Crash when loading SVG [@ SelectAndVendDataForGlyphVector]

RESOLVED FIXED

Status

()

--
critical
RESOLVED FIXED
14 years ago
10 years ago

People

(Reporter: richard, Assigned: tor)

Tracking

(Blocks: 1 bug, {crash, fixed1.8, testcase})

Trunk
PowerPC
Mac OS X
crash, fixed1.8, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050512 Firefox/1.0+

Crash when loading embedded SVG in an internal app. Unfortunately I can't give you a url for testing, but 
I'll try to come up with a simple test case. 

Reproducible: Always

Steps to Reproduce:
1. Open the page with the embedded SVG.

Actual Results:  
The browser crashes.

Expected Results:  
not crashed!

Talkback ID: TB5798862Y


Command: firefox-bin
Path:    /Applications/Firefox.app/Contents/MacOS/firefox-bin
Parent:  launchd [1]

Version: 1.0+ (1.0+)

PID:    1172
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000006

Thread 0 Crashed:
0   com.apple.QD        	0x916d0fa4 SelectAndVendDataForGlyphVector(ATSGlyphVector*, unsigned 
long, unsigned char, unsigned char, void**, unsigned long*) + 284
1   com.apple.QD        	0x916d3df4 ATSUDirectGetLayoutDataArrayPtrFromTextLayout + 156
2   org.mozilla.firefox 	0x00857140 _cairo_hash_string + 1516
3   org.mozilla.firefox 	0x00840004 _cairo_gstate_text_to_glyphs + 152
4   org.mozilla.firefox 	0x00821988 cairo_text_extents + 128
5   org.mozilla.firefox 	0x003bf468 nsSVGCairoGlyphMetrics::Update(unsigned, int*) + 244
6   org.mozilla.firefox 	0x0044504c nsSVGGlyphFrame::NotifyMetricsUnsuspended() + 72
7   org.mozilla.firefox 	0x00437af4 nsSVGTextFrame::NotifyRedrawUnsuspended() + 236
8   org.mozilla.firefox 	0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
9   org.mozilla.firefox 	0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
10  org.mozilla.firefox 	0x004327c4 nsSVGDefsFrame::NotifyRedrawUnsuspended() + 96
11  org.mozilla.firefox 	0x0047f1a0 nsSVGOuterSVGFrame::UnsuspendRedraw() + 176
12  org.mozilla.firefox 	0x0047e6fc nsSVGOuterSVGFrame::DidReflow(nsPresContext*, 
nsHTMLReflowState const*, int) + 160
13  org.mozilla.firefox 	0x00365e48 nsContainerFrame::FinishReflowChild(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const*, nsHTMLReflowMetrics&, int, int, unsigned) + 244
14  org.mozilla.firefox 	0x0041d608 CanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 388
15  org.mozilla.firefox 	0x00365c48 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned&) + 148
16  org.mozilla.firefox 	0x0045ff6c nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState 
const&, int, nsHTMLReflowMetrics*, int) + 376
17  org.mozilla.firefox 	0x004600c0 nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, 
nsHTMLReflowMetrics const&) + 228
18  org.mozilla.firefox 	0x004607d4 nsHTMLScrollFrame::Reflow(nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 736
19  org.mozilla.firefox 	0x00365c48 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned, unsigned&) + 148
20  org.mozilla.firefox 	0x00458034 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 300
21  org.mozilla.firefox 	0x001eff20 PresShell::InitialReflow(int, int) + 536
22  org.mozilla.firefox 	0x003d54f8 nsContentSink::StartLayout(int) + 208
23  org.mozilla.firefox 	0x00381a98 nsXMLContentSink::StartLayout() + 144
24  org.mozilla.firefox 	0x0038064c nsXMLContentSink::DidBuildModel() + 456
25  org.mozilla.firefox 	0x00157ed0 nsExpatDriver::DidBuildModel(unsigned, int, nsIParser*, 
nsIContentSink*) + 56
26  org.mozilla.firefox 	0x0013da84 nsParser::DidBuildModel(unsigned) + 120
27  org.mozilla.firefox 	0x0013eb1c nsParser::ResumeParse(int, int, int) + 592
28  org.mozilla.firefox 	0x0013dc7c nsParser::ContinueInterruptedParsing() + 108
29  org.mozilla.firefox 	0x001df620 CSSLoaderImpl::SheetComplete(SheetLoadData*, int) + 216
30  org.mozilla.firefox 	0x001df510 CSSLoaderImpl::ParseSheet(nsIUnicharInputStream*, 
SheetLoadData*, int&) + 448
31  org.mozilla.firefox 	0x001de344 SheetLoadData::OnStreamComplete(nsIUnicharStreamLoader*, 
nsISupports*, unsigned, nsIUnicharInputStream*) + 1056
32  org.mozilla.firefox 	0x000a3cc0 nsUnicharStreamLoader::OnStopRequest(nsIRequest*, 
nsISupports*, unsigned) + 388
33  org.mozilla.firefox 	0x000bf718 nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, 
unsigned) + 628
34  org.mozilla.firefox 	0x0009c064 nsInputStreamPump::OnStateStop() + 160
35  org.mozilla.firefox 	0x0009bbec nsInputStreamPump::OnInputStreamReady
(nsIAsyncInputStream*) + 128
36  libxpcom_core.dylib 	0x10081c50 nsAStreamCopier::PostContinuationEvent_Locked() + 1240
37  libxpcom_core.dylib 	0x10044ea0 PL_HandleEvent + 36
38  libxpcom_core.dylib 	0x10044dc4 PL_ProcessPendingEvents + 128
39  libxpcom_core.dylib 	0x100452a8 PL_IsQueueNative + 136
40  com.apple.HIToolbox 	0x93120dd4 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, 
HandlerCallRec*) + 692
41  com.apple.HIToolbox 	0x9312052c SendEventToEventTargetInternal(OpaqueEventRef*, 
OpaqueEventTargetRef*, HandlerCallRec*) + 372
42  com.apple.HIToolbox 	0x931203a8 SendEventToEventTargetWithOptions + 40
43  com.apple.HIToolbox 	0x931276ec ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*, 
OpaqueEventRef*, void*) + 704
44  com.apple.HIToolbox 	0x93121024 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, 
HandlerCallRec*) + 1284
45  com.apple.HIToolbox 	0x9312052c SendEventToEventTargetInternal(OpaqueEventRef*, 
OpaqueEventTargetRef*, HandlerCallRec*) + 372
46  com.apple.HIToolbox 	0x931272b0 SendEventToEventTarget + 40
47  com.apple.HIToolbox 	0x93168160 ToolboxEventDispatcher + 92
48  com.apple.HIToolbox 	0x932070f4 TryEventDispatcher + 112
49  com.apple.HIToolbox 	0x93206d48 GetOrPeekEvent + 304
50  com.apple.HIToolbox 	0x93206a84 GetNextEventMatchingMask + 156
51  com.apple.HIToolbox 	0x9320692c WNEInternal + 140
52  com.apple.HIToolbox 	0x9320688c WaitNextEvent + 76
53  org.mozilla.firefox 	0x001bf11c nsMacMessagePump::GetEvent(EventRecord&) + 116
54  org.mozilla.firefox 	0x001bf000 nsMacMessagePump::DoMessagePump() + 48
55  org.mozilla.firefox 	0x001a8a64 nsAppShell::Run() + 56
56  org.mozilla.firefox 	0x007fee84 XRE_main + 3480
57  org.mozilla.firefox 	0x0000f69c start + 432
58  org.mozilla.firefox 	0x0000f51c start + 48

Thread 1:
0   libSystem.B.dylib   	0x9001efcc select + 12
1   libnspr4.dylib      	0x0301fa60 poll + 392
2   libnspr4.dylib      	0x0301c284 PR_OpenDir + 944
3   org.mozilla.firefox 	0x000a7ec4 nsSocketTransportService::Poll(unsigned*) + 116
4   org.mozilla.firefox 	0x000a8610 nsSocketTransportService::Run() + 432
5   libxpcom_core.dylib 	0x10047b7c nsThread::Main(void*) + 56
6   libnspr4.dylib      	0x0301d6f8 PR_Select + 828
7   libSystem.B.dylib   	0x9002c3b4 _pthread_body + 96

Thread 2:
0   libSystem.B.dylib   	0x900563f8 semaphore_timedwait_signal_trap + 8
1   libSystem.B.dylib   	0x90056264 pthread_cond_timedwait + 704
2   libnspr4.dylib      	0x030185f8 PR_Unlock + 300
3   libnspr4.dylib      	0x0301885c PR_WaitCondVar + 136
4   libxpcom_core.dylib 	0x1004a6cc TimerThread::Run() + 412
5   libxpcom_core.dylib 	0x10047b7c nsThread::Main(void*) + 56
6   libnspr4.dylib      	0x0301d6f8 PR_Select + 828
7   libSystem.B.dylib   	0x9002c3b4 _pthread_body + 96

Thread 3:
0   libSystem.B.dylib   	0x900563f8 semaphore_timedwait_signal_trap + 8
1   libSystem.B.dylib   	0x90056264 pthread_cond_timedwait + 704
2   libnspr4.dylib      	0x030185f8 PR_Unlock + 300
3   libnspr4.dylib      	0x0301885c PR_WaitCondVar + 136
4   org.mozilla.firefox 	0x0006810c nsIOThreadPool::ThreadFunc(void*) + 116
5   libnspr4.dylib      	0x0301d6f8 PR_Select + 828
6   libSystem.B.dylib   	0x9002c3b4 _pthread_body + 96

Thread 0 crashed with PPC Thread State:
  srr0: 0x916d0fa4 srr1: 0x0200f930                vrsave: 0x00000000
    cr: 0x24022442  xer: 0x00000000   lr: 0x916d3df4  ctr: 0x00000000
    r0: 0xffffffff   r1: 0xbfffcf90   r2: 0x00000000   r3: 0x00000064
    r4: 0x04a2a620   r5: 0x04a2a62c   r6: 0x00000001   r7: 0xbfffd0dc
    r8: 0x00000001   r9: 0x00000000  r10: 0xbfffd0dc  r11: 0x00000000
   r12: 0xbfffd0e0  r13: 0x00000002  r14: 0x00000000  r15: 0xa3120b38
   r16: 0x01910970  r17: 0xbfffeb40  r18: 0x504c4543  r19: 0x00000001
   r20: 0x00000001  r21: 0xbfffe048  r22: 0xbfffdb44  r23: 0x00000001
   r24: 0xbfffd0dc  r25: 0x00000000  r26: 0xbfffd0e0  r27: 0x00000064
   r28: 0x04a2a530  r29: 0x00000000  r30: 0x00000000  r31: 0x0085709c

