutImage(); XPutImage() calls _XReverse_Bytes() (a private helper function), and _XReverse_Bytes() calls itself recursively until it exhausts all stack space.

This is based on something from the mangler (see bug 264944).

I can reproduce the crash in firefox built from the tip of the aviary 1.0 branch today, but not in a copy of firefox built from the tip of the trunk (these copies are using different fonts for everything, so it's possible the trunk copy isn't drawing text the same way). In both cases I was using a fresh profile. The copy of ff that crashes was built as follows:

    . $topsrcdir/browser/config/mozconfig
    ac_add_options --disable-freetype2
    ac_add_options --disable-tests
    ac_add_options --enable-debug
    ac_add_options --enable-default-toolkit=gtk2
    ac_add_options --enable-optimize='-Os -march=athlon-xp -mfpmath=sse'
    ac_add_options --with-system-png
    ac_add_options --with-system-zlib

I'm using Mandrake Linux 10.0, which uses XFree86 4.3. Obviously this is an X bug, but if it's easy to reproduce then perhaps mozilla should work around it.
You may need to adjust the number of parentheses to make this work. It seems that layout asserts and doesn't draw anything if there are too many. The following assert is from a trunk build:

    ###!!! ASSERTION: bad width: 'metrics.width>=0', file /extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070
    Break: at file /extra/kherron/moz/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1070
Something strange is going on here. According to the XFree86 CVS repository (<http://cvsweb.xfree86.org/cvsweb/xc/lib/X11/>), XPutImage() doesn't contain an obvious call to _XReverse_Bytes() and _XReverse_Bytes() doesn't call itself. However, I was able to reproduce this stack trace several times.
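The workaround the reporter suggests would live on the caller side: check the image-size arithmetic and never hand X a single 264,070-pixel-wide image. The C below is an added example, not code from Mozilla or libX11; the 4096-pixel strip ceiling, the put_fn callback and the record_strip test double are assumptions standing in for the real XPutImage call.

```c
#include <stdint.h>
#include <stdlib.h>

/* Byte size of a packed width x height image; fails on arithmetic
 * overflow instead of wrapping to a small, under-sized allocation. */
int image_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_px,
                size_t *out)
{
    size_t row;
    if (width == 0 || height == 0 || bytes_per_px == 0) return -1;
    if ((size_t)width > SIZE_MAX / bytes_per_px) return -1;
    row = (size_t)width * bytes_per_px;
    if (row > SIZE_MAX / height) return -1;
    *out = row * height;
    return 0;
}

/* Number of column strips needed so no single request exceeds max_px. */
uint32_t strip_count(uint32_t width, uint32_t max_px)
{
    if (max_px == 0) return 0;
    return width / max_px + (width % max_px != 0);
}

/* Assumed stand-in for the real drawing call (e.g. XPutImage). */
typedef void (*put_fn)(uint32_t x, uint32_t w, void *ctx);

/* Emit the image as column strips of at most max_px pixels each.
 * Returns the number of put() calls made, or 0 if the image is rejected. */
uint32_t put_image_strips(uint32_t width, uint32_t height, uint32_t bpp,
                          uint32_t max_px, put_fn put, void *ctx)
{
    size_t total;
    uint32_t x = 0, n = 0;
    if (max_px == 0 || image_bytes(width, height, bpp, &total) != 0) return 0;
    while (x < width) {
        uint32_t w = (width - x < max_px) ? width - x : max_px;
        put(x, w, ctx);
        n++;
        x += w;
    }
    return n;
}

/* Test double: records what would have been drawn instead of drawing. */
struct strip_stats { uint32_t calls, max_w, total_w; };

void record_strip(uint32_t x, uint32_t w, void *ctx)
{
    struct strip_stats *s = ctx;
    (void)x;
    s->calls++;
    s->total_w += w;
    if (w > s->max_w) s->max_w = w;
}
```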
Yup, looks like a dupe. *** This bug has been marked as a duplicate of 175711 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE