Closed Bug 418779 Opened 16 years ago Closed 16 years ago

browser crashes on mathml site [@ gfxTextRun::ComputeLigatureData]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 423270

People

(Reporter: jsalter, Unassigned)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3

Browsing through bug 363240#28, i tried each of the URLs referenced and found the second one caused my browser to crash repeatedly:

http://xbeta.org/wiki/show/itex+punctuation


Reproducible: Always

Steps to Reproduce:
1. visit http://xbeta.org/wiki/show/itex+punctuation
2. report crash through crash manager
3. restart browser
Actual Results:  
browser crashes

Expected Results:  
browser shouldn't crash
Crash report information:

Add-ons: inspector@mozilla.org:1.9b3,{667e9f3d-0096-4d2b-b171-9a96afbabe20}:0.1.6,{972ce4c6-7e08-4474-a285-3208198ce6fd}:2.0
BuildID: 2008020514
CrashTime: 1203572648
InstallTime: 1203570117
ProductName: Firefox
SecondsSinceLastCrash: 936
StartupTime: 1203572635
Theme: classic/1.0
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=363240
UserID: 60b89760-d00d-4aee-a069-70fbfa0048b7
Vendor: Mozilla
Version: 3.0b3
can you please use about:crashes to provide the incident id?
No crash for me.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b4pre) Gecko/2008022021 Minefield/3.0b4pre

about:crashes reports the following:

1858fd8a-e040-11dc-8cdc-001a4bd43e5c	2/20/2008	9:44 PM
e37d7987-e03d-11dc-8f51-001a4bd46e84	2/20/2008	9:28 PM
bf9c4a61-e03d-11dc-acbb-001a4bd43e5c	2/20/2008	9:27 PM
It appears pretty obvious from the code what's going on - totalClusterCount is not being incremented, so the division in line 1127 divides by 0.

1114 roc+    1.61     PRUint32 totalClusterCount = 0;
1115                  PRUint32 partClusterIndex = 0;
1116                  PRUint32 partClusterCount = 0;
1117                  for (i = result.mLigatureStart; i < result.mLigatureEnd; ++i) {
1118                      if (charGlyphs[i].IsClusterStart()) {
1119                          ++totalClusterCount;
1120                          if (i < aPartStart) {
1121                              ++partClusterIndex;
1122                          } else if (i < aPartEnd) {
1123                              ++partClusterCount;
1124                          }

1125 roc+    1.22         }
1126                  }

1127 roc+    1.61     result.mPartAdvance = ligatureWidth*partClusterIndex/totalClusterCount;

This can happen in two separate situations:

  1) result.mLigatureStart >= result.mLigatureEnd
  2) charGlyphs[i].IsClusterStart() returns null or 0 for all values of i in [ result.mLigatureStart <-> result.mLigatureEnd ]

Since result.mLigatureStart is set to aPartStart, and then decremented; while result.mLigatureEnd is set to aPartStart + 1, and then incremented, the condition (1) appears impossible.

So the IsClusterStart() must return 0 or null for all charGlyphs[].
Signature	gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*)
UUID	1858fd8a-e040-11dc-8cdc-001a4bd43e5c
Time	2008-02-20 21:44:08-08:00
Uptime	0
Product	Firefox
Version	3.0b3
Build ID	2008020514
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 15 model 6 stepping 4
Crash Reason	EXCEPTION_INT_DIVIDE_BY_ZERO
Crash Address	0x6093e645
Comments	
Crashing Thread
Frame 	Signature 	Source
0 	gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) 	mozilla/gfx/thebes/src/gfxFont.cpp:1127
1 	gfxTextRun::AccumulatePartialLigatureMetrics(gfxFont*, unsigned int, unsigned int, int, gfxContext*, gfxTextRun::PropertyProvider*, gfxFont::RunMetrics*) 	mozilla/gfx/thebes/src/gfxFont.cpp:1389
2 	gfxTextRun::MeasureText(unsigned int, unsigned int, int, gfxContext*, gfxTextRun::PropertyProvider*) 	mozilla/gfx/thebes/src/gfxFont.cpp:1438
3 	GetTextRunBoundingMetrics 	mozilla/gfx/src/thebes/nsThebesFontMetrics.cpp:429
4 	nsThebesFontMetrics::GetBoundingMetrics(unsigned short const*, unsigned int, nsThebesRenderingContext*, nsBoundingMetrics&) 	mozilla/gfx/src/thebes/nsThebesFontMetrics.cpp:470
5 	nsThebesRenderingContext::GetBoundingMetricsInternal(unsigned short const*, unsigned int, nsBoundingMetrics&, int*) 	mozilla/gfx/src/thebes/nsThebesRenderingContext.cpp:994
6 	nsRenderingContextImpl::GetBoundingMetrics(unsigned short const*, unsigned int, nsBoundingMetrics&, int*) 	mozilla/gfx/src/shared/nsRenderingContextImpl.cpp:419
7 	nsMathMLChar::TryParts(nsPresContext*, nsIRenderingContext&, nsGlyphTable*, int, unsigned int, nsAString_internal const&) 	mozilla/layout/mathml/base/src/nsMathMLChar.cpp:1370
8 	nsMathMLChar::StretchResolverCallback(nsAString_internal const&, void*) 	mozilla/layout/mathml/base/src/nsMathMLChar.cpp:1512
9 	gfxWindowsPlatform::ResolveFontName(nsAString_internal const&, int (*)(nsAString_internal const&, void*), void*, int&) 	mozilla/gfx/thebes/src/gfxWindowsPlatform.cpp:394
10 	nsGlyphTableList::GetGlyphTableFor(nsAString_internal const&) 	mozilla/layout/mathml/base/src/nsMathMLChar.cpp:694
Severity: normal → critical
Component: General → GFX: Thebes
Keywords: crash
Product: Firefox → Core
QA Contact: general → thebes
Summary: browser crashes on mathml site → browser crashes on mathml site [@ gfxTextRun::ComputeLigatureData]
Version: unspecified → Trunk
Dupe / related to bug 415352?
Probably the same bug as bug 423270, but the stacks are slightly different.
Bug 423270 is blocking1.9+.
Status: UNCONFIRMED → NEW
Depends on: 423270
Ever confirmed: true
Jim, does this still crash for you now that bug 423270 is fixed?  You can
grab a nightly build containing that patch from
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/.
I can confirm that FF 3b5 crashes (http://cnx.org/content/m10656/latest/ is where I saw it) while "Gecko/2008042207 Minefield/3.0pre" works fine.
http://xbeta.org/wiki/show/itex+punctuation works for me with
Gecko/2008042106 Minefield/3.0pre.
Probably fixed in bug 423270.
Status: NEW → RESOLVED
Closed: 16 years ago
No longer depends on: 423270
Resolution: --- → DUPLICATE
problem does not manifest using 3.0 release candidate on windows xp sp 2.  thanks.
Status: RESOLVED → VERIFIED
Crash Signature: [@ gfxTextRun::ComputeLigatureData]
You need to log in before you can comment on or make changes to this bug.