Closed
Bug 294022
Opened 20 years ago
Closed 19 years ago
Crash when loading SVG [@ SelectAndVendDataForGlyphVector]
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: richard, Assigned: tor)
References
Details
(Keywords: crash, fixed1.8, testcase)
Crash Data
Attachments
(3 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050512 Firefox/1.0+
Crash when loading embedded SVG in an internal app. Unfortunately I can't give you a url for testing, but
I'll try to come up with a simple test case.
Reproducible: Always
Steps to Reproduce:
1. Open the page with the embedded SVG.
Actual Results:
The browser crashes.
Expected Results:
not crashed!
Talkback ID: TB5798862Y
Command: firefox-bin
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Parent: launchd [1]
Version: 1.0+ (1.0+)
PID: 1172
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000006
Thread 0 Crashed:
0 com.apple.QD 0x916d0fa4 SelectAndVendDataForGlyphVector(ATSGlyphVector*, unsigned
long, unsigned char, unsigned char, void**, unsigned long*) + 284
1 com.apple.QD 0x916d3df4 ATSUDirectGetLayoutDataArrayPtrFromTextLayout + 156
2 org.mozilla.firefox 0x00857140 _cairo_hash_string + 1516
3 org.mozilla.firefox 0x00840004 _cairo_gstate_text_to_glyphs + 152
4 org.mozilla.firefox 0x00821988 cairo_text_extents + 128
5 org.mozilla.firefox 0x003bf468 nsSVGCairoGlyphMetrics::Update(unsigned, int*) + 244
6 org.mozilla.firefox 0x0044504c nsSVGGlyphFrame::NotifyMetricsUnsuspended() + 72
7 org.mozilla.firefox 0x00437af4 nsSVGTextFrame::NotifyRedrawUnsuspended() + 236
8 org.mozilla.firefox 0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
9 org.mozilla.firefox 0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
10 org.mozilla.firefox 0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
11 org.mozilla.firefox 0x0047f1a0 nsSVGOuterSVGFrame::UnsuspendRedraw() + 176
12 org.mozilla.firefox 0x0047e6fc nsSVGOuterSVGFrame::DidReflow(nsPresContext*,
nsHTMLReflowState const*, int) + 160
13 org.mozilla.firefox 0x00365e48 nsContainerFrame::FinishReflowChild(nsIFrame*,
nsPresContext*, nsHTMLReflowState const*, nsHTMLReflowMetrics&, int, int, unsigned) + 244
14 org.mozilla.firefox 0x0041d608 CanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) + 388
15 org.mozilla.firefox 0x00365c48 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned&) + 148
16 org.mozilla.firefox 0x0045ff6c nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState
const&, int, nsHTMLReflowMetrics*, int) + 376
17 org.mozilla.firefox 0x004600c0 nsHTMLScrollFrame::ReflowContents(ScrollReflowState*,
nsHTMLReflowMetrics const&) + 228
18 org.mozilla.firefox 0x004607d4 nsHTMLScrollFrame::Reflow(nsPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 736
19 org.mozilla.firefox 0x00365c48 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*,
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned&) + 148
20 org.mozilla.firefox 0x00458034 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) + 300
21 org.mozilla.firefox 0x001eff20 PresShell::InitialReflow(int, int) + 536
22 org.mozilla.firefox 0x003d54f8 nsContentSink::StartLayout(int) + 208
23 org.mozilla.firefox 0x00381a98 nsXMLContentSink::StartLayout() + 144
24 org.mozilla.firefox 0x0038064c nsXMLContentSink::DidBuildModel() + 456
25 org.mozilla.firefox 0x00157ed0 nsExpatDriver::DidBuildModel(unsigned, int, nsIParser*,
nsIContentSink*) + 56
26 org.mozilla.firefox 0x0013da84 nsParser::DidBuildModel(unsigned) + 120
27 org.mozilla.firefox 0x0013eb1c nsParser::ResumeParse(int, int, int) + 592
28 org.mozilla.firefox 0x0013dc7c nsParser::ContinueInterruptedParsing() + 108
29 org.mozilla.firefox 0x001df620 CSSLoaderImpl::SheetComplete(SheetLoadData*, int) + 216
30 org.mozilla.firefox 0x001df510 CSSLoaderImpl::ParseSheet(nsIUnicharInputStream*,
SheetLoadData*, int&) + 448
31 org.mozilla.firefox 0x001de344 SheetLoadData::OnStreamComplete(nsIUnicharStreamLoader*,
