Closed Bug 372639 Opened 18 years ago Closed 18 years ago

Segmentation fault in cairo font code loading png as HTML

Categories: Core :: Graphics, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Target Milestone: mozilla1.9alpha8
Reporter: bzbarsky (Unassigned)
Attachments: 2 files

BUILD: Current trunk build
STEPS TO REPRODUCE: Load URL in the URL bar
ACTUAL RESULTS: An optimized build crashes with a SIGSEGV in:
#0 0x008a3d8a in _int_malloc () from /lib/libc.so.6
#1 0x008a5587 in malloc () from /lib/libc.so.6
#2 0x00cf2ae0 in IA__g_malloc (n_bytes=16) at gmem.c:137
#3 0x0010f596 in pango_glyph_string_new () at glyphstring.c:36
#4 0x0066b7f6 in FontSelector::InitSegments () from /home/bzbarsky/mozilla/profile/obj-opt/dist/bin/libthebes.so
A debug build aborts with a SIGABRT at:
../../../../../mozilla/gfx/cairo/cairo/src/cairo-ft-font.c:692: _cairo_ft_unscaled_font_set_scale: Assertion `error == 0' failed.
#3 0x00ea6db1 in __assert_fail () from /lib/tls/libc.so.6
#4 0x078f45fa in _cairo_ft_unscaled_font_set_scale (unscaled=0x90cd958, scale=0x8f7aaf8) at ../../../../../mozilla/gfx/cairo/cairo/src/cairo-ft-font.c:692
#5 0x078f5ac4 in _cairo_ft_scaled_font_create (unscaled=0x90cd958, font_face=0x90cda08, font_matrix=0xbfe63220, ctm=0xbfe632b0, options=0x8f65520, ft_options= {base = {antialias = CAIRO_ANTIALIAS_NONE, subpixel_order = CAIRO_SUBPIXEL_ORDER_DEFAULT, hint_style = CAIRO_HINT_STYLE_DEFAULT, hint_metrics = CAIRO_HINT_METRICS_DEFAULT}, load_flags = 0, extra_flags = CAIRO_FT_OPTIONS_HINT_METRICS}) at ../../../../../mozilla/gfx/cairo/cairo/src/cairo-ft-font.c:1455
#6 0x078f6b83 in _cairo_ft_font_face_scaled_font_create (abstract_face=0x90cda08, font_matrix=0xbfe63220, ctm=0xbfe632b0, options=0x8f65520, scaled_font=0xbfe630ec) at ../../../../../mozilla/gfx/cairo/cairo/src/cairo-ft-font.c:2122
#7 0x078d379b in *INT__moz_cairo_scaled_font_create (font_face=0x90cda08, font_matrix=0xbfe63220, ctm=0xbfe632b0, options=0x8f65520) at ../../../../../mozilla/gfx/cairo/cairo/src/cairo-scaled-font.c:476
#8 0x078b0d47 in CreateScaledFont (aCR=0x8f695a0, aCTM=0xbfe632b0, aPangoFont=0x9226138) at ../../../../mozilla/gfx/thebes/src/gfxPangoFonts.cpp:1770
#9 0x078b0e4c in gfxPangoFont::SetupCairoFont (this=0x9244700, aCR=0x8f695a0) at ../../../../mozilla/gfx/thebes/src/gfxPangoFonts.cpp:1796
This aborts in the same place for me in a debug build; in opt it triggers a crash while deleting a text transformer, which suggests memory corruption to me.
Memory corruption is supported by the talkback for the original crash I ran into with this: TB29928586
Severity: normal → critical
Flags: blocking1.9?
It's a bug in font selection, it's calling AppendSegment too many times, presumably processing some characters multiple times. This patch detects this, fires an assertion and then safely exits. We'll have the wrong glyphs for some characters but we won't crash.
Attachment #258261 - Flags: review?(pavlov)
Attachment #258261 - Flags: review?(pavlov) → review+
Checked that in. Leaving this bug open because the original problem is still there; it's just an assertion now.
Flags: blocking1.9? → blocking1.9+
Target Milestone: --- → mozilla1.9alpha5
Target Milestone: mozilla1.9alpha5 → mozilla1.9alpha6
The attachment in comment #3 now results in a SIGSEGV after
WARNING: REASSIGNING MULTIFLOW TEXT RUN (not append)!: file /home/karl/moz/mozilla/layout/generic/nsTextFrameThebes.cpp, line 1908
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /home/karl/moz/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /home/karl/moz/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
The warning and assertions in comment #5 are no longer present, but there is still a SIGSEGV:
#0 0x00002aaaadae21d9 in nsTextFrameUtils::TransformText (aText=0x14fd3d8, aLength=4294967293, aOutput=0x7fff1b644000, aCompressWhitespace=1, aIncomingWhitespace=0x7fff1b63b17f "", aSkipChars=0x7fff1b6393b0, aAnalysisFlags=0x7fff1b63960c) at /home/karl/moz/mozilla/layout/generic/nsTextFrameUtils.cpp:153
#1 0x00002aaaadad3b62 in BuildTextRunsScanner::BuildTextRunForFrames (this=0x7fff1b63ac90, aTextBuffer=0x7fff1b6397d0) at /home/karl/moz/mozilla/layout/generic/nsTextFrameThebes.cpp:1584
#2 0x00002aaaadad4bf4 in BuildTextRunsScanner::FlushFrames (this=0x7fff1b63ac90, aFlushLineBreaks=0) at /home/karl/moz/mozilla/layout/generic/nsTextFrameThebes.cpp:1256
#3 0x0054fffd0140fffd in ?? ()
aLength shouldn't be -ve
Depends on: 386012
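The two failure modes in this thread, the font selector calling AppendSegment more times than its segment array holds (comment 3) and a run length that has wrapped to 4294967293 because a negative value reached an unsigned parameter (comment 6), are illustrated below in a small self-contained C program. This is an added example, not Mozilla's code: `SegmentList`, `append_segment`, `simulate_over_append`, `run_length`, `range_is_valid` and the capacity `MAX_SEGMENTS` are hypothetical stand-ins for the real FontSelector and nsTextFrameUtils structures, and the inputs are constructed. It shows the pattern the landed patch follows, detect the over-append and bail out rather than overrun, plus the range check that keeps a wrapped length from ever indexing a buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capacity of the hypothetical segment array; a stand-in for whatever
   FontSelector::InitSegments sized its buffer for, not Mozilla's own code. */
#define MAX_SEGMENTS 4

typedef struct {
    uint32_t start;   /* index of the first character in the segment */
    uint32_t length;  /* number of characters the segment covers */
} Segment;

typedef struct {
    Segment segs[MAX_SEGMENTS];
    size_t  count;       /* segments appended so far */
    bool    overflowed;  /* set once a caller tried to append past capacity */
} SegmentList;

/* Bounded append: on overflow it records the fault, warns, and returns false
   instead of writing past segs[]. The caller carries on with the segments it
   already has (wrong glyphs for the leftover characters, but no corrupted
   heap), which is the trade-off comment 3 describes. */
bool append_segment(SegmentList *list, uint32_t start, uint32_t length)
{
    if (list->count >= MAX_SEGMENTS) {
        list->overflowed = true;
        fprintf(stderr, "append_segment: refusing segment %zu, capacity is %d\n",
                list->count, MAX_SEGMENTS);
        return false;
    }
    list->segs[list->count].start  = start;
    list->segs[list->count].length = length;
    list->count++;
    return true;
}

/* Feeds `attempts` two-character segments into a fresh list (more than it can
   hold when attempts > MAX_SEGMENTS) and returns the list so the caller can
   see how many were accepted and whether the overflow was flagged. */
SegmentList simulate_over_append(size_t attempts)
{
    SegmentList list = { .count = 0, .overflowed = false };
    for (size_t i = 0; i < attempts; i++)
        append_segment(&list, (uint32_t)(i * 2), 2);
    return list;
}

/* Plain unsigned subtraction, as a caller computing a run length from an
   inverted [start, end) range would do it: start=3, end=0 wraps to
   4294967293, the aLength value seen in comment 6. */
uint32_t run_length(uint32_t start, uint32_t end)
{
    return end - start;
}

/* The guard that belongs in front of run_length(): an inverted range, or one
   that reaches past the text, is rejected before any buffer is indexed. */
bool range_is_valid(uint32_t start, uint32_t end, uint32_t text_len)
{
    return start <= end && end <= text_len;
}

int main(void)
{
    SegmentList list = simulate_over_append(6);
    printf("accepted %zu of 6 segments, overflow flagged: %s\n",
           list.count, list.overflowed ? "yes" : "no");

    const uint32_t text_len = 10;  /* constructed: a 10-character text run */
    uint32_t ranges[][2] = { {2, 5}, {3, 0}, {2, 11} };
    for (size_t i = 0; i < 3; i++) {
        uint32_t s = ranges[i][0], e = ranges[i][1];
        if (range_is_valid(s, e, text_len))
            printf("[%u,%u): length %u\n", s, e, run_length(s, e));
        else
            printf("[%u,%u): rejected (unchecked value would be %u)\n",
                   s, e, run_length(s, e));
    }
    return 0;
}
```

The over-append check only works because `append_segment` is the single place that writes into `segs[]`; the range check is cheap enough to run on every caller-supplied offset, and in a debug build an assertion beside it would surface the bug the same way the thread's NS_ASSERTION does without turning it into a crash in release.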
The patch in bug 386012 resolves the SIGSEGV that I was seeing. The assertion from comment #3 also doesn't fire, probably related to the font selection changes that fixed bug 375772. I think this can be marked WFM when the patch in 386012 is committed.
Punting remaining a6 bugs to b1; all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME