Closed
Bug 503784
Opened 15 years ago
Closed 15 years ago
nsFontCache::Compact crashes on heap-minimize notification [@ nsFontCache::Compact]
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
status1.9.1 | --- | unaffected |
fennec | 1.0+ | --- |
People
(Reporter: romaxa, Assigned: timeless)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
1.02 KB,
patch
|
pavlov
:
review+
|
Details | Diff | Splinter Review |
970 bytes,
patch
|
pavlov
:
review+
pavlov
:
superreview+
pavlov
:
approval1.9.2+
|
Details | Diff | Splinter Review |
#0 0x00000049 in ?? () #1 0xb4d38da4 in nsFontCache::Compact (this=0x9ba1530) at mozilla/gfx/src/thebes/nsThebesDeviceContext.cpp:272 #2 0xb4d3976c in nsThebesDeviceContext::Observe (this=0x9b33968, aSubject=0x0, aTopic=0xb77db50a "memory-pressure", aSomeData=0xb77dbda0) at mozilla/gfx/src/thebes/nsThebesDeviceContext.cpp:356 #3 0xb7607b9a in nsObserverList::NotifyObservers (this=0x9c0fdb0, aSubject=0x0, aTopic=0xb77db50a "memory-pressure", someData=0xb77dbda0) at mozilla/xpcom/ds/nsObserverList.cpp:128 #4 0xb760802f in nsObserverService::NotifyObservers (this=0x9763e70, aSubject=0x0, aTopic=0xb77db50a "memory-pressure", someData=0xb77dbda0) at mozilla/xpcom/ds/nsObserverService.cpp:181 #5 0xb77bbc43 in g_mozilla_engine_observe (service_id=0x0, object=0x0, topic=0xb77db50a "memory-pressure", data=0xb77dbda0) at ../../../src/gecko/gmozillacppwrapper.cpp:630 #6 0xb77aabf5 in load_finished_cb (embed=0x96c8180, self=0x96e0010) at ../../src/gmozillaengine.c:2330 #7 0xb7ed641d in IA__g_cclosure_marshal_VOID__VOID (closure=0x9823f68, return_value=0x0, n_param_values=1, param_values=0x9998a80, invocation_hint=0xbfba691c, marshal_data=0xb77aaaf0) at /home/bifh5/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.1/gobject/gmarshal.c:77 #8 0xb7ec94ec in IA__g_closure_invoke (closure=0x9823f68, return_value=0x0, n_param_values=1, param_values=0x9998a80, invocation_hint=0xbfba691c) at /home/bifh5/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.1/gobject/gclosure.c:767 #9 0xb7edd8e4 in signal_emit_unlocked_R (node=0x96df100, detail=0, instance=0x96c8180, emission_return=0x0, instance_and_params=0x9998a80) at /home/bifh5/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.1/gobject/gsignal.c:3247 #10 0xb7edf5ca in IA__g_signal_emit_valist (instance=0x96c8180, signal_id=155, detail=0,
Reporter | ||
Comment 1•15 years ago
|
||
Problem is next: nsIFontMetrics* fm = mFontMetrics[i]; nsIFontMetrics* oldfm = fm; >>>> oldfm and fm - is not null // Destroy() isn't here because we want our device context to be // notified NS_RELEASE(fm); // this will reset fm to nsnull >>>>fm - is null, and oldfm - pointer to destroyed fm data. not valid // if the font is really gone, it would have called back in // FontMetricsDeleted() and would have removed itself if (mFontMetrics.IndexOf(oldfm) >= 0) { // nope, the font is still there, so let's hold onto it too >>>> addrefing not valid pointer. NS_ADDREF(oldfm); }
the problem seems to be: http://mxr.mozilla.org/mozilla-central/ident?i=FontMetricsDeleted the comment expects that to be called this code worked in 1.8 times and died with thebes.
Severity: normal → critical
Keywords: crash
Summary: nsFontCache::Compact crashes on heap-minimize notification → nsFontCache::Compact crashes on heap-minimize notification [@ nsFontCache::Compact]
Attachment #388239 -
Flags: review?(vladimir) → review?(jdaggett)
Updated•15 years ago
|
Severity: normal → critical
Flags: blocking1.9.2?
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Attachment #388239 -
Flags: review?(pavlov)
Updated•15 years ago
|
Attachment #388239 -
Flags: review?(pavlov) → review+
Comment 6•15 years ago
|
||
reopening since this has a patch
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 7•15 years ago
|
||
When I discussed this patch with karlt, I recall him suggesting that it might not be a good thing, but I don't remember precisely why.
Comment 8•15 years ago
|
||
My concern was that fonts that are still in use get removed from the cache, so the next time the same font is needed a new (duplicate) font will be instantiated. The bug is that mFontMetrics.IndexOf(oldfm) returns PRUint32, which is always >= 0. The comparison needs to be with mFontMetrics.NoIndex.
Comment 9•15 years ago
|
||
-Wtype-limits with gcc-4.3 or -W(extra) on earlier versions would have found this: /home/karl/moz/dev/gfx/src/thebes/nsThebesDeviceContext.cpp: In member function 'nsresult nsFontCache::Compact()': /home/karl/moz/dev/gfx/src/thebes/nsThebesDeviceContext.cpp:270: warning: comparison of unsigned expression >= 0 is always true
Comment 10•15 years ago
|
||
Attachment #397379 -
Flags: review?
Updated•15 years ago
|
Attachment #397379 -
Flags: review? → review?(jdaggett)
Updated•15 years ago
|
Attachment #397379 -
Flags: superreview+
Attachment #397379 -
Flags: review?(jdaggett)
Attachment #397379 -
Flags: review+
Attachment #397379 -
Flags: approval1.9.2+
Updated•15 years ago
|
tracking-fennec: --- → 1.0+
Flags: blocking1.9.2? → blocking1.9.2+
Comment 11•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/52abed9ff3d3 http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ee3bcae652e9
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Keywords: fixed1.9.2
Resolution: --- → FIXED
Updated•15 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
Comment 12•15 years ago
|
||
Should we land this on the older branches as well?
Updated•15 years ago
|
blocking1.9.1: ? → ---
Comment 13•15 years ago
|
||
Not needed on other branches. This was a regression from http://hg.mozilla.org/mozilla-central/rev/7366df357e91 nsVoidArray::IndexOf() returned PRInt32 (not PRUint32).
Flags: wanted1.9.0.x?
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Updated•15 years ago
|
Attachment #388239 -
Flags: review?(jdaggett)
Updated•13 years ago
|
Crash Signature: [@ nsFontCache::Compact]
You need to log in
before you can comment on or make changes to this bug.
Description
•