nsISupports*, unsigned, nsIUnicharInputStream*) + 1056
32 org.mozilla.firefox 0x000a3cc0 nsUnicharStreamLoader::OnStopRequest(nsIRequest*,
nsISupports*, unsigned) + 388
33 org.mozilla.firefox 0x000bf718 nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*,
unsigned) + 628
34 org.mozilla.firefox 0x0009c064 nsInputStreamPump::OnStateStop() + 160
35 org.mozilla.firefox 0x0009bbec nsInputStreamPump::OnInputStreamReady
(nsIAsyncInputStream*) + 128
36 libxpcom_core.dylib 0x10081c50 nsAStreamCopier::PostContinuationEvent_Locked() + 1240
37 libxpcom_core.dylib 0x10044ea0 PL_HandleEvent + 36
38 libxpcom_core.dylib 0x10044dc4 PL_ProcessPendingEvents + 128
39 libxpcom_core.dylib 0x100452a8 PL_IsQueueNative + 136
40 com.apple.HIToolbox 0x93120dd4 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*,
HandlerCallRec*) + 692
41 com.apple.HIToolbox 0x9312052c SendEventToEventTargetInternal(OpaqueEventRef*,
OpaqueEventTargetRef*, HandlerCallRec*) + 372
42 com.apple.HIToolbox 0x931203a8 SendEventToEventTargetWithOptions + 40
43 com.apple.HIToolbox 0x931276ec ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*,
OpaqueEventRef*, void*) + 704
44 com.apple.HIToolbox 0x93121024 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*,
HandlerCallRec*) + 1284
45 com.apple.HIToolbox 0x9312052c SendEventToEventTargetInternal(OpaqueEventRef*,
OpaqueEventTargetRef*, HandlerCallRec*) + 372
46 com.apple.HIToolbox 0x931272b0 SendEventToEventTarget + 40
47 com.apple.HIToolbox 0x93168160 ToolboxEventDispatcher + 92
48 com.apple.HIToolbox 0x932070f4 TryEventDispatcher + 112
49 com.apple.HIToolbox 0x93206d48 GetOrPeekEvent + 304
50 com.apple.HIToolbox 0x93206a84 GetNextEventMatchingMask + 156
51 com.apple.HIToolbox 0x9320692c WNEInternal + 140
52 com.apple.HIToolbox 0x9320688c WaitNextEvent + 76
53 org.mozilla.firefox 0x001bf11c nsMacMessagePump::GetEvent(EventRecord&) + 116
54 org.mozilla.firefox 0x001bf000 nsMacMessagePump::DoMessagePump() + 48
55 org.mozilla.firefox 0x001a8a64 nsAppShell::Run() + 56
56 org.mozilla.firefox 0x007fee84 XRE_main + 3480
57 org.mozilla.firefox 0x0000f69c start + 432
58 org.mozilla.firefox 0x0000f51c start + 48
Thread 1:
0 libSystem.B.dylib 0x9001efcc select + 12
1 libnspr4.dylib 0x0301fa60 poll + 392
2 libnspr4.dylib 0x0301c284 PR_OpenDir + 944
3 org.mozilla.firefox 0x000a7ec4 nsSocketTransportService::Poll(unsigned*) + 116
4 org.mozilla.firefox 0x000a8610 nsSocketTransportService::Run() + 432
5 libxpcom_core.dylib 0x10047b7c nsThread::Main(void*) + 56
6 libnspr4.dylib 0x0301d6f8 PR_Select + 828
7 libSystem.B.dylib 0x9002c3b4 _pthread_body + 96
Thread 2:
0 libSystem.B.dylib 0x900563f8 semaphore_timedwait_signal_trap + 8
1 libSystem.B.dylib 0x90056264 pthread_cond_timedwait + 704
2 libnspr4.dylib 0x030185f8 PR_Unlock + 300
3 libnspr4.dylib 0x0301885c PR_WaitCondVar + 136
4 libxpcom_core.dylib 0x1004a6cc TimerThread::Run() + 412
5 libxpcom_core.dylib 0x10047b7c nsThread::Main(void*) + 56
6 libnspr4.dylib 0x0301d6f8 PR_Select + 828
7 libSystem.B.dylib 0x9002c3b4 _pthread_body + 96
Thread 3:
0 libSystem.B.dylib 0x900563f8 semaphore_timedwait_signal_trap + 8
1 libSystem.B.dylib 0x90056264 pthread_cond_timedwait + 704
2 libnspr4.dylib 0x030185f8 PR_Unlock + 300
3 libnspr4.dylib 0x0301885c PR_WaitCondVar + 136
4 org.mozilla.firefox 0x0006810c nsIOThreadPool::ThreadFunc(void*) + 116
5 libnspr4.dylib 0x0301d6f8 PR_Select + 828
6 libSystem.B.dylib 0x9002c3b4 _pthread_body + 96
Thread 0 crashed with PPC Thread State:
srr0: 0x916d0fa4 srr1: 0x0200f930 vrsave: 0x00000000
cr: 0x24022442 xer: 0x00000000 lr: 0x916d3df4 ctr: 0x00000000
r0: 0xffffffff r1: 0xbfffcf90 r2: 0x00000000 r3: 0x00000064
r4: 0x04a2a620 r5: 0x04a2a62c r6: 0x00000001 r7: 0xbfffd0dc
r8: 0x00000001 r9: 0x00000000 r10: 0xbfffd0dc r11: 0x00000000
r12: 0xbfffd0e0 r13: 0x00000002 r14: 0x00000000 r15: 0xa3120b38
r16: 0x01910970 r17: 0xbfffeb40 r18: 0x504c4543 r19: 0x00000001
r20: 0x00000001 r21: 0xbfffe048 r22: 0xbfffdb44 r23: 0x00000001
r24: 0xbfffd0dc r25: 0x00000000 r26: 0xbfffd0e0 r27: 0x00000064
r28: 0x04a2a530 r29: 0x00000000 r30: 0x00000000 r31: 0x0085709c
Binary Images Description:
0x1000 - 0x9bdfff org.mozilla.firefox 1.0+ /Applications/Firefox.app/Contents/MacOS/
firefox-bin
0xfe5000 - 0xfeefff libqfaservices.dylib /Applications/Firefox.app/Contents/MacOS/
components/libqfaservices.dylib
0x1808000 - 0x182ffff talkback.dylib /Applications/Firefox.app/Contents/MacOS/components/
talkback/talkback.dylib
0x1849000 - 0x185efff libjsd.dylib /Applications/Firefox.app/Contents/MacOS/components/
libjsd.dylib
0x1beb000 - 0x1bedfff com.apple.textencoding.unicode 2.0 /System/Library/TextEncodings/Unicode
Encodings.bundle/Contents/MacOS/Unicode Encodings
0x2d75000 - 0x2d7ffff com.netscape.DefaultPlugin ??? (1.0) /Applications/Firefox.app/Contents/
MacOS/plugins/Default Plugin.plugin/Contents/MacOS/Default Plugin
0x3000000 - 0x3033fff libnspr4.dylib /Applications/Firefox.app/Contents/MacOS/libnspr4.dylib
0x3f7e000 - 0x3fa9fff libnssckbi.dylib /Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib
0x4000000 - 0x400dfff libplds4.dylib /Applications/Firefox.app/Contents/MacOS/libplds4.dylib
0x485d000 - 0x4935fff com.divxnetworks.DivXCodec 5.1b /Library/QuickTime/DivX 5.component/
Contents/MacOS/DivX 5
0x5000000 - 0x500efff libplc4.dylib /Applications/Firefox.app/Contents/MacOS/libplc4.dylib
0x6000000 - 0x6081fff libmozjs.dylib /Applications/Firefox.app/Contents/MacOS/libmozjs.dylib
0x7000000 - 0x7000fff libxpcom.dylib /Applications/Firefox.app/Contents/MacOS/libxpcom.dylib
0x8000000 - 0x801bfff libssl3.dylib /Applications/Firefox.app/Contents/MacOS/libssl3.dylib
0x9000000 - 0x905ffff libnss3.dylib /Applications/Firefox.app/Contents/MacOS/libnss3.dylib
0xa000000 - 0xa01dfff libsmime3.dylib /Applications/Firefox.app/Contents/MacOS/
libsmime3.dylib
0xb000000 - 0xb07afff libsoftokn3.dylib /Applications/Firefox.app/Contents/MacOS/
libsoftokn3.dylib
0xc000000 - 0xc019fff libxpcom_compat.dylib /Applications/Firefox.app/Contents/MacOS/
libxpcom_compat.dylib
0x10000000 - 0x10085fff libxpcom_core.dylib /Applications/Firefox.app/Contents/MacOS/
libxpcom_core.dylib
0x8fe00000 - 0x8fe50fff dyld 43 /usr/lib/dyld
0x90000000 - 0x901a6fff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x901fe000 - 0x90202fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
0x90204000 - 0x90257fff com.apple.CoreText 1.0.0 (???) /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90284000 - 0x90335fff ATS /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x90364000 - 0x9069cfff com.apple.CoreGraphics 1.256.0 (???)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
CoreGraphics.framework/Versions/A/CoreGraphics
0x90727000 - 0x90800fff com.apple.CoreFoundation 6.4 (368)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x90849000 - 0x90849fff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/
CoreServices.framework/Versions/A/CoreServices
0x9084b000 - 0x9094dfff libicucore.A.dylib /usr/lib/libicucore.A.dylib
0x909a7000 - 0x90a2bfff libobjc.A.dylib /usr/lib/libobjc.A.dylib
0x90a55000 - 0x90ac9fff com.apple.framework.IOKit 1.4 (???) /System/Library/Frameworks/
IOKit.framework/Versions/A/IOKit
0x90ae3000 - 0x90af5fff libauto.dylib /usr/lib/libauto.dylib
0x90afc000 - 0x90dc1fff com.apple.CoreServices.CarbonCore 10.4 (611.1)
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/
CarbonCore.framework/Versions/A/CarbonCore
0x90e24000 - 0x90ea4fff com.apple.CoreServices.OSServices 4.0 (4.0.0)
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/
OSServices.framework/Versions/A/OSServices
0x90eee000 - 0x90f2efff com.apple.CFNetwork 4.0 (80) /System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x90f43000 - 0x90f5bfff com.apple.WebServices 1.1.2 (1.1.0) /System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/