Binary Images Description:
    0x1000 -   0x9bdfff org.mozilla.firefox 1.0+	/Applications/Firefox.app/Contents/MacOS/
firefox-bin
  0xfe5000 -   0xfeefff libqfaservices.dylib 	/Applications/Firefox.app/Contents/MacOS/
components/libqfaservices.dylib
 0x1808000 -  0x182ffff talkback.dylib 	/Applications/Firefox.app/Contents/MacOS/components/
talkback/talkback.dylib
 0x1849000 -  0x185efff libjsd.dylib 	/Applications/Firefox.app/Contents/MacOS/components/
libjsd.dylib
 0x1beb000 -  0x1bedfff com.apple.textencoding.unicode 2.0	/System/Library/TextEncodings/Unicode 
Encodings.bundle/Contents/MacOS/Unicode Encodings
 0x2d75000 -  0x2d7ffff com.netscape.DefaultPlugin ??? (1.0)	/Applications/Firefox.app/Contents/
MacOS/plugins/Default Plugin.plugin/Contents/MacOS/Default Plugin
 0x3000000 -  0x3033fff libnspr4.dylib 	/Applications/Firefox.app/Contents/MacOS/libnspr4.dylib
 0x3f7e000 -  0x3fa9fff libnssckbi.dylib 	/Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib
 0x4000000 -  0x400dfff libplds4.dylib 	/Applications/Firefox.app/Contents/MacOS/libplds4.dylib
 0x485d000 -  0x4935fff com.divxnetworks.DivXCodec 5.1b	/Library/QuickTime/DivX 5.component/
Contents/MacOS/DivX 5
 0x5000000 -  0x500efff libplc4.dylib 	/Applications/Firefox.app/Contents/MacOS/libplc4.dylib
 0x6000000 -  0x6081fff libmozjs.dylib 	/Applications/Firefox.app/Contents/MacOS/libmozjs.dylib
 0x7000000 -  0x7000fff libxpcom.dylib 	/Applications/Firefox.app/Contents/MacOS/libxpcom.dylib
 0x8000000 -  0x801bfff libssl3.dylib 	/Applications/Firefox.app/Contents/MacOS/libssl3.dylib
 0x9000000 -  0x905ffff libnss3.dylib 	/Applications/Firefox.app/Contents/MacOS/libnss3.dylib
 0xa000000 -  0xa01dfff libsmime3.dylib 	/Applications/Firefox.app/Contents/MacOS/
libsmime3.dylib
 0xb000000 -  0xb07afff libsoftokn3.dylib 	/Applications/Firefox.app/Contents/MacOS/
libsoftokn3.dylib
 0xc000000 -  0xc019fff libxpcom_compat.dylib 	/Applications/Firefox.app/Contents/MacOS/
libxpcom_compat.dylib
0x10000000 - 0x10085fff libxpcom_core.dylib 	/Applications/Firefox.app/Contents/MacOS/
libxpcom_core.dylib
0x8fe00000 - 0x8fe50fff dyld 43	/usr/lib/dyld
0x90000000 - 0x901a6fff libSystem.B.dylib 	/usr/lib/libSystem.B.dylib
0x901fe000 - 0x90202fff libmathCommon.A.dylib 	/usr/lib/system/libmathCommon.A.dylib
0x90204000 - 0x90257fff com.apple.CoreText 1.0.0 (???)	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
0x90284000 - 0x90335fff ATS 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ATS.framework/Versions/A/ATS
0x90364000 - 0x9069cfff com.apple.CoreGraphics 1.256.0 (???)
	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
CoreGraphics.framework/Versions/A/CoreGraphics
0x90727000 - 0x90800fff com.apple.CoreFoundation 6.4 (368)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x90849000 - 0x90849fff com.apple.CoreServices 10.4 (???)	/System/Library/Frameworks/
CoreServices.framework/Versions/A/CoreServices
0x9084b000 - 0x9094dfff libicucore.A.dylib 	/usr/lib/libicucore.A.dylib
0x909a7000 - 0x90a2bfff libobjc.A.dylib 	/usr/lib/libobjc.A.dylib
0x90a55000 - 0x90ac9fff com.apple.framework.IOKit 1.4 (???)	/System/Library/Frameworks/
IOKit.framework/Versions/A/IOKit
0x90ae3000 - 0x90af5fff libauto.dylib 	/usr/lib/libauto.dylib
0x90afc000 - 0x90dc1fff com.apple.CoreServices.CarbonCore 10.4 (611.1)
	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/
CarbonCore.framework/Versions/A/CarbonCore
0x90e24000 - 0x90ea4fff com.apple.CoreServices.OSServices 4.0 (4.0.0)
	/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/
OSServices.framework/Versions/A/OSServices
0x90eee000 - 0x90f2efff com.apple.CFNetwork 4.0 (80)	/System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x90f43000 - 0x90f5bfff com.apple.WebServices 1.1.2 (1.1.0)	/System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/
WebServicesCore
0x90f6b000 - 0x90fe9fff com.apple.SearchKit 1.0.3	/System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x9102e000 - 0x91055fff com.apple.Metadata 0.1 (121)	/System/Library/Frameworks/
CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x91066000 - 0x91073fff libz.1.dylib 	/usr/lib/libz.1.dylib
0x91076000 - 0x91238fff com.apple.security 4.0 (221)	/System/Library/Frameworks/
Security.framework/Versions/A/Security
0x9133a000 - 0x91343fff com.apple.DiskArbitration 2.1	/System/Library/Frameworks/
DiskArbitration.framework/Versions/A/DiskArbitration
0x9134a000 - 0x91371fff com.apple.SystemConfiguration 1.8.0
	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x91384000 - 0x9138cfff libbsm.dylib 	/usr/lib/libbsm.dylib
0x91390000 - 0x9140efff com.apple.audio.CoreAudio 3.0.0 (3.0)
	/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
0x9144c000 - 0x9144cfff com.apple.ApplicationServices 10.4 (???)
	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0x9144e000 - 0x91486fff com.apple.AE 1.5 (297)	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x914a1000 - 0x9156cfff com.apple.ColorSync 4.4	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
0x915c1000 - 0x91654fff com.apple.print.framework.PrintCore 4.0 (172)
	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
PrintCore.framework/Versions/A/PrintCore
0x9169a000 - 0x91757fff com.apple.QD 3.8.5 (???)	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
0x91795000 - 0x917f3fff com.apple.HIServices 1.5.0 (???)	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
0x91821000 - 0x91844fff com.apple.LangAnalysis 1.6	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/
LangAnalysis
0x91858000 - 0x9187dfff com.apple.FindByContent 1.5	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/
FindByContent
0x91890000 - 0x918d0fff com.apple.LaunchServices 10.4 (118)
	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
LaunchServices.framework/Versions/A/LaunchServices
0x918eb000 - 0x918fffff com.apple.speech.synthesis.framework 3.3
	/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/
SpeechSynthesis.framework/Versions/A/SpeechSynthesis
0x9190d000 - 0x91943fff com.apple.ImageIO.framework 1.0	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
0x91957000 - 0x91a19fff libcrypto.0.9.7.dylib 	/usr/lib/libcrypto.0.9.7.dylib
0x91a65000 - 0x91a7afff libcups.2.dylib 	/usr/lib/libcups.2.dylib
0x91a7f000 - 0x91a9bfff libJPEG.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib
0x91aa0000 - 0x91b0ffff libJP2.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
0x91b26000 - 0x91b2afff libGIF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
0x91b2c000 - 0x91b44fff libRaw.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib
0x91b47000 - 0x91b8afff libTIFF.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
0x91b91000 - 0x91baafff libPng.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0x91baf000 - 0x91bb2fff libRadiance.dylib 	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/
libRadiance.dylib
0x91bb4000 - 0x91bb4fff com.apple.Accelerate 1.1 (Accelerate 1.1)
	/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x91bb6000 - 0x91ca0fff com.apple.vImage 2.0	/System/Library/Frameworks/
Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x91ca8000 - 0x91cc7fff com.apple.Accelerate.vecLib 3.1 (vecLib 3.1)
	/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/
Versions/A/vecLib
0x91d33000 - 0x91d53fff libmx.A.dylib 	/usr/lib/libmx.A.dylib
0x91d59000 - 0x91dbefff libvMisc.dylib 	/System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x91dc8000 - 0x91e5afff libvDSP.dylib 	/System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x91e74000 - 0x92404fff libBLAS.dylib 	/System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x9244c000 - 0x9275cfff libLAPACK.dylib 	/System/Library/Frameworks/Accelerate.framework/
Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x92789000 - 0x92814fff com.apple.DesktopServices 1.3	/System/Library/PrivateFrameworks/
DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
0x92856000 - 0x92a7ffff com.apple.Foundation 6.4 (567)	/System/Library/Frameworks/
Foundation.framework/Versions/C/Foundation
0x92b9d000 - 0x92c7bfff libxml2.2.dylib 	/usr/lib/libxml2.2.dylib
