Closed
Bug 390032
Opened 17 years ago
Closed 17 years ago
Crash viewing PNG as text/plain [@ gfxTextRun::SetMissingGlyph][@ gfxTextRun::ShrinkToLigatureBoundaries]
Categories
(Core :: Layout: Text and Fonts, defect, P4)
RESOLVED
WORKSFORME
mozilla1.9alpha8
People
(Reporter: bzbarsky, Unassigned)
Details
(Keywords: crash, Whiteboard: [dbaron-1.9:R?])
Attachments
(1 file: 645.37 KB, patch)
BUILD: Current trunk on Mac
STEPS TO REPRODUCE:
1) Edit the attachment coming up (it's a PNG, but attached as a patch).
2) Crash
CRASH REPORT: http://crash-stats.mozilla.com/report/index/903df6a3-3dd5-11dc-980a-001a4bd43e5c?date=2007-07-29-13
STACK:
0 gfxTextRun::SetMissingGlyph(unsigned int, unsigned short)
1 SetGlyphsForCharacterGroup(ATSLayoutRecord*, unsigned int, long*, unsigned int, gfxTextRun*, unsigned int, unsigned char const*, unsigned short const*)
2 PostLayoutOperationCallback(unsigned long, ATSGlyphVector*, unsigned long, void*, unsigned long*)
3 InvokeLayoutCallback
4 _eLLCLayoutText
5 LLCLayoutText
6 ATSULayoutGlyphs(TATSUGlyphRecordArray*, ATSLineLayoutLineParams*, long, ATSUTab const*, unsigned long, __CFString const*, unsigned short const*, unsigned long, unsigned long)
7 TTextLineLayout::LayoutGlyphVector(TATSUGlyphRecordArray*, ATSLineLayoutLineParams*, TLayoutControls*, long, unsigned long)
8 TTextLineLayout::EnsureLayoutIsUpToDate(unsigned long, unsigned char, unsigned long, TATSUGlyphRecordArray**)
9 TTextLineLayout::GetGlyphBounds(unsigned long, unsigned long, long, long, unsigned short, unsigned long, ATSTrapezoid*, unsigned long*)
Top frame is: 0|0|XUL|gfxTextRun::SetMissingGlyph(unsigned int, unsigned short)|cvs:cvs.mozilla.org/cvsroot:mozilla/gfx/thebes/src/gfxFont.cpp:1.58|1623|0xe
So that's line 1623.
Doesn't crash on Linux, for what it's worth.
Flags: blocking1.9?
Reporter
Comment 1•17 years ago
Er, maybe it does crash on Linux. I didn't actually check, apparently..
Comment 2•17 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a7pre) Gecko/2007072904 Minefield/3.0a7pre ID:2007072904
This crashes for me on win2k too. No crash data of course, breakpad doesn't run on win2k!
Severity: normal → critical
Keywords: crash
Comment 3•17 years ago
Also crashes with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007072905 Minefield/3.0a7pre, breakpad submitted something, but I'm not able to find it.
In a self compiled suiterunner debug build I got the following before the crash:
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file d:/seamonkeysource/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file d:/seamonkeysource/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
OS: Mac OS X → All
Comment 4•17 years ago
Here's the stack of the crash I'm seeing on win32:
xul.dll!gfxTextRun::ShrinkToLigatureBoundaries(unsigned int * aStart=0x0012deb4, unsigned int * aEnd=0x0012dee8) Line 933 C++
xul.dll!gfxTextRun::BreakAndMeasureText(unsigned int aStart=4294966794, unsigned int aMaxLength=173, int aLineBreakBefore=1, double aWidth=54780.000000000000, gfxTextRun::PropertyProvider * aProvider=0x0012dfcc, int aSuppressInitialBreak=1, double * aTrimWhitespace=0x00000000, gfxFont::RunMetrics * aMetrics=0x0012e0b8, int aTightBoundingBox=0, int * aUsedHyphenation=0x0012e114, unsigned int * aLastBreak=0x0012e118) Line 1315 C++
xul.dll!nsTextFrame::Reflow(nsPresContext * aPresContext=0x0000001b, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=135898264) Line 5376 + 0x45 bytes C++
xul.dll!nsLineLayout::ReflowFrame(nsIFrame * aFrame=0x0819a498, unsigned int & aReflowStatus=135898264, nsHTMLReflowMetrics * aMetrics=0x00000000, int & aPushedFrame=0) Line 892 C++
xul.dll!nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & aState={...}, nsLineLayout & aLineLayout={...}, nsLineList_iterator aLine={...}, nsIFrame * aFrame=0x0819a498, LineReflowStatus * aLineReflowStatus=0x0012e328) Line 3524 C++
xul.dll!nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & aState={...}, nsLineLayout & aLineLayout={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012e530, LineReflowStatus * aLineReflowStatus=0x0012e40c, int aAllowPullUp=1) Line 3344 C++
xul.dll!nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012e530) Line 3188 C++
xul.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012e530) Line 2224 C++
xul.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...}) Line 1828 C++
xul.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 925 C++
xul.dll!nsBlockReflowContext::ReflowBlock(const nsRect & aSpace={...}, int aApplyTopMargin=0, nsCollapsingMargin & aPrevMargin={...}, int aClearance=0, int aIsAdjacentWithTop=1, nsMargin & aComputedOffsets={...}, nsHTMLReflowState & aFrameRS={...}, unsigned int & aFrameReflowStatus=0) Line 370 + 0x19 bytes C++
xul.dll!nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012ebb4) Line 2930 C++
xul.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012ebb4) Line 2167 + 0xf bytes C++
xul.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...}) Line 1828 C++
xul.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 925 C++
xul.dll!nsBlockReflowContext::ReflowBlock(const nsRect & aSpace={...}, int aApplyTopMargin=1, nsCollapsingMargin & aPrevMargin={...}, int aClearance=480, int aIsAdjacentWithTop=1, nsMargin & aComputedOffsets={...}, nsHTMLReflowState & aFrameRS={...}, unsigned int & aFrameReflowStatus=0) Line 370 + 0x19 bytes C++
xul.dll!nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012f238) Line 2930 C++
xul.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012f238) Line 2167 + 0xf bytes C++
xul.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...}) Line 1828 C++
xul.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 925 C++
xul.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x04eb2088, nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 715 + 0x16 bytes C++
xul.dll!CanvasFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 582 C++
xul.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x0533353c, nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=3, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 715 + 0x16 bytes C++
xul.dll!nsHTMLScrollFrame::ReflowScrolledFrame(const ScrollReflowState & aState={...}, int aAssumeHScroll=0, int aAssumeVScroll=1, nsHTMLReflowMetrics * aMetrics=0x0012f770, int aFirstPass=1) Line 464 C++
xul.dll!nsHTMLScrollFrame::ReflowContents(ScrollReflowState * aState=0x0012f85c, const nsHTMLReflowMetrics & aDesiredSize={...}) Line 539 C++
xul.dll!nsHTMLScrollFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 750 C++
xul.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x0533367c, nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 715 + 0x16 bytes C++
xul.dll!ViewportFrame::Reflow(nsPresContext * aPresContext=0x0531d440, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 287 C++
xul.dll!PresShell::DoReflow(nsIFrame * target=0x053334ac) Line 6101 C++
xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0) Line 6201 C++
xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_OnlyReflow) Line 4406 C++
xul.dll!nsGfxScrollFrameInner::AsyncScrollPortEvent::Run() Line 1883 C++
xul.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc9c) Line 491 C++
xul.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00000001, int mayWait=1) Line 227 + 0xd bytes C++
xul.dll!nsBaseAppShell::Run() Line 154 + 0x8 bytes C++
xul.dll!nsAppStartup::Run() Line 171 C++
xul.dll!XRE_main(int argc=1, char * * argv=0x00307ae0, const nsXREAppData * aAppData=0x00307e88) Line 3059 C++
firefox.exe!main(int argc=1, char * * argv=0x00307ae0) Line 154 C++
firefox.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * __formal=0x00400000, char * args=0x0015233f, HINSTANCE__ * __formal=0x00400000) Line 166 + 0x13 bytes C++
firefox.exe!__tmainCRTStartup() Line 589 + 0x1d bytes C
kernel32.dll!7c816ff7()
gfxfont.cpp line 933:
if (charGlyphs[*aStart].IsLigatureContinuation()) {
LigatureData data = ComputeLigatureData(*aStart, nsnull);
*aStart = PR_MIN(*aEnd, data.mEndOffset);
Summary: Crash viewing PNG as text file → Crash viewing PNG as text file [@ gfxTextRun::SetMissingGlyph][@ gfxTextRun::ShrinkToLigatureBoundaries]
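The aStart value in the BreakAndMeasureText frame of the stack above, 4294966794, is what -502 becomes when converted to a 32-bit unsigned integer. The following is an added example, not Mozilla code and not posted by anyone in this bug: it assumes an offset wrapped in that way reaches an unchecked charGlyphs[*aStart] read, and shows a range check that rejects it before any indexing. ToyTextRun, LigatureEnd, ShrinkStartChecked and WrappedOffset are hypothetical names.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// What a negative offset becomes once stored in a 32-bit unsigned parameter.
uint32_t WrappedOffset(int32_t signedOffset) {
    return static_cast<uint32_t>(signedOffset);
}

// Hypothetical stand-in for a text run: one flag per character, true when the
// character continues a ligature begun by an earlier character.
struct ToyTextRun {
    std::vector<bool> ligatureContinuation;

    // First index at or after pos that does not continue a ligature.
    uint32_t LigatureEnd(uint32_t pos) const {
        while (pos < ligatureContinuation.size() && ligatureContinuation[pos]) ++pos;
        return pos;
    }

    // Start-of-range shrink with the range validated before any indexing.
    // Returns false and leaves the range untouched when it is not inside the run.
    bool ShrinkStartChecked(uint32_t* aStart, uint32_t* aEnd) const {
        const uint32_t len = static_cast<uint32_t>(ligatureContinuation.size());
        if (*aStart > *aEnd || *aEnd > len) return false;  // wrapped or oversized
        if (*aStart < *aEnd && ligatureContinuation[*aStart])
            *aStart = std::min(*aEnd, LigatureEnd(*aStart));
        return true;
    }
};

int main() {
    ToyTextRun run;
    run.ligatureContinuation = {false, true, true, false, false};  // constructed sample

    uint32_t start = 1, end = 4;  // starts in the middle of a ligature
    bool ok = run.ShrinkStartChecked(&start, &end);
    std::printf("valid range:   ok=%d start=%u end=%u\n", ok, start, end);

    uint32_t badStart = WrappedOffset(-502);  // 4294966794, as in the stack
    uint32_t badEnd = badStart + 173;         // aMaxLength from the stack
    ok = run.ShrinkStartChecked(&badStart, &badEnd);
    std::printf("wrapped range: ok=%d start=%u\n", ok, badStart);
    return 0;
}
```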
Comment 5•17 years ago
This signature accounts for 3-5% of crashes on trunk, and IMO should block M7: http://crash-stats.mozilla.com/report/list?range_unit=weeks&branch=1.9&range_value=2&signature=gfxTextRun%3A%3AShrinkToLigatureBoundaries(unsigned+int+*%2Cunsigned+int+*)
Flags: blocking1.9? → blocking1.9+
Target Milestone: --- → mozilla1.9 M7
When did this crash start happening?
Er, I think benjamin's URL was mangled somehow, but http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&product=Firefox&branch=1.9&signature=gfxTextRun%3A%3AShrinkToLigatureBoundaries(unsigned+int+*%2Cunsigned+int+*)&range_value=1
(on the chance the URL survives) shows that the crash started on 2007072400 builds and was not present in 2007072300 builds, and that that signature is showing up on Windows only. (What's the "00" at the end of the build id?)
Comment 8•17 years ago
Please ignore the "00", it's a result of buildid-rounding we use to get reasonable graph data.
Also, because MSVC and GCC demangle symbols with different whitespace, don't assume that because a crash only shows up on Windows means it only happens on Windows. I have a socorro fix in place to unify the whitespace, but it will only take effect for new crashes processed from now on.
I just checked in a backout which included backout of a patch checked in on the 23rd --- so that may affect things. Although I still crash on Mac ... but the Mac stack looks like ATSUI-specific stuff being triggered.
Comment 10•17 years ago
The backout fixed the win32 crashing
Comment 11•17 years ago
All of the breakpad crashes were win32, moving out for the mac fix.
Target Milestone: mozilla1.9 M7 → mozilla1.9 M8
Whiteboard: [dbaron-1.9:R?]
Comment 12•17 years ago
WFM, Mac trunk debug. I see two warnings and one assertion (each repeated many times), but no crash.
###!!! ASSERTION: Started word in the middle of a cluster...: 'aSource->IsClusterStart(start)', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxFont.cpp, line 1950
WARNING: Font mismatch inside cluster: file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxAtsuiFonts.cpp, line 1260
WARNING: Invalid font: file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxQuartzFontCache.mm, line 782
Bug 385417 / bug 394246 should take care of the assertion and one of the warnings.
Works for me too.
I'm going to close this as WFM. Jesse, if you want to file a bug on the warning that's not addressed by the other bugs, please do. It'll need to be retriaged (and won't block, I'd guess).
Status: NEW → RESOLVED
Closed: 17 years ago
Priority: -- → P4
Resolution: --- → WORKSFORME
Comment 14•17 years ago
I usually file bugs on assertions but not warnings.
Reporter
Updated•17 years ago
Flags: in-testsuite?
Comment 15•17 years ago
This crashes now. I filed bug 402990.
Comment 16•17 years ago
Now I only get
WARNING: Invalid font: file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxQuartzFontCache.mm, line 782
roc, tell me if you want a reduced testcase for the warning.
If it's not much effort, that would be useful. I'd like to know what's causing it.
Comment 18•17 years ago
Ok, I filed bug 403270 with a testcase that triggers that warning. (It was not derived from the testcase in this bug.)
Updated•17 years ago
Summary: Crash viewing PNG as text file [@ gfxTextRun::SetMissingGlyph][@ gfxTextRun::ShrinkToLigatureBoundaries] → Crash viewing PNG as text/plain [@ gfxTextRun::SetMissingGlyph][@ gfxTextRun::ShrinkToLigatureBoundaries]
Assignee
Updated•13 years ago
Crash Signature: [@ gfxTextRun::SetMissingGlyph]
[@ gfxTextRun::ShrinkToLigatureBoundaries]