WebServicesCore
0x90f6b000 - 0x90fe9fff com.apple.SearchKit 1.0.3 /System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x9102e000 - 0x91055fff com.apple.Metadata 0.1 (121) /System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x91066000 - 0x91073fff libz.1.dylib /usr/lib/libz.1.dylib
0x91076000 - 0x91238fff com.apple.security 4.0 (221) /System/Library/Frameworks/
Security.framework/Versions/A/Security
0x9133a000 - 0x91343fff com.apple.DiskArbitration 2.1 /System/Library/Frameworks/
DiskArbitration.framework/Versions/A/DiskArbitration
0x9134a000 - 0x91371fff com.apple.SystemConfiguration 1.8.0
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91384000 - 0x9138cfff libbsm.dylib /usr/lib/libbsm.dylib
0x91390000 - 0x9140efff com.apple.audio.CoreAudio 3.0.0 (3.0)
/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x9144c000 - 0x9144cfff com.apple.ApplicationServices 10.4 (???)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x9144e000 - 0x91486fff com.apple.AE 1.5 (297) /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x914a1000 - 0x9156cfff com.apple.ColorSync 4.4 /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x915c1000 - 0x91654fff com.apple.print.framework.PrintCore 4.0 (172)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
PrintCore.framework/Versions/A/PrintCore
0x9169a000 - 0x91757fff com.apple.QD 3.8.5 (???) /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x91795000 - 0x917f3fff com.apple.HIServices 1.5.0 (???) /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91821000 - 0x91844fff com.apple.LangAnalysis 1.6 /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/
LangAnalysis
0x91858000 - 0x9187dfff com.apple.FindByContent 1.5 /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/
FindByContent
0x91890000 - 0x918d0fff com.apple.LaunchServices 10.4 (118)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
LaunchServices.framework/Versions/A/LaunchServices
0x918eb000 - 0x918fffff com.apple.speech.synthesis.framework 3.3
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x9190d000 - 0x91943fff com.apple.ImageIO.framework 1.0 /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x91957000 - 0x91a19fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
0x91a65000 - 0x91a7afff libcups.2.dylib /usr/lib/libcups.2.dylib
0x91a7f000 - 0x91a9bfff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91aa0000 - 0x91b0ffff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91b26000 - 0x91b2afff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91b2c000 - 0x91b44fff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b47000 - 0x91b8afff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91b91000 - 0x91baafff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91baf000 - 0x91bb2fff libRadiance.dylib /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/
libRadiance.dylib
0x91bb4000 - 0x91bb4fff com.apple.Accelerate 1.1 (Accelerate 1.1)
/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91bb6000 - 0x91ca0fff com.apple.vImage 2.0 /System/Library/Frameworks/
Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91ca8000 - 0x91cc7fff com.apple.Accelerate.vecLib 3.1 (vecLib 3.1)
/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/
Versions/A/vecLib
0x91d33000 - 0x91d53fff libmx.A.dylib /usr/lib/libmx.A.dylib
0x91d59000 - 0x91dbefff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91dc8000 - 0x91e5afff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91e74000 - 0x92404fff libBLAS.dylib /System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x9244c000 - 0x9275cfff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x92789000 - 0x92814fff com.apple.DesktopServices 1.3 /System/Library/PrivateFrameworks/
DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x92856000 - 0x92a7ffff com.apple.Foundation 6.4 (567) /System/Library/Frameworks/
Foundation.framework/Versions/C/Foundation
0x92b9d000 - 0x92c7bfff libxml2.2.dylib /usr/lib/libxml2.2.dylib
0x92c9b000 - 0x92d89fff libiconv.2.dylib /usr/lib/libiconv.2.dylib
0x92d9b000 - 0x92db9fff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/
A/Libraries/libGL.dylib
0x92dc4000 - 0x92e1efff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/
A/Libraries/libGLU.dylib
0x92e3c000 - 0x92e3cfff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/
Carbon.framework/Versions/A/Carbon
0x92e3e000 - 0x92e52fff com.apple.ImageCapture 3.0 /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92e6a000 - 0x92e7afff com.apple.speech.recognition.framework 3.4
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/
SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92e86000 - 0x92e9bfff com.apple.securityhi 2.0 (203) /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92ead000 - 0x92f34fff com.apple.ink.framework 101.2 (69)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/
Versions/A/Ink
0x92f48000 - 0x92f53fff com.apple.help 1.0.3 (32) /System/Library/Frameworks/Carbon.framework/
Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92f5d000 - 0x92f8afff com.apple.openscripting 1.2.2 (???) /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92fa4000 - 0x92fb4fff com.apple.print.framework.Print 4.0 (187)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/
Versions/A/Print
0x92fc0000 - 0x93026fff com.apple.htmlrendering 1.1.2 /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x93057000 - 0x930a9fff com.apple.NavigationServices 3.4 /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/
NavigationServices
0x930d5000 - 0x930f2fff com.apple.audio.SoundManager 3.9 /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x93104000 - 0x93111fff com.apple.CommonPanels 1.2.2 (73)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/
CommonPanels.framework/Versions/A/CommonPanels
0x9311a000 - 0x93429fff com.apple.HIToolbox 1.4.0 (???) /System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x93574000 - 0x93580fff com.apple.opengl 1.4.0 /System/Library/Frameworks/OpenGL.framework/
Versions/A/OpenGL
0x93612000 - 0x93612fff com.apple.Cocoa 6.4 (???) /System/Library/Frameworks/
Cocoa.framework/Versions/A/Cocoa
0x93614000 - 0x93c45fff com.apple.AppKit 6.4 (824) /System/Library/Frameworks/
AppKit.framework/Versions/C/AppKit
0x93fd1000 - 0x9403bfff com.apple.CoreData 1.0 (46) /System/Library/Frameworks/
CoreData.framework/Versions/A/CoreData
0x94073000 - 0x9413dfff com.apple.audio.toolbox.AudioToolbox 1.4
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x94191000 - 0x94191fff com.apple.audio.units.AudioUnit 1.4
/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x94193000 - 0x942f2fff com.apple.QuartzCore 1.4 /System/Library/Frameworks/
QuartzCore.framework/Versions/A/QuartzCore
0x9433a000 - 0x94377fff libsqlite3.0.dylib /usr/lib/libsqlite3.0.dylib
0x9437f000 - 0x943cafff libGLImage.dylib /System/Library/Frameworks/OpenGL.framework/
Versions/A/Libraries/libGLImage.dylib
0x9456a000 - 0x94579fff libCGATS.A.dylib /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libCGATS.A.dylib
0x94581000 - 0x9458dfff libCSync.A.dylib /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libCSync.A.dylib
0x945d2000 - 0x945e6fff libRIP.A.dylib /System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x945ec000 - 0x9484efff com.apple.QuickTime 7.0.0 /System/Library/Frameworks/
QuickTime.framework/Versions/A/QuickTime
0x94921000 - 0x94940fff com.apple.vecLib 3.1 (vecLib 3.1) /System/Library/Frameworks/
vecLib.framework/Versions/A/vecLib
0x97a71000 - 0x97a7efff com.apple.agl 2.5.6 (AGL-2.5.6) /System/Library/Frameworks/
AGL.framework/Versions/A/AGL
0x99414000 - 0x99ba6fff com.apple.QuickTimeComponents.component 7.0
