Closed
Bug 538628
Opened 15 years ago
Closed 15 years ago
Crash loading some pages [@ nsAString_internal::Assign(nsAString_internal const&) ]
Categories
(Core :: Graphics, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: fehe, Assigned: jfkthame)
References
()
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(3 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) Crash on loading linked page. Regression Window: Works: http://hg.mozilla.org/mozilla-central/rev/6ce98ed11af8 1262940916-20100108005516-6ce98ed11af8-firefox-3.7a1pre Crashes: http://hg.mozilla.org/mozilla-central/rev/99bb0c6877f0 1262950468-20100108033428-99bb0c6877f0-firefox-3.7a1pre Caused by: Bug 493280: restructure Windows font management based on cross-platform font-list classes. Crashing Thread Frame Module Signature [Expand] Source 0 xul.dll nsAString_internal::Assign xpcom/string/src/nsTSubstring.cpp:398 1 xul.dll gfxPlatformFontList::FindFontForChar gfx/thebes/src/gfxPlatformFontList.cpp:351 2 xul.dll gfxWindowsFontGroup::WhichSystemFontSupportsChar gfx/thebes/src/gfxWindowsFonts.cpp:1879 3 xul.dll gfxFontGroup::FindFontForChar 4 xul.dll gfxFontGroup::ComputeRanges gfx/thebes/src/gfxFont.cpp:1641 5 xul.dll gfxWindowsFontGroup::InitTextRunUniscribe gfx/thebes/src/gfxWindowsFonts.cpp:1920 6 xul.dll gfxWindowsFontGroup::InitTextRunGDI 7 xul.dll gfxWindowsFontGroup::MakeTextRun gfx/thebes/src/gfxWindowsFonts.cpp:741 8 xul.dll TextRunWordCache::MakeTextRun gfx/thebes/src/gfxTextRunWordCache.cpp:683 9 xul.dll MakeTextRun layout/generic/nsTextFrameThebes.cpp:436 10 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrameThebes.cpp:1798 11 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrameThebes.cpp:1229 12 xul.dll BuildTextRuns layout/generic/nsTextFrameThebes.cpp:1160 13 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrameThebes.cpp:1987 14 xul.dll nsTextFrame::Reflow layout/generic/nsTextFrameThebes.cpp:6208 15 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:852 16 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752 17 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546 18 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400 19 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439 20 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885 21 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993 22 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310 23 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3119 24 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2384 25 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885 26 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993 27 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310 28 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3119 29 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2384 30 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885 31 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993 32 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310 33 xul.dll nsBlockFrame::ReflowFloat layout/generic/nsBlockFrame.cpp:5677 34 xul.dll nsBlockReflowState::FlowAndPlaceFloat layout/generic/nsBlockReflowState.cpp:767 35 xul.dll nsBlockReflowState::AddFloat layout/generic/nsBlockReflowState.cpp:580 36 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:890 37 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752 38 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546 39 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400 40 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439 41 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885 42 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993 43 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:310 44 xul.dll nsBlockFrame::ReflowFloat layout/generic/nsBlockFrame.cpp:5677 45 xul.dll nsBlockReflowState::FlowAndPlaceFloat layout/generic/nsBlockReflowState.cpp:767 46 xul.dll nsBlockReflowState::AddFloat layout/generic/nsBlockReflowState.cpp:580 47 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:890 48 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3752 49 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3546 50 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3400 51 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2439 52 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1885 53 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:993 54 xul.dll nsAbsoluteContainingBlock::ReflowAbsoluteFrame layout/generic/nsAbsoluteContainingBlock.cpp:466 55 xul.dll nsAbsoluteContainingBlock::Reflow layout/generic/nsAbsoluteContainingBlock.cpp:156 Reproducible: Always Steps to Reproduce: 1. Load the linked URL 2. 3.
Component: General → Graphics
Keywords: crash,
regression
Product: Firefox → Core
Version: unspecified → Trunk
|
||
Comment 3•15 years ago
|
||
also majorly affecting thunderbird trunk bp-dda49921-ff6b-41be-bd6e-8b7d52100108
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 4•15 years ago
|
||
Additional crash reports: http://crash-stats.mozilla.com/report/index/c2a6b928-867c-4663-bf59-e42c82100108 http://crash-stats.mozilla.com/report/index/624a6af5-c8d2-4c84-ab16-effaa2100108
|
Assignee | |
Comment 5•15 years ago
|
||
(In reply to comment #2) > Created an attachment (id=420779) [details] > test case: Loading this will crash the browser This does not crash for me (running latest nightly build on Vista). I suspect it may depend on particular fonts, or on some unpredictable dynamic text that's part of the page. It would be helpful if you can cut this down to a *minimal* testcase, containing just the actual fragment of text that's triggering the crash (it's clearly text-related), and does not depend on a bunch of external stylesheets and other resources.
|
|
Assignee | |
Comment 6•15 years ago
|
||
I believe the crash is caused by an uninitialized field in the font fallback search structure, which can lead to us using an undefined value as a gfxFontEntry pointer. This should fix it.
Assignee: nobody → jfkthame
|
|
Assignee | |
Comment 7•15 years ago
|
||
Comment on attachment 420830 [details] [diff] [review] fix uninitialized structure field leading to potential crash No, that was not the real issue - forget that patch.
Attachment #420830 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 8•15 years ago
|
||
Font entries in the platform font-list are supposed to have a pointer back to their owning family; this was not being set in the GDI (or FT2) font lists. The result is a null dereference when we try to access the family name from a font entry.
Attachment #420838 -
Flags: review?(jdaggett)
|
||
Updated•15 years ago
|
Attachment #420838 -
Flags: review?(jdaggett) → review+
|
|
Assignee | |
Comment 10•15 years ago
|
||
Just to clarify, the crash occurs if you have a font installed that supports the character U+FFFD (the Unicode REPLACEMENT CHARACTER), and you view a page where font fallback is used to render this character, either because there's a literal U+FFFD (or an entity reference) in the page, or an encoding error that gets replaced by this. It will not crash if the U+FFFD is explicitly formatted in a font that actually supports it (so fallback does not occur), nor if you have no such font and we fall back to displaying a hexbox.
|
|
Assignee | |
Comment 11•15 years ago
|
||
(In reply to comment #9) > Created an attachment (id=420840) [details] > Reduced test case Thanks for this - as you'll see from the other comments, I believe we have isolated the issue. Your testcase hits this issue because it is not served with correct charset information, and so if the default encoding is set to UTF-8, then the intended "»" after Browse All Shows will be replaced by U+FFFD (because it is encoded as a single Windows-1252 byte that is not a valid UTF-8 sequence).
|
||
Comment 13•15 years ago
|
||
Just noticed this with Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20100108043818.
|
|
||
Comment 14•15 years ago
|
||
Steps to reproduce: 1. Install Charis SIL font locally: http://scripts.sil.org/CharisSIL_download 2. Open "Reduced test case" Result: crash
|
|
||
Comment 15•15 years ago
|
||
Fix tested and pushed http://hg.mozilla.org/mozilla-central/rev/2ec1983f96c6
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 16•15 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20100108213748 http://hg.mozilla.org/mozilla-central/rev/2ec1983f96c6
Status: RESOLVED → VERIFIED
|
|
||
Comment 17•15 years ago
|
||
The page and actions that triggered this crash for me now WFM. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100109 Minefield/3.7a1pre - Build ID: 20100109042837
|
||
Updated•13 years ago
|
Crash Signature: [@ nsAString_internal::Assign(nsAString_internal const&) ]
You need to log in
before you can comment on or make changes to this bug.
Description
•