crash [@ _moz_cairo_win32_scaled_font_select_font]

VERIFIED FIXED

Status: VERIFIED FIXED
Product: Core
Component: SVG
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 11 years ago

People: Reporter: jwatt, Assigned: longsonr

Tracking: keywords crash, testcase
Version: Trunk
Platform: x86 Windows XP
Points: ---

Firefox Tracking Flags: (Not tracked)

Details: (crash signature, URL)

Attachments: (2 attachments)

We have a null dereference in the small testcase I'll attach in a sec. In the console I see:

_win32_scaled_font_set_world_transform: The operation completed successfully.
0[b55708]: ###!!! ASSERTION: Failed to make scaled font: 'mScaledFont', file c:/mozilla/trees/trunk/mozilla/gfx/thebes/src/gfxWindowsFonts.cpp, line 156
###!!! ASSERTION: Failed to make scaled font: 'mScaledFont', file c:/mozilla/trees/trunk/mozilla/gfx/thebes/src/gfxWindowsFonts.cpp, line 156

before crashing with the following stack.

>	thebes.dll!_moz_cairo_win32_scaled_font_select_font(_cairo_scaled_font * scaled_font=0x00000000, HDC__ * hdc=0xac0138a4)  Line 1618 + 0x3 bytes	C
 	thebes.dll!gfxWindowsTextRun::MeasureOrDrawFast(gfxContext * aContext=0x04d2d400, int aDraw=1, gfxPoint pt={...})  Line 702 + 0xd bytes	C++
 	thebes.dll!gfxWindowsTextRun::Draw(gfxContext * aContext=0x04d2d400, gfxPoint pt={...})  Line 502 + 0x1c bytes	C++
 	thebes.dll!gfxContext::DrawTextRun(gfxTextRun * text=0x04284b68, gfxPoint pt={...})  Line 628	C++
 	gkgfxthebes.dll!nsThebesFontMetrics::DrawString(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000, nsThebesRenderingContext * aContext=0x0344a5f0)  Line 441	C++
 	gkgfxthebes.dll!nsThebesRenderingContext::DrawStringInternal(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000)  Line 1271	C++
 	gkgfxthebes.dll!nsRenderingContextImpl::DrawString(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000)  Line 893 + 0x29 bytes	C++
 	gklayout.dll!nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x04445508, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x04d4e1f0, nsTextPaintStyle & aTextStyle={...}, int dx=0, int dy=0)  Line 2915	C++
 	gklayout.dll!nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...})  Line 2015	C++
 	gklayout.dll!nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012ec80, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 1948	C++
 	gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012ec80, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 302 + 0x19 bytes	C++
 	gklayout.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x0344a5f4, nsIFrame * aFrame=0x04d4dfac, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=0)  Line 721	C++
 	gklayout.dll!nsSVGForeignObjectFrame::PaintSVG(nsSVGRenderState * aContext=0x0012eec0, nsRect * aDirtyRect=0x0012eeb0)  Line 240 + 0x2c bytes	C++
 	gklayout.dll!nsSVGUtils::PaintChildWithEffects(nsSVGRenderState * aContext=0x0012eec0, nsRect * aDirtyRect=0x0012eeb0, nsIFrame * aFrame=0x04d4de2c)  Line 701	C++
 	gklayout.dll!nsSVGOuterSVGFrame::Paint(nsIRenderingContext & aRenderingContext={...}, const nsRect & aDirtyRect={...}, nsPoint aPt={...})  Line 500 + 0x11 bytes	C++
 	gklayout.dll!nsDisplaySVG::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 408	C++
 	gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 302 + 0x19 bytes	C++
 	gklayout.dll!nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 711	C++
 	gklayout.dll!nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 943	C++
 	gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...})  Line 302 + 0x19 bytes	C++
 	gklayout.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x0344a5f4, nsIFrame * aFrame=0x04cbe45c, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295)  Line 721	C++
 	gklayout.dll!PresShell::Paint(nsIView * aView=0x04d349a8, nsIRenderingContext * aRenderingContext=0x0344a5f4, const nsRegion & aDirtyRegion={...})  Line 5668 + 0x15 bytes	C++
 	gklayout.dll!nsViewManager::RenderViews(nsView * aView=0x04c65b00, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000)  Line 816	C++
 	gklayout.dll!nsViewManager::Refresh(nsView * aView=0x04c65b00, nsIRenderingContext * aContext=0x0344a5f4, nsIRegion * aRegion=0x0344a690, unsigned int aUpdateFlags=1)  Line 580	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f464, nsEventStatus * aStatus=0x0012f310)  Line 1448	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f464)  Line 174	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f464, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1113 + 0xc bytes	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f464, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1139	C++
 	gkwidget.dll!nsWindow::OnPaint(HDC__ * aDC=0x00000000)  Line 5952 + 0x1e bytes	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012f950)  Line 4439 + 0x15 bytes	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x002a0dac, unsigned int msg=15, unsigned int wParam=0, long lParam=0)  Line 1302 + 0x1d bytes	C++
 	user32.dll!77d48734() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!77d48816() 	
 	MSCTF.dll!74730e71() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4ebf3() 	
 	user32.dll!77d4b50c() 	
 	ntdll.dll!7c90eae3() 	
 	user32.dll!77d494d2() 	
 	user32.dll!77d4b530() 	
 	user32.dll!77d49402() 	
 	user32.dll!77d48a10() 	
 	gkwidget.dll!nsAppShell::ProcessNextNativeEvent(int mayWait=1)  Line 149	C++
 	gkwidget.dll!nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=1)  Line 136 + 0x11 bytes	C++
 	gkwidget.dll!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b5c7e0, int mayWait=1, unsigned int recursionDepth=0)  Line 231 + 0xf bytes	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fbc4)  Line 472	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b5c7e0, int mayWait=1)  Line 225 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=4, char * * argv=0x00b590a0, const nsXREAppData * aAppData=0x004036b0)  Line 2513 + 0x25 bytes	C++
 	firefox.exe!main(int argc=4, char * * argv=0x00b590a0)  Line 61 + 0x13
(Reporter)

Comment 1

11 years ago
Created attachment 246767 [details]
testcase - LIVE CRASHER
(Reporter)

Comment 2

11 years ago
Oh. The reason we're crashing is that I set the Y-axis scale to zero instead of one by mistake. Nevertheless, we shouldn't crash. Putting a conditional breakpoint in gfxWindowsFont::UpdateCTM with the condition |aMatrix.mat.xx==2.0| catches when the invalid matrix is set on the gfxWindowsFont.

Comment 3

11 years ago
Looks like the same crash as in bug 358732.
Keywords: crash, testcase
(Assignee)

Comment 4

11 years ago
Created attachment 249241 [details] [diff] [review]
patch
Assignee: general → longsonr
Status: NEW → ASSIGNED
Attachment #249241 - Flags: review?(jwatt)
(Reporter)

Comment 5

11 years ago
Comment on attachment 249241 [details] [diff] [review]
patch

thanks
Attachment #249241 - Flags: review?(jwatt) → review+
(Assignee)

Updated

11 years ago
Attachment #249241 - Flags: superreview?(roc)
Comment on attachment 249241 [details] [diff] [review]
patch

OK, but wouldn't it make more sense for drawing operations to not crash on a singular matrix?
Attachment #249241 - Flags: superreview?(roc) → superreview+
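Comment 2 gives the root cause (a singular CTM from a zero Y-axis scale, so no scaled font is created and a NULL pointer reaches the cairo select-font call) and the superreview comment asks why drawing on a singular matrix should crash at all. The following C program is an added illustration of the defensive pattern both comments point at; it is not Mozilla's or cairo's code. The `demo_` types and functions, the matrix values and the status codes are all constructed for this example; only the field naming (`xx, yx, xy, yy, x0, y0`) and the "Y scale of zero" input come from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for cairo's 2x3 affine matrix; the field names follow
   the cairo_matrix_t convention (xx, yx, xy, yy, x0, y0) quoted in Comment 2. */
typedef struct {
    double xx, yx, xy, yy, x0, y0;
} demo_matrix_t;

typedef enum {
    DEMO_STATUS_SUCCESS = 0,
    DEMO_STATUS_INVALID_MATRIX,   /* transform is singular (e.g. a scale of 0) */
    DEMO_STATUS_NULL_FONT         /* no scaled font exists for this CTM */
} demo_status_t;

/* Hypothetical scaled font: carries the CTM it was built for. */
typedef struct {
    demo_matrix_t ctm;
    int selected;
} demo_scaled_font_t;

/* Build a pure scale matrix, the kind the SVG testcase sets. */
demo_matrix_t demo_matrix_scale(double sx, double sy) {
    demo_matrix_t m = { sx, 0.0, 0.0, sy, 0.0, 0.0 };
    return m;
}

/* A matrix is singular when the determinant of its linear part is zero; a
   zero Y-axis scale (yy == 0) makes it so. A small epsilon also catches
   near-zero determinants produced by rounding. */
int demo_matrix_is_singular(const demo_matrix_t *m) {
    double det = m->xx * m->yy - m->xy * m->yx;
    if (det < 0.0) det = -det;
    return det < 1e-12;
}

/* Hypothetical font creation: refuses a singular CTM and returns NULL, the
   condition the report's "Failed to make scaled font" assertion flags. */
demo_scaled_font_t *demo_scaled_font_create(demo_scaled_font_t *storage,
                                            const demo_matrix_t *ctm) {
    if (demo_matrix_is_singular(ctm)) return NULL;
    storage->ctm = *ctm;
    storage->selected = 0;
    return storage;
}

/* Plays the role of UpdateCTM from Comment 2: a new matrix arrives after
   creation, so it must be validated before it is stored. */
demo_status_t demo_scaled_font_update_ctm(demo_scaled_font_t *font,
                                          const demo_matrix_t *ctm) {
    if (font == NULL) return DEMO_STATUS_NULL_FONT;
    if (demo_matrix_is_singular(ctm)) return DEMO_STATUS_INVALID_MATRIX;
    font->ctm = *ctm;
    return DEMO_STATUS_SUCCESS;
}

/* Guarded equivalent of selecting the font into a device context: a NULL
   font yields a status instead of a dereference of 0x00000000, and the
   stored CTM is re-checked as defence in depth. */
demo_status_t demo_scaled_font_select_font(demo_scaled_font_t *font) {
    if (font == NULL) return DEMO_STATUS_NULL_FONT;
    if (demo_matrix_is_singular(&font->ctm)) return DEMO_STATUS_INVALID_MATRIX;
    font->selected = 1;
    return DEMO_STATUS_SUCCESS;
}

/* Text drawing path with the check up front: on a degenerate transform there
   is nothing visible to draw, so the draw is skipped and the status returned. */
demo_status_t demo_draw_text_scaled(double sx, double sy, const char *text) {
    demo_matrix_t ctm = demo_matrix_scale(sx, sy);
    demo_scaled_font_t storage;
    demo_scaled_font_t *font = demo_scaled_font_create(&storage, &ctm);
    demo_status_t st = demo_scaled_font_select_font(font);
    if (st != DEMO_STATUS_SUCCESS) {
        fprintf(stderr, "skipping \"%s\": ctm [%g 0 0 %g] unusable (status %d)\n",
                text, sx, sy, (int)st);
        return st;
    }
    printf("drawing \"%s\" with ctm [%g 0 0 %g]\n", text, sx, sy);
    return DEMO_STATUS_SUCCESS;
}

/* Create with the identity, swap in a new CTM as UpdateCTM would, then select. */
demo_status_t demo_reselect_after_update(double sx, double sy) {
    demo_matrix_t identity = demo_matrix_scale(1.0, 1.0);
    demo_matrix_t ctm = demo_matrix_scale(sx, sy);
    demo_scaled_font_t storage;
    demo_scaled_font_t *font = demo_scaled_font_create(&storage, &identity);
    demo_status_t st = demo_scaled_font_update_ctm(font, &ctm);
    if (st != DEMO_STATUS_SUCCESS) return st;
    return demo_scaled_font_select_font(font);
}

int main(void) {
    /* Constructed inputs: xx == 2.0 matches the breakpoint condition in
       Comment 2; sy == 0.0 is the mistaken Y-axis scale from the testcase. */
    demo_draw_text_scaled(2.0, 1.0, "valid transform");
    demo_draw_text_scaled(2.0, 0.0, "zero Y scale");
    return 0;
}
```

The point of the layering is that the caller of the select routine, not the select routine itself, decides what to do with a degenerate transform; the select routine only has to refuse NULL and report a status, which is the behaviour the superreview comment asks for.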
(Assignee)

Comment 7

11 years ago
Patch checked in.

Will investigate fixing cairo upstream not to crash.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 8

11 years ago
VERIFIED FIXED

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a2pre) Gecko/20070102 Minefield/3.0a2pre ID:2007010206 [cairo]
Status: RESOLVED → VERIFIED
Crash Signature: [@ _moz_cairo_win32_scaled_font_select_font]