/System/Library/QuickTime/QuickTimeComponents.component/Contents/MacOS/
QuickTimeComponents
0x9b2f9000 - 0x9b32efff libOpenGLContext.A.dylib /System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libOpenGLContext.A.dylib
Model: PowerBook5,2, BootROM 4.7.1f1, 1 processors, PowerPC G4 (1.1), 1.25 GHz, 768 MB
Graphics: ATI Mobility Radeon 9600, ATY,RV350M10, AGP, 64 MB
Memory Module: SODIMM0/J25LOWER, 256 MB, DDR SDRAM, PC2700U-25330
Memory Module: SODIMM1/J25UPPER, 512 MB, DDR SDRAM, PC2700U-25330
AirPort: AirPort Extreme, 3.5f1 (3.50.37.p6)
Modem: LastDash, Euro, V.92, 4.0, APPLE VERSION 2.6.4
Bluetooth: Version 1.6.0f2, 2 service, 0 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
PCI Card: TXN,PCIXXXX-00, cardbus, PC Card
Parallel ATA Device: MATSHITACD-RW CW-8122,
Parallel ATA Device: FUJITSU MHT2060AT, 55.89 GB
USB Device: Bluetooth HCI, , Up to 12 Mb/sec, 500 mA
Keywords: crash
Summary: Crash when loading SVG → Crash when loading SVG [@ SelectAndVendDataForGlyphVector]
Reporter | ||
Comment 1•20 years ago
|
||
This seems to be the simplest file that demonstrates the crash. Looks like it
is triggered by the clipPath.
Comment 2•19 years ago
|
||
This is an automated message, with ID "auto-resolve01".
This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.
While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.
If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.
The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
Comment 3•19 years ago
|
||
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051026 Firefox/1.6a1
I think this might've been fixed by the check-in for bug 298914. It's not crashing for me on Linux. Can anyone verify it's fixed on Mac?
Reporter | ||
Comment 4•19 years ago
|
||
It no longer crashes for me on the Mac (OSX 10.4).
Updated•19 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Comment 5•19 years ago
|
||
Firefox trunk 13 nov, Mac OS 10.3.9
I'm reopening this bug - loading the testcase in comment #1 crashes for me. The stack is not identical, but the crash do occur in SelectAndVendDataForGlyphVector.
Talkback ID: TB11801057Y
I'll attach a log from crashreporter. I also get a similar crash by loading http://www.w3.org/Consortium/Offices/Presentations/SVG/0.svg - stack looks pretty much the same (at least to me).
Talbacks from the w3 svg tutorial: TB11799958G, TB11800742W.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 6•19 years ago
|
||
Updated•19 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 7•19 years ago
|
||
I just saw this on an SVG file in the W3C test suite in the most recent Camino nightly (2005-12-15), though I'm not sure which one it was.
Comment 8•19 years ago
|
||
Actually, a whole bunch of the text ones seem to crash for me; one of them being http://www.w3.org/Graphics/SVG/Test/20030813/htmlframe/full-text-tref-01-b.html .
Comment 9•19 years ago
|
||
Wevah, I assume the stacktrace for all of the crashes is the same as this one? If they're not they could be different bugs.
Comment 10•19 years ago
|
||
The stacks are identical, line-for-line (with the exception of org.mozilla.firefox changing to org.mozilla.camino, of course).
Comment 11•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060108 Firefox/1.6a1
I am seeing something very similar at http://www.skolelinux.no/mascot/tux_bag.svg
, looking at the source 'cairo-atsui-font.c', Apple's documentation, e.g.
http://developer.apple.com/documentation/Carbon/Reference/ATSUI_Reference/index.html
and this bug report http://lists.freedesktop.org/archives/cairo-bugs/2005-November/000501.html ,
I suspect that the mechanism is the same as Bug 298914 "[mac] Firefox crashing while trying to view http://www.opera.com/features/svg/index.dml" in that
we are passing a zero length unicode string to
ATSUDirectGetLayoutDataArrayPtrFromTextLayout( ) .
This spackle hides the problem:
Index: cairo-atsui-font.c
===================================================================
RCS file: /cvsroot/mozilla/gfx/cairo/cairo/src/cairo-atsui-font.c,v
retrieving revision 1.11
diff -U8 -r1.11 cairo-atsui-font.c
--- cairo-atsui-font.c 6 Oct 2005 04:32:44 -0000 1.11
+++ cairo-atsui-font.c 8 Jan 2006 20:59:44 -0000
@@ -507,24 +507,42 @@
cairo_atsui_font_t *font = abstract_font;
ItemCount glyphCount;
int i;
status = _cairo_utf8_to_utf16 ((unsigned char *)utf8, -1, &utf16, &n16);
if (status)
return status;
+// Curious bug in ATSU with zero-length strings
+ if( n16 == 0 ) {
+ fprintf( stderr, "Early return to avoid presenting ATSUDirectGetLayoutDataArrayPtrFromTextLayout( ) with a zero-lngth string\n" );
+ return CAIRO_STATUS_NULL_POINTER; // Actually it is an internal error, 'Parameter error' or some such
+ };
+
err = ATSUCreateTextLayout(&textLayout);
Comment 12•19 years ago
|
||
*** Bug 323585 has been marked as a duplicate of this bug. ***
Updated•19 years ago
|
Flags: blocking1.8.0.2?
Comment 13•19 years ago
|
||
Adding a note that this bug is still apparent in Tiger OS 10.4.4. (I have not
seen it in 10.2 or 10.3)
Assignee | ||
Comment 14•19 years ago
|
||
This isn't crashing for me on either the trunk or 1.8 branch, with OS-X 10.4.4.
Comment 15•19 years ago
|
||
Odd. The testcase here still crashes for me with today's trunk nightly on Mac OS X 10.4.4 (PPC).
Keywords: testcase
Assignee | ||
Comment 16•19 years ago
|
||
Comment 17•19 years ago
|
||
I think you're supposed to use IsEmpty() instead of comparing Length() to zero.
Does this patch fix the case in bug 323585, which involved a string consisting only of spaces?
Isn't this really a cairo bug?
Assignee | ||
Comment 18•19 years ago
|
||
Attachment #209722 -
Attachment is obsolete: true
Assignee | ||
Comment 19•19 years ago
|
||
(In reply to comment #17)
> Does this patch fix the case in bug 323585, which involved a string consisting
> only of spaces?
323585 ends up trying to work with an empty string, so it is the same bug.
> Isn't this really a cairo bug?
I don't belive cairo has a documented policy on what it does with degenerate objects, but generally it tends to loose its mind. Both the win32 and atsui font backends have problems with empty strings in our experience, and our code tries to avoid handing them to cairo. This was just a missed case.
Assignee: general → tor
Attachment #209742 -
Flags: review?(scootermorris)
Updated•19 years ago
|
Attachment #209742 -
Flags: review?(scootermorris) → review+
Comment 20•19 years ago
|
||
(In reply to comment #17)
>
> Isn't this really a cairo bug?
>
If cairo is crashing on empty strings, then yes that is a bug in cairo.
(That might not change the need for a workaround in mozilla, but it is definitely the case that we over in cairo land want to see bug reports (http://bugs.freedesktop.org about things like this.)
Thanks,
-Carl
Assignee | ||
Comment 21•19 years ago
|
||
Checked in.
Status: NEW → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Comment 22•19 years ago
|
||
Comment on attachment 209742 [details] [diff] [review]
use IsEmpty(), patch right location
a=dveditz for drivers
Attachment #209742 -
Flags: approval1.8.0.2+
Updated•19 years ago
|
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Assignee | ||
Comment 23•19 years ago
|
||
1.8.0/1.8.0.x already have similar code, so this patch isn't needed there.
Keywords: fixed1.8
Updated•19 years ago
|
Flags: blocking1.8.0.2+
Updated•19 years ago
|
Attachment #209742 -
Flags: approval1.8.0.2+
Comment 24•16 years ago
|
||
layout/svg/crashtests/294022-1.svg
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Updated•14 years ago
|
Crash Signature: [@ SelectAndVendDataForGlyphVector]
You need to log in
before you can comment on or make changes to this bug.
Description
•