Closed
Bug 423270
Opened 16 years ago
Closed 16 years ago
Crash [@ gfxTextRun::ComputeLigatureData]
Categories
(Core Graveyard :: GFX: Win32, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: zeniko, Assigned: roc)
References
()
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
77 bytes, text/html
6.13 KB, patch (vlad: review+)
Steps to Reproduce:
1. Open about:config
2. Scroll down (e.g. by tabbing to the tree and then keeping [PgDn] pressed)
Incident samples: 917d3630-f368-11dc-8263-001a4bd43ed6 32896b9e-f368-11dc-aa96-001a4bd43e5c 03980097-f368-11dc-be61-001a4bd43ed6 f9dc534a-f30a-11dc-a2f7-001a4bd43ef6 f5b9e430-f30a-11dc-aa22-001a4bd43e5c 5ff6945e-f2d9-11dc-b31e-001a4bd46e84
Flags: blocking1.9?
Signature: gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*)
UUID: 917d3630-f368-11dc-8263-001a4bd43ed6
Time: 2008-03-16 07:51:59-07:00
Uptime: 0
Product: Firefox
Version: 3.0b5pre
Build ID: 2008031506
OS: Windows NT
OS Version: 5.1.2600 Service Pack 2
CPU: x86
CPU Info: GenuineIntel family 6 model 15 stepping 11
Crash Reason: EXCEPTION_INT_DIVIDE_BY_ZERO
Crash Address: 0x60813464
Comments:
Crashing Thread
Frame / Signature / Source
0 gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) mozilla/gfx/thebes/src/gfxFont.cpp:1146
1 xul.dll@0x24ce86
2 nsThebesFontMetrics::GetWidth(unsigned short const*, unsigned int, int&, int*, nsThebesRenderingContext*) mozilla/gfx/src/thebes/nsThebesFontMetrics.cpp:315
3 nsThebesRenderingContext::GetWidthInternal(unsigned short const*, unsigned int, int&, int*) mozilla/gfx/src/thebes/nsThebesRenderingContext.cpp:934
4 nsRenderingContextImpl::GetWidth(unsigned short const*, unsigned int, int&, int*) mozilla/gfx/src/shared/nsRenderingContextImpl.cpp:184
5 nsThebesRenderingContext::GetWidth(unsigned short, int&, int*) mozilla/gfx/src/thebes/nsThebesRenderingContext.cpp:901
6 nsTreeBodyFrame::AdjustForCellText(nsAutoString&, int, nsTreeColumn*, nsIRenderingContext&, nsRect&) mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:1411
7 nsTreeBodyFrame::PaintText(int, nsTreeColumn*, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, int&) mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3547
8 nsTreeBodyFrame::PaintCell(int, nsTreeColumn*, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, int&, nsPoint) mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3217
9 nsTreeBodyFrame::PaintRow(int, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, nsPoint) mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3019
10 nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:2822
11 PaintTreeBody mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:2750
12 nsDisplayGeneric::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/base/nsDisplayList.h:838
13 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/base/nsDisplayList.cpp:294
14 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/base/nsDisplayList.cpp:883
15 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/base/nsDisplayList.cpp:294
16 nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned int) mozilla/layout/base/nsLayoutUtils.cpp:875
17 PresShell::Paint(nsIView*, nsIRenderingContext*, nsRegion const&) mozilla/layout/base/nsPresShell.cpp:5436
18 nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&) mozilla/view/src/nsViewManager.cpp:607
19 nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned int) mozilla/view/src/nsViewManager.cpp:495
20 xul.dll@0x2dd775
21 HandleEvent mozilla/view/src/nsView.cpp:168
22 nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&) mozilla/widget/src/windows/nsWindow.cpp:973
23 nsWindow::DispatchWindowEvent(nsGUIEvent*, nsEventStatus&) mozilla/widget/src/windows/nsWindow.cpp:998
24 xul.dll@0x240294
25 nsWindow::ProcessMessage(unsigned int, unsigned int, long, long*) mozilla/widget/src/windows/nsWindow.cpp:4074
26 nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) mozilla/widget/src/windows/nsWindow.cpp:1188
27 InternalCallWinProc
Keywords: crash
Summary: Crash @ gfxTextRun::ComputeLigatureData → Crash [@ gfxTextRun::ComputeLigatureData]
Stuart, can you take a look at this?
Assignee: nobody → pavlov
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 4•16 years ago (Reporter)
Simpler StR:
1. Open about:config
2. Filter for network.IDN.blacklist_chars
There's no crash when using the opposite filter: /^(?!network\.IDN\.blacklist_chars;)/
Comment 5•16 years ago (Assignee)
Doesn't crash for me on Windows XP. Who can reproduce this to debug it? It may depend on the exact Uniscribe version or fonts installed.
http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg You can use that to get symbols. It might be more useful to use Process Explorer or File Monitor/Process Monitor to get a list of fonts that have been opened.
Comment 7•16 years ago (Reporter)
Seems to depend on the font:
Uniscribe: version 1.420.2600.2180 (SHA1:213e29b945e906b9094295e8c90bf5e2c9bf4c1a)
Font: Segoe UI 1.00 (OpenType, shipped with Office 2007, SHA1:280935e382b62fe953a4efe09b2bbf8d34b0f14a)
Using a different font keeps Firefox from crashing...
Comment 8•16 years ago
Bug 424721 – Crash with IPA combining characters [@ gfxTextRun::ComputeLigatureData]
Maybe 424721 is a dupe of this bug. In that bug, DejaVu Sans crashes Firefox while Arial Unicode MS doesn't. Testcase is attached.
Comment 9•16 years ago (Reporter)
(In reply to comment #8)
> In that bug, DejaVu Sans crashes Firefox while Arial Unicode MS doesn't.
Probably the same, at least Segoe UI crashes as well (cf. incident 8e1900b0-fab0-11dc-9df1-001a4bd43e5c).
Comment 10•16 years ago (Reporter)
Added a minimal crashing testcase in the URL. This makes a remote DoS trivial.
Comment 12•16 years ago (Assignee)
I'll get this font and look into it.
Whiteboard: [need Segoe font]
Comment 13•16 years ago
Maybe it would be easier to get Doulos SIL, Charis SIL or Junicode, which cause similar crashes. (They're all in Debian, for example.)
Comment 14•16 years ago (Assignee)
My version of the testcase
Comment 15•16 years ago (Assignee)
gfxTextRunWordCache puts a space before the ̮ before passing it down to create the real textrun --- this is so that we can check whether the ̮ acts as a combining mark with the space. What seems to happen is that we decide the space and the ̮ are separate clusters because both of them are marked as fCharStop by ScriptBreak. However, Uniscribe using this font returns a single glyph covering both characters (via the confusingly named pwLogClust in ScriptShape), so we interpret this as meaning there's a ligature for space followed by ̮. gfxTextRunWordCache sees that the space it added did not cluster with ̮ and rips it off, and this leaves us with half a ligature at the start of the textrun, which is bad and causes crashes.

The fix is to make gfxTextRunWordCache check for words where the first character of the word formed a ligature with the preceding space, and handle that case by creating a textrun just for that word with no preceding space, same as we do for text that starts with a combining mark.
Whiteboard: [need Segoe font]
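
The failure mode and the check described in comment 15, as an added C++ example that is not part of this bug, its patch, or Gecko's code. It is a toy model: the shaper rule, the assumption that the mark is U+032E, and the names `Shape`, `WordRun`, `StartsInsideLigature` and `LigatureClusterCount` are all hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy model, not Gecko's data structures: one entry per character.
struct CharInfo {
    bool clusterStart;   // segmentation says a cluster starts here
    bool ligatureStart;  // shaping says a glyph starts here
};
using Run = std::vector<CharInfo>;

const char32_t kMark = 0x032E;              // assumed code point of the mark in comment 15
const std::u32string kSample{kMark, U'a'};  // constructed sample word

// Toy shaper for the font behaviour in comment 15: the mark is its own
// cluster, but one glyph covers it and the character before it.
Run Shape(const std::u32string& text) {
    Run run;
    for (std::size_t i = 0; i < text.size(); ++i)
        run.push_back({true, !(i > 0 && text[i] == kMark)});
    return run;
}

// True when the run begins with the tail of a ligature whose head is gone.
bool StartsInsideLigature(const Run& run) {
    return !run.empty() && !run[0].ligatureStart;
}

// Clusters sharing the ligature at `start`: the divisor used to split its
// advance. 0 means there is no ligature start here and nothing may be divided.
std::size_t LigatureClusterCount(const Run& run, std::size_t start) {
    if (start >= run.size() || !run[start].ligatureStart) return 0;
    std::size_t n = 1;
    for (std::size_t i = start + 1; i < run.size() && !run[i].ligatureStart; ++i)
        if (run[i].clusterStart) ++n;
    return n;
}

// Shape " " + word, then strip the space. With `check`, a word whose first
// character fused with the space is shaped alone, with no preceding space.
Run WordRun(const std::u32string& word, bool check) {
    Run r = Shape(U" " + word);
    if (check && r.size() > 1 && !r[1].ligatureStart) return Shape(word);
    r.erase(r.begin());
    return r;
}

int main() {  // exit 0: unchecked run is broken, checked run is well formed
    return StartsInsideLigature(WordRun(kSample, false)) &&
           !StartsInsideLigature(WordRun(kSample, true)) ? 0 : 1;
}
```

In this model the unchecked path yields a run whose first character has no ligature start, so the cluster count that would serve as a divisor is zero; the checked path never produces such a run.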
Comment 16•16 years ago (Assignee)
Protect gfxTextRunWordCache against words that start inside a ligature (with the preceding space), as described above. This fixes my testcase, the testcase in the URL, and the testcases in the bugs this blocks don't crash. I can't reproduce the crash in about:config so I'm not sure if it fixes that.
Attachment #312709 - Flags: review?
Updated•16 years ago (Assignee)
Attachment #312709 - Flags: review? → review?(vladimir)
Updated•16 years ago (Assignee)
Whiteboard: [needs review]
Attachment #312709 - Flags: review?(vladimir) → review+
Comment 17•16 years ago (Assignee)
Checked in, with crashtest
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs review]
Comment 18•16 years ago (Reporter)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041206 -> VERIFIED with the original steps to reproduce. Thanks, Robert!
Status: RESOLVED → VERIFIED
Updated•15 years ago
Product: Core → Core Graveyard
Updated•13 years ago
Crash Signature: [@ gfxTextRun::ComputeLigatureData]