0x92c9b000 - 0x92d89fff libiconv.2.dylib 	/usr/lib/libiconv.2.dylib
0x92d9b000 - 0x92db9fff libGL.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/
A/Libraries/libGL.dylib
0x92dc4000 - 0x92e1efff libGLU.dylib 	/System/Library/Frameworks/OpenGL.framework/Versions/
A/Libraries/libGLU.dylib
0x92e3c000 - 0x92e3cfff com.apple.Carbon 10.4 (???)	/System/Library/Frameworks/
Carbon.framework/Versions/A/Carbon
0x92e3e000 - 0x92e52fff com.apple.ImageCapture 3.0	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92e6a000 - 0x92e7afff com.apple.speech.recognition.framework 3.4
	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/
SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92e86000 - 0x92e9bfff com.apple.securityhi 2.0 (203)	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92ead000 - 0x92f34fff com.apple.ink.framework 101.2 (69)
	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/
Versions/A/Ink
0x92f48000 - 0x92f53fff com.apple.help 1.0.3 (32)	/System/Library/Frameworks/Carbon.framework/
Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92f5d000 - 0x92f8afff com.apple.openscripting 1.2.2 (???)	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92fa4000 - 0x92fb4fff com.apple.print.framework.Print 4.0 (187)
	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/
Versions/A/Print
0x92fc0000 - 0x93026fff com.apple.htmlrendering 1.1.2	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x93057000 - 0x930a9fff com.apple.NavigationServices 3.4	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/
NavigationServices
0x930d5000 - 0x930f2fff com.apple.audio.SoundManager 3.9	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x93104000 - 0x93111fff com.apple.CommonPanels 1.2.2 (73)
	/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/
CommonPanels.framework/Versions/A/CommonPanels
0x9311a000 - 0x93429fff com.apple.HIToolbox 1.4.0 (???)	/System/Library/Frameworks/
Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x93574000 - 0x93580fff com.apple.opengl 1.4.0	/System/Library/Frameworks/OpenGL.framework/
Versions/A/OpenGL
0x93612000 - 0x93612fff com.apple.Cocoa 6.4 (???)	/System/Library/Frameworks/
Cocoa.framework/Versions/A/Cocoa
0x93614000 - 0x93c45fff com.apple.AppKit 6.4 (824)	/System/Library/Frameworks/
AppKit.framework/Versions/C/AppKit
0x93fd1000 - 0x9403bfff com.apple.CoreData 1.0 (46)	/System/Library/Frameworks/
CoreData.framework/Versions/A/CoreData
0x94073000 - 0x9413dfff com.apple.audio.toolbox.AudioToolbox 1.4
	/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x94191000 - 0x94191fff com.apple.audio.units.AudioUnit 1.4
	/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x94193000 - 0x942f2fff com.apple.QuartzCore 1.4	/System/Library/Frameworks/
QuartzCore.framework/Versions/A/QuartzCore
0x9433a000 - 0x94377fff libsqlite3.0.dylib 	/usr/lib/libsqlite3.0.dylib
0x9437f000 - 0x943cafff libGLImage.dylib 	/System/Library/Frameworks/OpenGL.framework/
Versions/A/Libraries/libGLImage.dylib
0x9456a000 - 0x94579fff libCGATS.A.dylib 	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libCGATS.A.dylib
0x94581000 - 0x9458dfff libCSync.A.dylib 	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libCSync.A.dylib
0x945d2000 - 0x945e6fff libRIP.A.dylib 	/System/Library/Frameworks/ApplicationServices.framework/
Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x945ec000 - 0x9484efff com.apple.QuickTime 7.0.0	/System/Library/Frameworks/
QuickTime.framework/Versions/A/QuickTime
0x94921000 - 0x94940fff com.apple.vecLib 3.1 (vecLib 3.1)	/System/Library/Frameworks/
vecLib.framework/Versions/A/vecLib
0x97a71000 - 0x97a7efff com.apple.agl 2.5.6 (AGL-2.5.6)	/System/Library/Frameworks/
AGL.framework/Versions/A/AGL
0x99414000 - 0x99ba6fff com.apple.QuickTimeComponents.component 7.0
	/System/Library/QuickTime/QuickTimeComponents.component/Contents/MacOS/
QuickTimeComponents
0x9b2f9000 - 0x9b32efff libOpenGLContext.A.dylib 	/System/Library/Frameworks/
ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/
Resources/libOpenGLContext.A.dylib

Model: PowerBook5,2, BootROM 4.7.1f1, 1 processors, PowerPC G4  (1.1), 1.25 GHz, 768 MB
Graphics: ATI Mobility Radeon 9600, ATY,RV350M10, AGP, 64 MB
Memory Module: SODIMM0/J25LOWER, 256 MB, DDR SDRAM, PC2700U-25330
Memory Module: SODIMM1/J25UPPER, 512 MB, DDR SDRAM, PC2700U-25330
AirPort: AirPort Extreme, 3.5f1 (3.50.37.p6)
Modem: LastDash, Euro, V.92, 4.0, APPLE VERSION 2.6.4
Bluetooth: Version 1.6.0f2, 2 service, 0 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
PCI Card: TXN,PCIXXXX-00, cardbus, PC Card
Parallel ATA Device: MATSHITACD-RW  CW-8122, 
Parallel ATA Device: FUJITSU MHT2060AT, 55.89 GB
USB Device: Bluetooth HCI, , Up to 12 Mb/sec, 500 mA

Updated

14 years ago
Keywords: crash
Summary: Crash when loading SVG → Crash when loading SVG [@ SelectAndVendDataForGlyphVector]
(Reporter)

Comment 1

14 years ago
Created attachment 183906 [details]
File that demonstrates the crash

This seems to be the simplest file that demonstrates the crash. Looks like it
is triggered by the clipPath.
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 3

13 years ago
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051026 Firefox/1.6a1

I think this might've been fixed by the check-in for bug 298914. It's not crashing for me on Linux. Can anyone verify it's fixed on Mac?
(Reporter)

Comment 4

13 years ago
It no longer crashes for me on the Mac (OSX 10.4).

Updated

13 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME

Comment 5

13 years ago
Firefox trunk 13 nov, Mac OS 10.3.9

I'm reopening this bug - loading the testcase in comment #1 crashes for me. The stack is not identical, but the crash do occur in SelectAndVendDataForGlyphVector.

Talkback ID: TB11801057Y

I'll attach a log from crashreporter. I also get a similar crash by loading http://www.w3.org/Consortium/Offices/Presentations/SVG/0.svg - stack looks pretty much the same (at least to me).

Talbacks from the w3 svg tutorial: TB11799958G, TB11800742W. 
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

Comment 6

13 years ago
Created attachment 202929 [details]
Crashlog

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
I just saw this on an SVG file in the W3C test suite in the most recent Camino nightly (2005-12-15), though I'm not sure which one it was.
Actually, a whole bunch of the text ones seem to crash for me; one of them being http://www.w3.org/Graphics/SVG/Test/20030813/htmlframe/full-text-tref-01-b.html .

Comment 9

13 years ago
Wevah, I assume the stacktrace for all of the crashes is the same as this one? If they're not they could be different bugs.
The stacks are identical, line-for-line (with the exception of org.mozilla.firefox changing to org.mozilla.camino, of course).

Comment 11

13 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060108 Firefox/1.6a1

I am seeing something very similar at http://www.skolelinux.no/mascot/tux_bag.svg 
, looking at the source 'cairo-atsui-font.c', Apple's documentation, e.g.
http://developer.apple.com/documentation/Carbon/Reference/ATSUI_Reference/index.html
and this bug report http://lists.freedesktop.org/archives/cairo-bugs/2005-November/000501.html ,
I suspect that the mechanism is the same as Bug 298914 "[mac] Firefox crashing while trying to view http://www.opera.com/features/svg/index.dml" in that
we are passing a zero length unicode string to 
ATSUDirectGetLayoutDataArrayPtrFromTextLayout( ) .

