Closed Bug 538628 Opened 16 years ago Closed 16 years ago

Crash loading some pages [@ nsAString_internal::Assign(nsAString_internal const&) ]

Categories: Core :: Graphics, defect
Hardware / OS: x86 / All
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
People: Reporter: fehe, Assigned: jfkthame
Keywords: crash, regression, topcrash
Attachments: 3 files, 1 obsolete file

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729)

Crash on loading linked page.

Regression Window:
Works: http://hg.mozilla.org/mozilla-central/rev/6ce98ed11af8 1262940916-20100108005516-6ce98ed11af8-firefox-3.7a1pre
Crashes: http://hg.mozilla.org/mozilla-central/rev/99bb0c6877f0 1262950468-20100108033428-99bb0c6877f0-firefox-3.7a1pre

Caused by: Bug 493280: restructure Windows font management based on cross-platform font-list classes.

Crashing Thread
Frame  Module  Signature  Source
0 xul.dll nsAString_internal::Assign xpcom/string/src/nsTSubstring.cpp:398
1 xul.dll gfxPlatformFontList::FindFontForChar gfx/thebes/src/gfxPlatformFontList.cpp:351
2 xul.dll gfxWindowsFontGroup::WhichSystemFontSupportsChar gfx/thebes/src/gfxWindowsFonts.cpp:1879
3 xul.dll gfxFontGroup::FindFontForChar
4 xul.dll gfxFontGroup::ComputeRanges gfx/thebes/src/gfxFont.cpp:1641
5 xul.dll gfxWindowsFontGroup::InitTextRunUniscribe gfx/thebes/src/gfxWindowsFonts.cpp:1920
6 xul.dll gfxWindowsFontGroup::InitTextRunGDI
7 xul.dll gfxWindowsFontGroup::MakeTextRun gfx/thebes/src/gfxWindowsFonts.cpp:741
8 xul.dll TextRunWordCache::MakeTextRun gfx/thebes/src/gfxTextRunWordCache.cpp:683
9 xul.dll MakeTextRun layout/generic/nsTextFrameThebes.cpp:436
10 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrameThebes.cpp:1798
11 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrameThebes.cpp:1229
12 xul.dll BuildTextRuns layout/generic/nsTextFrameThebes.cpp:1160
13 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrameThebes.cpp:1987
14 xul.dll nsTextFrame::Reflow layout/generic/nsTextFrameThebes.cpp:6208
15 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:852
16 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752
17 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546
18 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400
19 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439
20 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885
21 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993
22 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310
23 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3119
24 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2384
25 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885
26 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993
27 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310
28 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3119
29 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2384
30 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885
31 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993
32 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310
33 xul.dll nsBlockFrame::ReflowFloat layout/generic/nsBlockFrame.cpp:5677
34 xul.dll nsBlockReflowState::FlowAndPlaceFloat layout/generic/nsBlockReflowState.cpp:767
35 xul.dll nsBlockReflowState::AddFloat layout/generic/nsBlockReflowState.cpp:580
36 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:890
37 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752
38 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546
39 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400
40 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439
41 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885
42 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993
43 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310
44 xul.dll nsBlockFrame::ReflowFloat layout/generic/nsBlockFrame.cpp:5677
45 xul.dll nsBlockReflowState::FlowAndPlaceFloat layout/generic/nsBlockReflowState.cpp:767
46 xul.dll nsBlockReflowState::AddFloat layout/generic/nsBlockReflowState.cpp:580
47 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:890
48 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752
49 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546
50 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400
51 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439
52 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885
53 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993
54 xul.dll nsAbsoluteContainingBlock::ReflowAbsoluteFrame layout/generic/nsAbsoluteContainingBlock.cpp:466
55 xul.dll nsAbsoluteContainingBlock::Reflow layout/generic/nsAbsoluteContainingBlock.cpp:156

Reproducible: Always

Steps to Reproduce:
1. Load the linked URL
Component: General → Graphics
Keywords: crash, regression
Product: Firefox → Core
Version: unspecified → Trunk
Blocks: 493280
Also majorly affecting Thunderbird trunk: bp-dda49921-ff6b-41be-bd6e-8b7d52100108
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: topcrash
(In reply to comment #2)
> Created an attachment (id=420779) [details]
> test case: Loading this will crash the browser

This does not crash for me (running latest nightly build on Vista). I suspect it may depend on particular fonts, or on some unpredictable dynamic text that's part of the page. It would be helpful if you can cut this down to a *minimal* testcase, containing just the actual fragment of text that's triggering the crash (it's clearly text-related), and does not depend on a bunch of external stylesheets and other resources.
I believe the crash is caused by an uninitialized field in the font fallback search structure, which can lead to us using an undefined value as a gfxFontEntry pointer. This should fix it.
Assignee: nobody → jfkthame
Comment on attachment 420830 [details] [diff] [review]
fix uninitialized structure field leading to potential crash

No, that was not the real issue - forget that patch.
Attachment #420830 - Attachment is obsolete: true
Font entries in the platform font-list are supposed to have a pointer back to their owning family; this was not being set in the GDI (or FT2) font lists. The result is a null dereference when we try to access the family name from a font entry.
Attachment #420838 - Flags: review?(jdaggett)
Attached file Reduced test case
Attachment #420838 - Flags: review?(jdaggett) → review+
Just to clarify, the crash occurs if you have a font installed that supports the character U+FFFD (the Unicode REPLACEMENT CHARACTER), and you view a page where font fallback is used to render this character, either because there's a literal U+FFFD (or an entity reference) in the page, or an encoding error that gets replaced by this. It will not crash if the U+FFFD is explicitly formatted in a font that actually supports it (so fallback does not occur), nor if you have no such font and we fall back to displaying a hexbox.
(In reply to comment #9)
> Created an attachment (id=420840) [details]
> Reduced test case

Thanks for this - as you'll see from the other comments, I believe we have isolated the issue. Your testcase hits this issue because it is not served with correct charset information, and so if the default encoding is set to UTF-8, then the intended "»" after Browse All Shows will be replaced by U+FFFD (because it is encoded as a single Windows-1252 byte that is not a valid UTF-8 sequence).
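The two mechanisms described in the comments above (a single Windows-1252 byte decoded as UTF-8 becoming U+FFFD, and the font-fallback lookup for that character reading the family name through an entry whose back-pointer was never set) are modelled below. This is an added illustration written for this page; it is not Gecko code, and the `FontEntry`/`FontFamily`/`FontList` types, the toy `cmap`, the `Lookup` result enum and the sample family named after the Charis SIL font the reporter installed are all constructed for the example.

```cpp
// Added illustration, not Gecko code: a mis-declared charset turns a
// Windows-1252 byte into U+FFFD, and the font-fallback lookup for that
// character then reads the family name through the entry's back-pointer.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Decode bytes as UTF-8, substituting U+FFFD for each byte that does not
// start or continue a well-formed sequence. Simplified: lead-byte ranges
// and continuation bytes only (no overlong or surrogate rejection).
std::u32string DecodeUtf8WithReplacement(const std::string& bytes) {
    std::u32string out;
    std::size_t i = 0;
    while (i < bytes.size()) {
        unsigned char b = static_cast<unsigned char>(bytes[i]);
        std::size_t len = 0;
        char32_t cp = 0;
        if (b < 0x80)                             { len = 1; cp = b; }
        else if ((b & 0xE0) == 0xC0 && b >= 0xC2) { len = 2; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0)              { len = 3; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0 && b <= 0xF4) { len = 4; cp = b & 0x07; }
        bool ok = len != 0 && i + len <= bytes.size();
        for (std::size_t k = 1; ok && k < len; ++k) {
            unsigned char c = static_cast<unsigned char>(bytes[i + k]);
            if ((c & 0xC0) != 0x80) ok = false;
            else cp = (cp << 6) | (c & 0x3F);
        }
        if (!ok) { out.push_back(0xFFFD); ++i; continue; }  // e.g. a lone 0xBB
        out.push_back(cp);
        i += len;
    }
    return out;
}

struct FontFamily;

// One face in the platform font list. `family` must point at the owning
// FontFamily; the bug on this page is that pointer never being set.
struct FontEntry {
    std::string faceName;
    std::vector<char32_t> cmap;    // toy character map for the face
    FontFamily* family = nullptr;
    bool SupportsChar(char32_t ch) const {
        for (char32_t c : cmap) if (c == ch) return true;
        return false;
    }
};

struct FontFamily {
    std::string name;
    std::vector<std::unique_ptr<FontEntry>> faces;
    // The fix amounts to setting the back-pointer where the face is added;
    // setBackPointer=false models the defective list construction.
    void AddFace(std::unique_ptr<FontEntry> fe, bool setBackPointer) {
        if (setBackPointer) fe->family = this;
        faces.push_back(std::move(fe));
    }
};

struct FontList {
    std::vector<std::unique_ptr<FontFamily>> families;
};

enum class Lookup { Found, NoFont, BrokenEntry };

// Fallback search: first face whose cmap covers `ch`. NoFont is the hexbox
// case; BrokenEntry reports a missing back-pointer instead of dereferencing it.
Lookup FamilyNameForChar(const FontList& list, char32_t ch, std::string* name) {
    for (const auto& fam : list.families) {
        for (const auto& fe : fam->faces) {
            if (!fe->SupportsChar(ch)) continue;
            if (!fe->family) return Lookup::BrokenEntry;
            *name = fe->family->name;   // the access that crashed in the bug
            return Lookup::Found;
        }
    }
    return Lookup::NoFont;
}

// One-family list whose only face covers U+FFFD (constructed sample, named
// after the font the reporter installed).
FontList MakeSampleList(bool setBackPointer) {
    FontList list;
    std::unique_ptr<FontFamily> fam(new FontFamily());
    fam->name = "Charis SIL";
    std::unique_ptr<FontEntry> fe(new FontEntry());
    fe->faceName = "Charis SIL Regular";
    fe->cmap = {U'A', U'B', U'\u00BB', U'\uFFFD'};
    fam->AddFace(std::move(fe), setBackPointer);
    list.families.push_back(std::move(fam));
    return list;
}

int main() {
    std::string name;
    FontList list = MakeSampleList(true);
    std::u32string text = DecodeUtf8WithReplacement("Browse All Shows \xBB");
    Lookup r = FamilyNameForChar(list, text.back(), &name);
    std::printf("%s\n", r == Lookup::Found ? name.c_str() : "no family");
    return 0;
}
```

With the back-pointer set, the trailing 0xBB byte decodes to U+FFFD, the sample face covers it, and the lookup returns the family name; with `setBackPointer=false` the same lookup reports `BrokenEntry` rather than crashing, which is the invariant the real fix restores by setting the pointer when GDI and FT2 font entries are created.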
Just noticed this with Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20100108043818.
Steps to reproduce:
1. Install Charis SIL font locally: http://scripts.sil.org/CharisSIL_download
2. Open "Reduced test case"

Result: crash
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20100108213748 http://hg.mozilla.org/mozilla-central/rev/2ec1983f96c6
Status: RESOLVED → VERIFIED
The page and actions that triggered this crash for me now WFM. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100109 Minefield/3.7a1pre - Build ID: 20100109042837
Crash Signature: [@ nsAString_internal::Assign(nsAString_internal const&) ]