Closed Bug 423270 Opened 17 years ago Closed 17 years ago

Crash [@ gfxTextRun::ComputeLigatureData]

(Core Graveyard :: GFX: Win32, defect, P2)
Windows XP
(Reporter: zeniko, Assigned: roc)
(Keywords: crash, regression)
(2 files)
Steps to Reproduce:
1. Open about:config
2. Scroll down (e.g. by tabbing to the tree and then keeping [PgDn] pressed)

Incident samples:
Flags: blocking1.9?
Signature	gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*)
UUID	917d3630-f368-11dc-8263-001a4bd43ed6
Time	2008-03-16 07:51:59-07:00
Uptime	0
Product	Firefox
Version	3.0b5pre
Build ID	2008031506
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 11
Crash Address	0x60813464
Crashing Thread
Frame 	Signature 	Source
0 	gfxTextRun::ComputeLigatureData(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) 	mozilla/gfx/thebes/src/gfxFont.cpp:1146
1 	xul.dll@0x24ce86 	
2 	nsThebesFontMetrics::GetWidth(unsigned short const*, unsigned int, int&, int*, nsThebesRenderingContext*) 	mozilla/gfx/src/thebes/nsThebesFontMetrics.cpp:315
3 	nsThebesRenderingContext::GetWidthInternal(unsigned short const*, unsigned int, int&, int*) 	mozilla/gfx/src/thebes/nsThebesRenderingContext.cpp:934
4 	nsRenderingContextImpl::GetWidth(unsigned short const*, unsigned int, int&, int*) 	mozilla/gfx/src/shared/nsRenderingContextImpl.cpp:184
5 	nsThebesRenderingContext::GetWidth(unsigned short, int&, int*) 	mozilla/gfx/src/thebes/nsThebesRenderingContext.cpp:901
6 	nsTreeBodyFrame::AdjustForCellText(nsAutoString&, int, nsTreeColumn*, nsIRenderingContext&, nsRect&) 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:1411
7 	nsTreeBodyFrame::PaintText(int, nsTreeColumn*, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, int&) 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3547
8 	nsTreeBodyFrame::PaintCell(int, nsTreeColumn*, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, int&, nsPoint) 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3217
9 	nsTreeBodyFrame::PaintRow(int, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, nsPoint) 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:3019
10 	nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:2822
11 	PaintTreeBody 	mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:2750
12 	nsDisplayGeneric::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) 	mozilla/layout/base/nsDisplayList.h:838
13 	nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) 	mozilla/layout/base/nsDisplayList.cpp:294
14 	nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) 	mozilla/layout/base/nsDisplayList.cpp:883
15 	nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) 	mozilla/layout/base/nsDisplayList.cpp:294
16 	nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned int) 	mozilla/layout/base/nsLayoutUtils.cpp:875
17 	PresShell::Paint(nsIView*, nsIRenderingContext*, nsRegion const&) 	mozilla/layout/base/nsPresShell.cpp:5436
18 	nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&) 	mozilla/view/src/nsViewManager.cpp:607
19 	nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned int) 	mozilla/view/src/nsViewManager.cpp:495
20 	xul.dll@0x2dd775 	
21 	HandleEvent 	mozilla/view/src/nsView.cpp:168
22 	nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&) 	mozilla/widget/src/windows/nsWindow.cpp:973
23 	nsWindow::DispatchWindowEvent(nsGUIEvent*, nsEventStatus&) 	mozilla/widget/src/windows/nsWindow.cpp:998
24 	xul.dll@0x240294 	
25 	nsWindow::ProcessMessage(unsigned int, unsigned int, long, long*) 	mozilla/widget/src/windows/nsWindow.cpp:4074
26 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	mozilla/widget/src/windows/nsWindow.cpp:1188
27 	InternalCallWinProc 	
Keywords: crash
Summary: Crash @ gfxTextRun::ComputeLigatureData → Crash [@ gfxTextRun::ComputeLigatureData]
Stuart, can you take a look at this?
Assignee: nobody → pavlov
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
roc knows this code better than I do.
Assignee: pavlov → roc
Simpler StR:
1. Open about:config
2. Filter for network.IDN.blacklist_chars

There's no crash when using the opposite filter:
Doesn't crash for me on Windows XP. Who can reproduce this to debug it? It may depend on the exact Uniscribe version or fonts installed.

You can use that to get symbols. It might be more useful to use Process Explorer or File Monitor/Process Monitor to get a list of fonts that have been opened.
Seems to depend on the font:

Uniscribe: version 1.420.2600.2180 (SHA1:213e29b945e906b9094295e8c90bf5e2c9bf4c1a)
Font: Segoe UI 1.00 (OpenType, shipped with Office 2007, SHA1:280935e382b62fe953a4efe09b2bbf8d34b0f14a)

Using a different font keeps Firefox from crashing...
Bug 424721 – Crash with IPA combining characters [@ gfxTextRun::ComputeLigatureData]

Maybe 424721 is a dupe of this bug. In that bug, DejaVu Sans crashes Firefox while Arial Unicode MS doesn't. Testcase is attached.
(In reply to comment #8)
> In that bug, DejaVu Sans crashes Firefox while Arial Unicode MS doesn't.

Probably the same, at least Segoe UI crashes as well (cf. incident 8e1900b0-fab0-11dc-9df1-001a4bd43e5c ).
Added a minimal crashing testcase in the URL. This makes a remote DoS trivial.
Blocks: 418779
Blocks: 415352
I'll get this font and look into it.
Whiteboard: [need Segoe font]
Maybe it would be easier to get Doulos SIL, Charis SIL or Junicode, which cause similar crashes. (They're all in Debian, for example.)
Attached file testcase
My version of the testcase
gfxTextRunWordCache puts a space before the ̮ (U+032E) before passing it down to create the real textrun --- this is so that we can check whether the ̮ acts as a combining mark with the space. What seems to happen is that we decide the space and the ̮ are separate clusters because both of them are marked as fCharStop by ScriptBreak. However, Uniscribe using this font returns a single glyph covering both characters (via the confusingly named pwLogClust in ScriptShape), so we interpret this as meaning there's a ligature for space followed by ̮. gfxTextRunWordCache sees that the space it added did not cluster with ̮ and rips it off, and this leaves us with half a ligature at the start of the textrun, which is bad and causes crashes.

The fix is to make gfxTextRunWordCache check for words where the first character of the word formed a ligature with the preceding space, and handle that case by creating a textrun just for that word with no preceding space, same as we do for text that starts with a combining mark.
Whiteboard: [need Segoe font]
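The mechanism roc describes above (the padding space, the pwLogClust-style cluster map, the unconditional stripping of the space, and the guard the fix adds) as an added illustrative model in C++. This is not Gecko's code: the shaper is a constructed stand-in for Uniscribe, and every name here (Shape, WordRun, BuildWordRunLegacy, BuildWordRunFixed, StartsInsideLigature, SampleWord) is an assumption made for the example.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Shaping output in the style of Uniscribe's ScriptShape: logClust[i] is the
// index of the first glyph of the cluster that character i belongs to, so two
// characters with the same logClust value were merged into one cluster.
struct ShapedRun {
    std::u16string text;
    std::vector<int> logClust;
    int glyphCount = 0;
};

constexpr char16_t kSpace = u' ';
constexpr char16_t kCombiningBreveBelow = 0x032E;  // the mark from the testcase

// Constructed approximation: treat the Combining Diacritical Marks block as marks.
bool IsCombiningMark(char16_t c) {
    return c >= 0x0300 && c <= 0x036F;
}

// Constructed stand-in for the shaper (not Uniscribe). fontLigatesSpaceAndMark
// models the Segoe UI / DejaVu Sans behaviour from the bug: a combining mark
// that follows a space is folded into the space's cluster instead of standing
// alone. Every other mark clusters with its preceding base character.
ShapedRun Shape(const std::u16string& text, bool fontLigatesSpaceAndMark) {
    ShapedRun run;
    run.text = text;
    run.logClust.resize(text.size());
    int glyph = -1;
    for (std::size_t i = 0; i < text.size(); ++i) {
        bool joinsPrevious = i > 0 && IsCombiningMark(text[i]) &&
                             (text[i - 1] != kSpace || fontLigatesSpaceAndMark);
        if (!joinsPrevious) ++glyph;
        run.logClust[i] = glyph;
    }
    run.glyphCount = glyph + 1;
    return run;
}

// What the word cache hands back: the shaped run plus the character offset at
// which the word really starts (1 when a padding space is to be sliced off).
struct WordRun {
    ShapedRun run;
    std::size_t wordStart;
};

// True when the run's first real character shares a glyph cluster with the
// character before it, i.e. the run begins inside a ligature. That is the
// "half a ligature" state the comment above describes as crashing.
bool StartsInsideLigature(const WordRun& w) {
    if (w.wordStart == 0) return false;
    return w.run.logClust[w.wordStart] == w.run.logClust[w.wordStart - 1];
}

// Pre-fix behaviour: pad a mark-initial word with a space so the shaper can
// tell whether the mark combines, then slice the space off unconditionally.
WordRun BuildWordRunLegacy(const std::u16string& word, bool fontLigates) {
    if (!word.empty() && IsCombiningMark(word[0])) {
        return WordRun{Shape(kSpace + word, fontLigates), 1};
    }
    return WordRun{Shape(word, fontLigates), 0};
}

// Fixed behaviour: if the space and the first character came back as one
// cluster, discard that run and shape the word by itself with no padding.
WordRun BuildWordRunFixed(const std::u16string& word, bool fontLigates) {
    WordRun w = BuildWordRunLegacy(word, fontLigates);
    if (StartsInsideLigature(w)) {
        return WordRun{Shape(word, fontLigates), 0};
    }
    return w;
}

// Constructed sample word: U+032E followed by "ipa", like the IPA testcase.
std::u16string SampleWord() {
    return std::u16string(1, kCombiningBreveBelow) + u"ipa";
}

int main() {
    const std::u16string word = SampleWord();
    for (bool ligates : {true, false}) {
        WordRun legacy = BuildWordRunLegacy(word, ligates);
        WordRun fixed = BuildWordRunFixed(word, ligates);
        std::cout << "font ligates space+mark: " << ligates
                  << "  legacy starts inside ligature: " << StartsInsideLigature(legacy)
                  << "  fixed starts inside ligature: " << StartsInsideLigature(fixed)
                  << "  fixed wordStart: " << fixed.wordStart << '\n';
    }
    return 0;
}
```

With a font that folds the mark into the space's cluster, the legacy path yields a run whose first character is the second half of a cluster; the fixed path notices that `logClust[1] == logClust[0]` and reshapes the word without the space, so the sliced run always begins at a cluster boundary. With a font that keeps them separate, both paths behave identically and the padding space is stripped as before.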
Attached patch fix
Protect gfxTextRunWordCache against words that start inside a ligature (with the preceding space), as described above. This fixes my testcase and the testcase in the URL, and the testcases in the bugs this blocks no longer crash. I can't reproduce the crash in about:config so I'm not sure if it fixes that.
Attachment #312709 - Flags: review?
Attachment #312709 - Flags: review? → review?(vladimir)
Whiteboard: [needs review]
Checked in, with crashtest
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs review]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041206
-> VERIFIED with the original steps to reproduce. Thanks, Robert!
No longer blocks: 418779
Product: Core → Core Graveyard
Crash Signature: [@ gfxTextRun::ComputeLigatureData]