This spackle hides the problem:
Index: cairo-atsui-font.c
===================================================================
RCS file: /cvsroot/mozilla/gfx/cairo/cairo/src/cairo-atsui-font.c,v
retrieving revision 1.11
diff -U8 -r1.11 cairo-atsui-font.c
--- cairo-atsui-font.c  6 Oct 2005 04:32:44 -0000       1.11
+++ cairo-atsui-font.c  8 Jan 2006 20:59:44 -0000
@@ -507,24 +507,42 @@
     cairo_atsui_font_t *font = abstract_font;
     ItemCount glyphCount;
     int i;
 
     status = _cairo_utf8_to_utf16 ((unsigned char *)utf8, -1, &utf16, &n16);
     if (status)
        return status;
 
+// Curious bug in ATSU with zero-length strings
+       if( n16 == 0 ) {
+               fprintf( stderr, "Early return to avoid presenting ATSUDirectGetLayoutDataArrayPtrFromTextLayout( ) with a zero-lngth string\n" );
+               return CAIRO_STATUS_NULL_POINTER; // Actually it is an internal error, 'Parameter error' or some such
+       };
+
     err = ATSUCreateTextLayout(&textLayout);

Comment 12

13 years ago
*** Bug 323585 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Flags: blocking1.8.0.2?

Updated

13 years ago
Blocks: 306663

Comment 13

13 years ago
Adding a note that this bug is still apparent in Tiger OS 10.4.4. (I have not
seen it in 10.2 or 10.3) 
(Assignee)

Comment 14

13 years ago
This isn't crashing for me on either the trunk or 1.8 branch, with OS-X 10.4.4.

Comment 15

13 years ago
Odd.  The testcase here still crashes for me with today's trunk nightly on Mac OS X 10.4.4 (PPC).
Keywords: testcase
(Assignee)

Comment 16

13 years ago
Created attachment 209722 [details] [diff] [review]
avoid passing empty string to cairo

Comment 17

13 years ago
I think you're supposed to use IsEmpty() instead of comparing Length() to zero.

Does this patch fix the case in bug 323585, which involved a string consisting only of spaces?

Isn't this really a cairo bug?
(Assignee)

Comment 18

13 years ago
Created attachment 209742 [details] [diff] [review]
use IsEmpty(), patch right location
Attachment #209722 - Attachment is obsolete: true
(Assignee)

Comment 19

13 years ago
(In reply to comment #17)
> Does this patch fix the case in bug 323585, which involved a string consisting
> only of spaces?

323585 ends up trying to work with an empty string, so it is the same bug.

> Isn't this really a cairo bug?

I don't belive cairo has a documented policy on what it does with degenerate objects, but generally it tends to loose its mind.  Both the win32 and atsui font backends have problems with empty strings in our experience, and our code tries to avoid handing them to cairo.  This was just a missed case.
Assignee: general → tor
(Assignee)

Updated

13 years ago
Attachment #209742 - Flags: review?(scootermorris)

Updated

13 years ago
Attachment #209742 - Flags: review?(scootermorris) → review+

Comment 20

13 years ago
(In reply to comment #17)
> 
> Isn't this really a cairo bug?
> 

If cairo is crashing on empty strings, then yes that is a bug in cairo.

(That might not change the need for a workaround in mozilla, but it is definitely the case that we over in cairo land want to see bug reports (http://bugs.freedesktop.org about things like this.)

Thanks,

-Carl
(Assignee)

Comment 21

13 years ago
Checked in.
Status: NEW → RESOLVED
Last Resolved: 13 years ago13 years ago
Resolution: --- → FIXED
Comment on attachment 209742 [details] [diff] [review]
use IsEmpty(), patch right location

a=dveditz for drivers
Attachment #209742 - Flags: approval1.8.0.2+
Flags: blocking1.8.0.2? → blocking1.8.0.2+
(Assignee)

Comment 23

13 years ago
1.8.0/1.8.0.x already have similar code, so this patch isn't needed there.
Keywords: fixed1.8
Flags: blocking1.8.0.2+
Attachment #209742 - Flags: approval1.8.0.2+

Comment 24

10 years ago
layout/svg/crashtests/294022-1.svg
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ SelectAndVendDataForGlyphVector]
You need to log in before you can comment on or make changes to this bug.