Closed Bug 307577 Opened 19 years ago Closed 15 years ago

windows blue screens because of certain true type fonts [@ win32k!MAPPER::bNearMatch+0x6af]

Categories

(Core Graveyard :: GFX: Win32, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: djspleenbaby, Unassigned)

Details

(Keywords: crash, qawanted, relnote)

Attachments

(9 files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: 

numerous pages crash windows when browsing. wikipedia is one example which i 
can reproduce but the problem strikes all over the place (i can't spot a 
pattern other than that every page that has crashed continues to do so).

This happens in firefox, nightly builds and mozilla suite using windows xp sp2.

this is happening on 2 separate systems now (both win xp sp2) - my desktop and 
my laptop computers whereas previously it was only happening on the desktop.

i have run numerous virus and spyware checks (mcafee and adaware) so can 
conclude that this is not related to a virus spreading across my home network.

it does appear to be linked to the recent installation of some software (i'll 
explain fully in a moment) but removing said software (including remaining 
registry values) and reinstalling firefox/mozilla (including removing all 
traces of previous profiles) doesn't fix things either.

sorry if i'm getting bogged down in details but they hopefully go a long way to 
describe what is happening. about 6 months ago the problem appeared on the 
desktop pc. i had recently reinstalled windows but rather than formatting the 
drive partition i installed over the top of the old installation. upon noticing 
that firefox was crashing windows i concluded that some old debris from the 
original windows installation was corrupting things. the problems were 
infrequent (though reproducible) so i didn't worry too much at first but it 
became a constant pain.

throughout this the laptop was fine.

i completely formatted the drive partition and reinstalled windows earlier this 
week. i updated windows to sp2 and all the other fixes etc. then went about 
reinstalling all my old software. i installed the latest firefox release 
(public not beta etc.) and tested it out straight away. no problems whatsoever, 
no crashes, everything was good. i reinstalled all the extensions i used 
to use and again firefox worked well. i started reinstalling software and 
checked firefox at various stages of the way. i'm sure you get the picture but 
all was working fine.

the other day i reinstalled avery (the labelling people) 'design pro 
afterburner'. it's a piece of software to do cd labels and print them etc. 
which comes with their labelling system. i didn't put 2 and 2 together but not 
long after i started seeing the old crashes return when browsing with firefox.

the thing that points the finger though is that yesterday i needed to work on 
some cd labels on my laptop so installed the avery software. now firefox on my 
laptop crashes windows when browsing.

now i suspect that the pages doing the crashing may be to do with javascript 
but i can't be 100% certain - sorry that probably doesn't help much does it?

when windows does an error report upon recovery microsoft's online crash 
analysis claims 'error caused by device driver' and specifically 'Error 
Message: STOP 0X000000EA THREAD_STUCK_IN_DEVICE_DRIVER (Q293078)'

i've checked this out and can report the following:
- i tried microsoft's suggestions (reduce hardware acceleration to 'none' and 
turn off 'enable write combining') and they make no difference.
- i've tried this in safe mode and again no difference.
- i've checked for newer drivers - there are none, i'm up-to-date
- the laptop and desktop use different hardware and software devices yet the 
same problem is happening on both.

now i can only speculate that avery's software has altered a setting or 
registry value which is causing the errors. but the appearance of the problem 
after installing is compelling.

i suspect a java issue (how the above could affect this i do not know) but i 
can't prove this. http://en.wikipedia.org/wiki/Main_Page uses java though. 
another time it crashes is when i'm using my gmail account (i didn't make this 
the main bug report as i don't know if you could replicate the problem). if i 
open my inbox and open my contacts then choose show all contacts (rather than 
frequently mailed) it crashes. gmail will definitely have been using java 
script before that without crashing but again it's a compelling coincidence.

none of these pages crash ie or opera browsers, it only happens with firefox 
and mozilla. also i'm experiencing no other crashes from any other software etc.

avery have no updates for their software.

i don't know how you could test this with their software but i could probably 
zip a copy for someone if they wanted to put this to the test.

also firefox and mozilla built in bug reporting doesn't appear to have time to 
work as windows shuts everything down straight away so i'm afraid i can report 
on what's going on inside firefox etc.

i'm sure there are lots of technical details you need but i'm not really sure 
what to give so please ask and i'll try my best.

thanks.

Reproducible: Always

Steps to Reproduce:
1. open firefox (or mozilla)
2. search on google for wikipedia
3. open the link (or just enter http://en.wikipedia.org/wiki/Main_Page in the 
address bar)

Actual Results:  
windows crashes either rebooting without saying anything or displaying blue 
screen of death with aforementioned error.

Expected Results:  
display the site in all its glory and definitely not crash windows.

can't think of anything to add.

WFM on Firefox and the Suite.

This is a problem on your system. Please see
http://support.microsoft.com/default.aspx?scid=kb;en-us;293078 for details.

WORKSFORME on Firefox 1.4 rv:1.8b4 build 20050806 and Seamonkey 1.1a rv:1.9a1
build 2005090806 under XP Pro SP2 here

The provided URL shows no javascript error reported and has 0 markup error
(validation) at W3C's validator.

thanks for looking.

i appreciate that i'm getting windows system errors but 2 completely different 
systems with different hardware are getting the same problem and only when 
using firefox.

also i've been conducting some tests that may (or may not of course) help.

i viewed the source of the wikipedia front page and copied and pasted it into 
notepad to create a local html page (rather than the mess ie makes if you save 
an offline copy).

i've attached this as file 'bugtest.htm'

next i tried taking out all the meta data, css and script links out of the 
header and this made no difference - still crashed. then i took all of the 
content out from between the body tags and no crash happened.

so i started adding chunks of the content back in until i got the crash again. 
this file is attached as 'bugtest2.htm'

the last chunk was the third definition table offering wikipedia articles in 
different languages. so i stripped out that chunk, added the definition list 
code, then the definition title code not getting any crashes at each stage. so 
i started adding in the list items one by one until it crashed. this is 
in 'bugtest3.htm'

the line responsible was for the 'georgian' language (not sure what character 
set it is or anything though).

i isolated this one line, keeping it between the original header block and body 
tags which is in file 'bugtest4.htm'. this caused a crash again.

finally, just as an experiment i changed the character encoding settings. this 
is in file 'bugtest5.htm'. this obviously didn't display the characters 
correctly (all question marks ??????) but it didn't crash the system.

now i agree that there is nothing wrong with the web page - it conforms to all 
the standards.

i also concede that this doesn't appear to be afflicting anybody else so 
something on both of my systems could well be awry.

but i don't have these problems with either ie or opera browsers, it's only 
when firefox interacts with my system. i'm not having a go or anything but it's 
the only time i get the problem and the way it has migrated to another system 
just yesterday, which was working fine before (i use wikipedia all of the time 
and had no problems until yesterday) seems strange and for me personally sheds 
doubt on the device driver stuff (which as i said i'd tried all of the 
recommendations and nothing made any difference).

thanks for your patience and hope this all helps.

*** This bug has been marked as a duplicate of 289064 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Let's try that again with the 8 that timeless meant, rather than a 0.

*** This bug has been marked as a duplicate of 289864 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
I really sincerely doubt that fixing bug 289864 will fix this... is there a way
for the submitter to get a stack trace from the system minidump?

windbg.exe is http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.5.3.7.exe

.symfix+
.reload
!analyze -v

right this is all new to me but is this what you're after?

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated.  Data may be missing.
************************************************************
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Fri Sep  9 18:48:52.562 2005 (GMT+1)
System Uptime: 0 days 0:02:35.109
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnl.exe -
Loading Kernel Symbols
................................................................................
................................
Loading unloaded module list
..........
Loading User Symbols
..........................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {0, 0, 0, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for win32k.sys -
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
Probably caused by : win32k.sys ( win32k!EngPaint+143f )

Followup: MachineOwner
---------

kd> .symfix+
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
kd> .reload
Loading Kernel Symbols
................................................................................
................................
Loading unloaded module list
..........
Loading User Symbols
..........................................................
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*** WARNING: Unable to verify checksum for FIREFOX.EXE
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FIREFOX.EXE -

BUGCHECK_STR:  0x7f_0

TRAP_FRAME:  b3cc19a4 -- (.trap ffffffffb3cc19a4)
ErrCode = 00000000
eax=00000011 ebx=b3cc1ac4 ecx=00000011 edx=00000000 esi=00000000 edi=00000001
eip=bf82e680 esp=b3cc1a18 ebp=b3cc1a30 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!MAPPER::bNearMatch+0x6af:
bf82e680 f7fe             idiv    esi
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

LAST_CONTROL_TRANSFER:  from bf82dadb to bf82e680

STACK_TEXT:  
b3cc1a30 bf82dadb b3cc1a6c 000001ef e2362bc0 win32k!MAPPER::bNearMatch+0x6af
b3cc1a80 bf82d613 e1000000 e14a4ab0 00000000 win32k!MAPPER::bFoundExactMatch+0x169
b3cc1bc4 bf8115a2 b3cc1d0c e2caf750 e2caf70c win32k!ppfeGetAMatch+0x1a2
b3cc1c38 bf80735d b3cc1d0c b3cc1cac b3cc1c88 win32k!LFONTOBJ::ppfeMapFont+0x2c7
b3cc1cb0 bf80752c e2caf630 00000000 00000002 win32k!RFONTOBJ::bInit+0x15b
b3cc1cc8 bf8e88cd b3cc1d0c 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
b3cc1ce4 bf8e887c 00000000 656d616e 00000000 win32k!ulGetFontData2+0x17
b3cc1d04 bf8e883f e14a49c8 656d616e 00000000 win32k!ulGetFontData+0x48
b3cc1d48 804de7ec 03010552 656d616e 00000000 win32k!NtGdiGetFontData+0x26
b3cc1d48 7c90eb94 03010552 656d616e 00000000 nt!KiFastCallEntry+0xf8
001354d4 77f1c9db 004e7303 03010552 656d616e ntdll!KiFastSystemCallRet
00139554 004e712e 03010552 02dcec4c 0013957c GDI32!NtGdiGetFontData+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
00139588 004e840e 03010552 02da2fb4 00000000 FIREFOX!nsPrintSession::operator=+0xcf4d
001395c0 004e9777 03010552 000010e5 00000003 FIREFOX!nsPrintSession::operator=+0xe22d
001395f4 004ea2bb 03010552 000010e5 00139638 FIREFOX!nsPrintSession::operator=+0xf596
00139628 004dfc12 03010552 00139a30 00000003 FIREFOX!nsPrintSession::operator=+0x100da
001396f4 006310d4 02db0cdc 00139a30 00000012 FIREFOX!nsPrintSession::operator=+0x5a31
001399dc 00631837 01bc14a8 00139d54 00139a08 FIREFOX!DeviceContextImpl::PrepareDocument+0x1e2f1
00139d2c 006d1b63 00000001 01bc14a8 00139e08 FIREFOX!DeviceContextImpl::PrepareDocument+0x1ea54
00139e90 0063306a 02df33c8 0013a2e4 00000000 FIREFOX!nsPrintSettings::GetShrinkToFit+0x100ec
00139eb8 00632e67 01bc14a8 00139f58 00139f20 FIREFOX!DeviceContextImpl::PrepareDocument+0x20287
00139ef8 00632d65 01bc14a8 00139f58 00139f20 FIREFOX!DeviceContextImpl::PrepareDocument+0x20084
00139f30 006d1b63 02df3394 01bc14a8 0013a00c FIREFOX!DeviceContextImpl::PrepareDocument+0x1ff82
0013a094 0063306a 02df3394 0013a2e4 00000000 FIREFOX!nsPrintSettings::GetShrinkToFit+0x100ec
0013a0bc 00632e67 01bc14a8 0013a15c 0013a124 FIREFOX!DeviceContextImpl::PrepareDocument+0x20287
0013a0fc 00632d65 01bc14a8 0013a15c 0013a124 FIREFOX!DeviceContextImpl::PrepareDocument+0x20084
0013a134 006d1b63 02dab654 01bc14a8 0013a210 FIREFOX!DeviceContextImpl::PrepareDocument+0x1ff82
0013a298 00628aab 02dab654 0013a2e4 00000000 FIREFOX!nsPrintSettings::GetShrinkToFit+0x100ec
0013a2d0 00628909 0013a8f0 0013a330 02dab688 FIREFOX!DeviceContextImpl::PrepareDocument+0x15cc8
0013a304 00628792 0013a8f0 0013a330 02dab654 FIREFOX!DeviceContextImpl::PrepareDocument+0x15b26
0013a770 00628676 0013a8f0 02dab688 0013a8d0 FIREFOX!DeviceContextImpl::PrepareDocument+0x159af
0013a79c 006279c4 0013a8f0 02dab688 0213a8d0 FIREFOX!DeviceContextImpl::PrepareDocument+0x15893
0013a848 00627442 02df4394 02dab688 0013a8d0 FIREFOX!DeviceContextImpl::PrepareDocument+0x14be1
0013a8d8 0062665a 02dab688 0013ad14 0013abd0 FIREFOX!DeviceContextImpl::PrepareDocument+0x1465f
0013aab8 006d0d1f 00000000 01bc14a8 01ba6978 FIREFOX!DeviceContextImpl::PrepareDocument+0x13877
0013aaec 00628326 000000ff 0013ad0c 0013acfc FIREFOX!nsPrintSettings::GetShrinkToFit+0xf2a8
0013add0 0062775b 00000000 02df44c8 0013aefc FIREFOX!DeviceContextImpl::PrepareDocument+0x15543
0013ae74 00627442 0013af1c 02df44c8 0013aefc FIREFOX!DeviceContextImpl::PrepareDocument+0x14978
0013af04 0062665a 02df44c8 0013b340 0013b1fc FIREFOX!DeviceContextImpl::PrepareDocument+0x1465f
0013b0e4 006d0d1f 00000000 01bc14a8 01ba6978 FIREFOX!DeviceContextImpl::PrepareDocument+0x13877
0013b118 00628326 00000000 0013b338 0013b328 FIREFOX!nsPrintSettings::GetShrinkToFit+0xf2a8
0013b3fc 0062775b 00000000 02df4594 0013b528 FIREFOX!DeviceContextImpl::PrepareDocument+0x15543
0013b4a0 00627442 0013b548 02df4594 0013b528 FIREFOX!DeviceContextImpl::PrepareDocument+0x14978
0013b530 0062665a 02df4594 0013b96c 0013b828 FIREFOX!DeviceContextImpl::PrepareDocument+0x1465f
0013b710 006d0d1f 00000000 01bc14a8 01ba6978 FIREFOX!DeviceContextImpl::PrepareDocument+0x13877
0013b744 00628326 000004d3 0013b964 0013b954 FIREFOX!nsPrintSettings::GetShrinkToFit+0xf2a8
0013ba28 0062775b 00000000 02df46c0 0013bb54 FIREFOX!DeviceContextImpl::PrepareDocument+0x15543
0013bacc 00627442 0013bb74 02df46c0 0013bb54 FIREFOX!DeviceContextImpl::PrepareDocument+0x14978
0013bb5c 0062665a 02df46c0 0013bf98 0013be54 FIREFOX!DeviceContextImpl::PrepareDocument+0x1465f
0013bd3c 006d0d1f 00000000 01bc14a8 01ba6978 FIREFOX!DeviceContextImpl::PrepareDocument+0x13877


FOLLOWUP_IP: 
win32k!MAPPER::bNearMatch+6af
bf82e680 f7fe             idiv    esi

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!MAPPER::bNearMatch+6af

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  422511a2

STACK_COMMAND:  .trap ffffffffb3cc19a4 ; kb

FAILURE_BUCKET_ID:  0x7f_0_win32k!MAPPER::bNearMatch+6af

BUCKET_ID:  0x7f_0_win32k!MAPPER::bNearMatch+6af

Followup: MachineOwner
---------
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---

sorry to bombard you all with more stuff but i ran the memory dump debugger 
after the previously mentioned gmail page crashed the system (display all 
contacts). it's pretty similar but not identical:

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated.  Data may be missing.
************************************************************
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Fri Sep  9 22:14:49.984 2005 (GMT+1)
System Uptime: 0 days 3:16:20.539
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnl.exe -
Loading Kernel Symbols
................................................................................
..............................
Loading unloaded module list
.........
Loading User Symbols
...........................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {0, 0, 0, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for win32k.sys -
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
Probably caused by : win32k.sys ( win32k!EngPaint+143f )

Followup: MachineOwner
---------

kd> .symfix+
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
kd> .reload
Loading Kernel Symbols
................................................................................
..............................
Loading unloaded module list
.........
Loading User Symbols
...........................................................
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*** WARNING: Unable to verify checksum for firefox.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for firefox.exe -

BUGCHECK_STR:  0x7f_0

TRAP_FRAME:  b4c969a4 -- (.trap ffffffffb4c969a4)
ErrCode = 00000000
eax=00000011 ebx=b4c96ac4 ecx=00000011 edx=00000000 esi=00000000 edi=00000001
eip=bf82e680 esp=b4c96a18 ebp=b4c96a30 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!MAPPER::bNearMatch+0x6af:
bf82e680 f7fe             idiv    esi
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

LAST_CONTROL_TRANSFER:  from bf82dadb to bf82e680

STACK_TEXT:  
b4c96a30 bf82dadb b4c96a6c 000001ef e1cfebc0 win32k!MAPPER::bNearMatch+0x6af
b4c96a80 bf82d613 e1000000 e1f93628 00000000 win32k!MAPPER::bFoundExactMatch+0x169
b4c96bc4 bf8115a2 b4c96d0c e33ae498 e33ae454 win32k!ppfeGetAMatch+0x1a2
b4c96c38 bf80735d b4c96d0c b4c96cac b4c96c88 win32k!LFONTOBJ::ppfeMapFont+0x2c7
b4c96cb0 bf80752c e33ae378 00000000 00000002 win32k!RFONTOBJ::bInit+0x15b
b4c96cc8 bf8e88cd b4c96d0c 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
b4c96ce4 bf8e887c 00000000 656d616e 00000000 win32k!ulGetFontData2+0x17
b4c96d04 bf8e883f e1f93540 656d616e 00000000 win32k!ulGetFontData+0x48
b4c96d48 804de7ec 030105a1 656d616e 00000000 win32k!NtGdiGetFontData+0x26
b4c96d48 7c90eb94 030105a1 656d616e 00000000 nt!KiFastCallEntry+0xf8
00136768 77f1c9db 004e7303 030105a1 656d616e ntdll!KiFastSystemCallRet
0013a7e8 004e712e 030105a1 031a9c20 0013a810 GDI32!NtGdiGetFontData+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
0013a81c 004e840e 030105a1 034b92b8 00000000 firefox!nsPrintSession::operator=+0xcf4d
0013a854 004e9777 030105a1 0000000b 00000002 firefox!nsPrintSession::operator=+0xe22d
0013a888 004ea424 030105a1 0000000b 0013a8cc firefox!nsPrintSession::operator=+0xf596
0013a8bc 004e0153 030105a1 0013ac20 00000002 firefox!nsPrintSession::operator=+0x10243
0013a8f8 00630fad 031dd300 0013ac20 00000006 firefox!nsPrintSession::operator=+0x5f72
0013abcc 00631837 03639fe8 0013af44 0013abf8 firefox!DeviceContextImpl::PrepareDocument+0x1e1ca
0013af1c 006d1b63 00000000 03639fe8 0013aff8 firefox!DeviceContextImpl::PrepareDocument+0x1ea54
0013b080 0063306a 030e16bc 0013b2d0 00000000 firefox!nsPrintSettings::GetShrinkToFit+0x100ec
0013b0a8 00632e67 03639fe8 0013b148 0013b110 firefox!DeviceContextImpl::PrepareDocument+0x20287
0013b0e8 00632d65 03639fe8 0013b148 0013b110 firefox!DeviceContextImpl::PrepareDocument+0x20084
0013b120 006d1b63 030e1688 03639fe8 0013b1fc firefox!DeviceContextImpl::PrepareDocument+0x1ff82
0013b284 00628aab 030e1688 0013b2d0 00000000 firefox!nsPrintSettings::GetShrinkToFit+0x100ec
0013b2bc 00628909 0013b8dc 0013b31c 030e16f8 firefox!DeviceContextImpl::PrepareDocument+0x15cc8
0013b2f0 00628792 0013b8dc 0013b31c 030e1688 firefox!DeviceContextImpl::PrepareDocument+0x15b26
0013b75c 00628676 0013b8dc 030e16f8 0013b8bc firefox!DeviceContextImpl::PrepareDocument+0x159af
0013b788 006279c4 0013b8dc 030e16f8 0213b8bc firefox!DeviceContextImpl::PrepareDocument+0x15893
0013b834 00627442 030e16f8 030e16f8 0013b8bc firefox!DeviceContextImpl::PrepareDocument+0x14be1
0013b8c4 0062665a 030e16f8 0013bf20 030e1638 firefox!DeviceContextImpl::PrepareDocument+0x1465f
0013baa4 005f7a44 00000000 03639fe8 0013bbc4 firefox!DeviceContextImpl::PrepareDocument+0x13877
0013bacc 00625600 030e1638 03639fe8 0013bbc4 firefox!nsRegionRectIterator::Reset+0x17a9c
0013bc78 005f7a44 0000000f 03639fe8 0013bea0 firefox!DeviceContextImpl::PrepareDocument+0x1281d
0013bca0 00623ac5 030e15dc 03639fe8 0013bea0 firefox!nsRegionRectIterator::Reset+0x17a9c
0013bf70 0062460d 030e1444 03639fe8 0013c0b4 firefox!DeviceContextImpl::PrepareDocument+0x10ce2
0013bfa4 005f7a44 030e1444 03639fe8 0013c0b4 firefox!DeviceContextImpl::PrepareDocument+0x1182a
0013bfcc 0061fe5c 030e1444 03639fe8 0013c0b4 firefox!nsRegionRectIterator::Reset+0x17a9c
0013c130 006215e0 030cdcb8 03639fe8 0013c324 firefox!DeviceContextImpl::PrepareDocument+0xd079
0013c17c 00621296 030debc0 03639fe8 0013c324 firefox!DeviceContextImpl::PrepareDocument+0xe7fd
0013c1ac 006210db 030cdcb8 03639fe8 0013c324 firefox!DeviceContextImpl::PrepareDocument+0xe4b3
0013c204 005f7a44 030cdcb8 03639fe8 0013c324 firefox!DeviceContextImpl::PrepareDocument+0xe2f8
0013c22c 006193e8 030cdcb8 03639fe8 0013c324 firefox!nsRegionRectIterator::Reset+0x17a9c
0013c398 00618b98 030cd758 03639fe8 0013c3c0 firefox!DeviceContextImpl::PrepareDocument+0x6605
0013c3e0 00617be8 031da9dc 03639fe8 0013c4c4 firefox!DeviceContextImpl::PrepareDocument+0x5db5
0013c468 005f7a44 00000001 03639fe8 0013c61c firefox!DeviceContextImpl::PrepareDocument+0x4e05
0013c490 00614a59 030cd758 03639fe8 0013c61c firefox!nsRegionRectIterator::Reset+0x17a9c
0013c588 006152c0 030cd628 03639fe8 030cd758 firefox!DeviceContextImpl::PrepareDocument+0x1c76
0013c728 00614c8d 00000001 03639fe8 0013cbfc firefox!DeviceContextImpl::PrepareDocument+0x24dd
0013c744 00614c6d 030cd628 03639fe8 0013cbfc firefox!DeviceContextImpl::PrepareDocument+0x1eaa
0013c764 00614be3 030cd628 03639fe8 0013cbfc firefox!DeviceContextImpl::PrepareDocument+0x1e8a


FOLLOWUP_IP: 
win32k!MAPPER::bNearMatch+6af
bf82e680 f7fe             idiv    esi

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!MAPPER::bNearMatch+6af

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  422511a2

STACK_COMMAND:  .trap ffffffffb4c969a4 ; kb

FAILURE_BUCKET_ID:  0x7f_0_win32k!MAPPER::bNearMatch+6af

BUCKET_ID:  0x7f_0_win32k!MAPPER::bNearMatch+6af

Followup: MachineOwner
---------

cheers all.

ok, so i believe this means one of your fonts is bad. i suppose we could 
eventually black list it, the x11 toolkits did add blacklists....

so sure, let's chase.
a few things:
1. if you are willing to build mozilla, that'd help. (eventually we'd probably 
add logging to print out each font to a file - flush()d before asking windows 
about it).
2. if you could switch to a non static build (esp one of ctho's builds for 
which we will hopefully have a symbol server soon), that'd be good.

also, it'd help if we could find a real windows expert. i've only been doing 
kernel backtracing for about two months.

anyway. i believe the next step is to follow the kv instructions from analyze -v.
Assignee: general → win32
Component: General → GFX: Win32
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Version: unspecified → Trunk
cheers timeless.

sure i'd be happy to build mozilla. where do i get the sources? and
what do i need to compile them (never done it before you see).

non static build?
one of ctho's?

since using windbg i think i know what you mean about the symbol
server but the rest of point 2 goes straight over my head i'm afraid.

also which bit is the kv instructions. sorry i'm asking a lot of questions.

one other thought, is it likely that another piece of software (avery
design pro as i mentioned at the beginning) could have caused this? i'm
going to test the theory on my dad's computer tomorrow. he doesn't use
firefox so i'll install the latest version and test it. then i'll
install this avery stuff and test again. see what happens.

if it's that software avery really should be fixing their product
imho. especially since they're paid to do that.

anyway, thanks for all the help.
my first bet is that you have an unhappy font. but i could be wrong.

ok, disregard the kv stuff, i believe analyze -v did that for us.

http://www.mozilla.org/build/ has instructions

since you're willing to build, ignore the bit about ctho's builds. one further
suggestion: when you use the build configurator, specify an objdir.
i tested that avery software on my dad's computer (it installs some fonts as well
you see) but it didn't cause the same problems as me.

then i realised that at the same time i installed avery on my laptop i installed
a load of fonts from the desktop.

i deleted all but a few basic fonts and it's cured the problem.

i'm going to install the fonts back one at a time and see if i can find the culprit.
first of four dodgy fonts (don't install unless you want windows and firefox to
crash)
second of four dodgy fonts (don't install unless you want windows and firefox
to crash)
third of four dodgy fonts (don't install unless you want windows and firefox to
crash)
fourth of four dodgy fonts (don't install unless you want windows and firefox
to crash)
i've found a total of four fonts on my system which were causing the crashes.

i've attached these in case anybody wants to find a workaround (presuming of
course that the fonts aren't actually screwed themselves).

they're all from the same (free) font foundry but i've got other fonts from this
foundry installed which don't cause crashes.

also they're all true types. i went and found the non true type windows versions
of the attached fonts and they install without causing crashes too so it appears
to be a small selection of true type fonts from one foundry.

don't know therefore if anybody wants to bother looking into this any further (i
can't help but wonder what it is in mozilla that crashes whereas ie and opera
don't?) but if you do i'd be happy to help in any way i can (go ahead with
building mozilla on my system etc.) and if you don't, thanks very much for
everyone's help. never would have found the fault otherwise.

cheers.
you might try http://www.microsoft.com/typography/TrueTypeProperty21.mspx to see
if it happens to give any useful information (i don't really feel like
installing fonts that cause blue screens, i have antivirus software and file
change reverting software that causes enough blue screens...).

anyway. we can blacklist the individual fonts. at the very least we should
report the problem to microsoft so that they can fix gdi to not crash. and we
should report the problem to the foundry so that they can fix their bad fonts.

you should be able to make an html testcase with css that explicitly specifies
those fonts (to make it easier to force the crashes).

could you indicate the name of these dodgy fonts and where they can be obtained?

btw thanks for your efforts. once you get a build, we can perhaps find out if
there's a way to get the font metrics we need w/o bluescreening (that should be
fairly exciting)
Keywords: crash
Summary: windows crashes (reboots/blue screen of death) when opening certain web pages (e.g. wikipedia) in firefox (and mozilla hence reporting here) → windows blue screens because of certain true type fonts [@ win32k!MAPPER::bNearMatch+0x6af]
The fonts are all from Astigmatic One Eye Fonts:

Futhark, Futhark Inline: http://www.astigmatic.com/futhark.html
AmphibiPrint: http://www.astigmatic.com/amphibi.html
Senth: http://www.astigmatic.com/senth.html

They are all symbol fonts, but have Unicode format CMAP tables, which may or may
not be relevant.
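The cmap observation above can be checked on the font file itself, without installing it. The following is an added example, not code from this bug or from Mozilla: it reads the sfnt table directory and the cmap encoding records and reports whether a Windows Symbol (platform 3, encoding 0) or Windows Unicode (3/1, 3/10) subtable is declared. The sample bytes are constructed for the example and are not taken from the attached fonts.

```python
import struct

# (platformID, encodingID) pairs defined by the TrueType/OpenType cmap table.
ENCODINGS = {(3, 0): "Windows Symbol", (3, 1): "Windows Unicode BMP",
             (3, 10): "Windows Unicode full", (1, 0): "Macintosh Roman"}

def table_directory(data):
    """Return {tag: (offset, length)} from an sfnt (TrueType) header."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack_from(">IH", data, 0)
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt file")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            raise ValueError("table directory runs past end of file")
        tag, _sum, offset, length = struct.unpack_from(">4sIII", data, rec)
        if offset + length > len(data):
            raise ValueError("table %r lies outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def cmap_encodings(data):
    """Return the (platformID, encodingID) pair of every cmap subtable."""
    tables = table_directory(data)
    if "cmap" not in tables or tables["cmap"][1] < 4:
        raise ValueError("no usable cmap table")
    offset, length = tables["cmap"]
    _version, count = struct.unpack_from(">HH", data, offset)
    if 4 + 8 * count > length:
        raise ValueError("cmap encoding records overrun the table")
    return [struct.unpack_from(">HH", data, offset + 4 + 8 * i)
            for i in range(count)]

def describe(data):
    pairs = cmap_encodings(data)
    return {"encodings": [ENCODINGS.get(p, "other %d/%d" % p) for p in pairs],
            "windows_symbol": (3, 0) in pairs,
            "windows_unicode": (3, 1) in pairs or (3, 10) in pairs}

def build_sample(pairs):
    """Constructed input: an sfnt holding only a cmap header, no glyphs."""
    cmap = struct.pack(">HH", 0, len(pairs))
    for platform, encoding in pairs:
        cmap += struct.pack(">HHI", platform, encoding, 0)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    return header + struct.pack(">4sIII", b"cmap", 0, 28, len(cmap)) + cmap
```

For a real file, pass the bytes from `open(path, "rb").read()` to `describe()`; a pictorial font that reports `windows_unicode` and not `windows_symbol` matches the description in the comment above.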
i'll work on the html test case.

simon's already listed where the fonts are from (cheers).

can i just clarify something about the build process.

i'm getting the tools together and just mapping out exactly what i need to do
before i go and do it but one thing confuses me. how the fonts fit in.

i've removed the fonts at the moment but i presume i should reinstall them to
build to the system that is crashing rather than one which isn't? however could
you please confirm this for me (sorry if i'm being dumb).
you can install the fonts long after you build (and should).
i would just like to confirm this bug. i also was having crashes with firefox on a system for several months (so actually i was not able to use firefox on that machine) before i found out that it is because of a font.

from my research i can add this info:

1. i have tested versions of firefox from 1.0.x to 1.6 alpha2 (latest build as of today 5.12.2005) and they all crash with a BSOD 0x0000007F
2. from my test the crash will happen only if i have installed _both_ of the two fonts AMPHPA__.FON and AMPHPA__.TTF, if i have installed only one of them FF does not crash (at least in my tests)
3. additionally to the two above fonts installed, there must also be a special html code in the site that we open, to get the crash. from my tests some of the so called escape codes will crash it (for example &#65533;)

if needed i have several minidumps of this crash, a full memory dump, samples of the AMPHPA__.FON and AMPHPA__.TTF fonts, sample of an html page and an avi movie that shows the crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
relnote in one part, draft included at no extra charge.

relnote: the following fonts <Futhark, Futhark Inline, AmphibiPrint, 
Senth> from vendor <Astigmatic> when installed on your system can cause your system to bluescreen, it is not recommended to have these fonts available if you want to run <insert gecko derived product name here>

qawanted in three parts, note that each part can be done independently, when all 3 are done, the keyword can be removed.

qawanted (part 0): could someone spend some time and inform the font vendor <Astigmatic> that these fonts are dangerous? :)

qawanted (part 1): does this happen in w2k3svr [nt5.2], and windows vista [nt6]?
obviously part 1 has some influence on 2.

qawanted (part 2): would someone please work on a simple html testcase? (yes this involves bluescreening your windows computer repeatedly, not for the faint of heart) i'd like to send this report to microsoft, i'm sorry it got lost. the goal is to be able to give microsoft:
1. the url for any of the attached truetype files
2. the url for a testcase to be used with any of the attached truetype files
3. a mozilla/firefox that causes windows to bluescreen when loading 2.

ideally both a shipping version of firefox and the symbol'd version from mcsmurf's site, realistically it won't matter, whatever you do, any recent version of gecko should be able to trigger this blue screen, but the goal is to make it easy for ms to figure out how to fix this problem.
Keywords: qawanted, relnote
stuart "volunteered" to add blacklisting ;-)
Assignee: win32 → pavlov
eh, i'll look at it some day
Assignee: pavlov → win32
Okay, I tried to reproduce the BSoD but can't on trunk.   I managed it once using an old Firefox 1.0.7... But I can't reproduce it anymore.  Maybe it's related to using things after they were freed?  It certainly seems to be a Heisenbug... :(

But then I managed to do it, very repeatably, using charmap... and that's a Microsoft app, so hopefully they've got better symbols.  The stack isn't quite the same though.

Steps to reproduce:
1. Grab the AmphibiPrint zip (comment 25)
2. Install the .fon (not the TTF)
3. Open charmap, choose AmphibiPrint AOE, close.
4. Install the .ttf
5. Open charmap again

ChildEBP RetAddr  Args to Child              
a9bf6940 8059754b 0000007f bf82e714 00000000 nt!KeBugCheck+0x14
a9bf6998 8053e3ef a9bf69a4 a9bf6a30 bf82e714 nt!Ki386CheckDivideByZeroTrap+0x41
a9bf6998 bf82e714 a9bf69a4 a9bf6a30 bf82e714 nt!KiTrap00+0x83
a9bf6a30 bf82db6f a9bf6a6c 00000834 e4c215fc win32k!MAPPER::bNearMatch+0x6af
a9bf6a80 bf82d6a7 e1000000 e4adc0f0 00000000 win32k!MAPPER::bFoundExactMatch+0x169
a9bf6bc4 bf81161c a9bf6d0c e368b128 e368b0e4 win32k!ppfeGetAMatch+0x1a2
a9bf6c38 bf80736d a9bf6d0c a9bf6cac a9bf6c88 win32k!LFONTOBJ::ppfeMapFont+0x2c7
a9bf6cb0 bf80753c e368b008 00000000 00000002 win32k!RFONTOBJ::bInit+0x15b
a9bf6cc8 bf8eb639 a9bf6d0c 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
a9bf6ce4 bf8eb5e8 00000000 70616d63 00000000 win32k!ulGetFontData2+0x17
a9bf6d04 bf8eb5ab e4adc008 70616d63 00000000 win32k!ulGetFontData+0x48
a9bf6d48 8053d808 01010674 70616d63 00000000 win32k!NtGdiGetFontData+0x26
a9bf6d48 7c92eb94 01010674 70616d63 00000000 nt!KiFastCallEntry+0xf8
0007f420 77f0c1b9 01007ae1 01010674 70616d63 ntdll!KiFastSystemCallRet
0007f464 77efbd5b 000e73bc 00000004 01010674 GDI32!NtGdiGetFontData+0xc
0007f498 77efbc82 0601070a 00000000 000b1d20 GDI32!EnumFontsInternalW+0x111
0007f4bc 01007efa 0601070a 0007f4e0 01007a0a GDI32!EnumFontFamiliesExW+0x35
0007f53c 01006464 0006039c 0007fc3c 010055d2 charmap!Font_InitList+0x4d
0007fbd4 77d18734 0006039c 00000110 000703ae charmap!UCEDlgProc+0xe92
0007fc00 77d2418d 010055d2 0006039c 00000110 USER32!InternalCallWinProc+0x28
0007fc6c 77d23fd9 00000000 010055d2 0006039c USER32!UserCallDlgProcCheckWow+0x146
0007fcb4 77d24204 00000000 00000110 000703ae USER32!DefDlgProcWorker+0xa8
0007fcd0 77d18734 0006039c 00000110 000703ae USER32!DefDlgProcW+0x22
0007fcfc 77d18816 77d241e2 0006039c 00000110 USER32!InternalCallWinProc+0x28
0007fd64 77d1b89b 00000000 77d241e2 0006039c USER32!UserCallWinProcCheckWow+0x150
0007fda0 77d24e28 005f38b0 005f3470 000703ae USER32!SendMessageWorker+0x4a5
0007fe58 77d2514c 00000000 005f38b0 00000348 USER32!InternalCreateDialog+0x9df
0007fe7c 77d28537 01000000 01034900 00000000 USER32!CreateDialogIndirectParamAorW+0x33
0007fea8 010067ed 01000000 01001640 00000000 USER32!CreateDialogParamW+0x49
0007feec 010068d3 01000000 00000001 7c80b529 charmap!InitInstance+0x7b
0007ff1c 0100aca1 01000000 00000000 000a2332 charmap!WinMain+0x50
0007ffc0 7c816d4f 00350030 00310031 7ffdb000 charmap!WinMainCRTStartup+0x174
0007fff0 00000000 0100ab2d 00000000 78746341 kernel32!BaseProcessStart+0x23

I think the charmap case might have something to do with shims, since if I'm reading things correctly it's asking for ANSI_CHARSET but gets all fonts anyway, which I can't duplicate by calling EnumFontFamiliesExW myself.

Also, charmap is crashing on AmphibiPrint AOE with charset MAC_CHARSET.
We no longer use GetFontData() which appeared to be in the stacks -- I would bet that charmap does.  We may need to use it again in the future for getting the cmaps out of the font, but probably not for a while.
Product: Core → Core Graveyard
Sounds like WFM for now.  Btw, I'd rather us contact secure@microsoft.com than quietly blacklist fonts, especially now that most browsers support @font-face.
Status: NEW → RESOLVED
Closed: 19 years ago → 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ win32k!MAPPER::bNearMatch+0x6af]