542550 - random talos crash at [@ gfxCoreTextFont::SetGlyphsFromRun]

Status: RESOLVED DUPLICATE of bug 540702

(Core :: Graphics, defect)

Description

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

New random talos crash:

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1264613476.1264614488.30894.gz
MacOSX Darwin 9.0.0 mozilla-central talos tp4 on 2010/01/27 09:31:16  

...
NOISE: Cycle 8: loaded http://localhost/page_load_test/tp4/www.warez-bb.org/www.warez-bb.org/index.html (next: http://localhost/page_load_test/tp4/www.thefreedictionary.com/www.thefreedictionary.com/index.html)
NOISE: Cycle 8: loaded http://localhost/page_load_test/tp4/www.thefreedictionary.com/www.thefreedictionary.com/index.html (next: http://localhost/page_load_test/tp4/www.nnm.ru/www.nnm.ru/index.html)
NOISE: 
NOISE: __FAILbrowser non-zero return code (256)__FAIL

Operating system: Mac OS X
                  10.5.2 9C7010
CPU: x86
     GenuineIntel family 6 model 15 stepping 2
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x247ffca0

Thread 0 (crashed)
 0  XUL!gfxCoreTextFont::SetGlyphsFromRun(gfxTextRun*, __CTRun const*, int, int, int) [gfxCoreTextFonts.cpp:ae8c17be0129 : 678 + 0x16]
    eip = 0x02a9b2c3   esp = 0xbfff1e60   ebp = 0xbfff21c8   ebx = 0x02a9af41
    esi = 0x00000001   edi = 0x24800008   eax = 0xffffff26   ecx = 0x00000001
    edx = 0x2618b990   efl = 0x00210293
    Found by: given as instruction pointer in context
 1  XUL!gfxCoreTextFont::InitTextRun(gfxTextRun*, unsigned short const*, unsigned int, unsigned int) [gfxCoreTextFonts.cpp:ae8c17be0129 : 523 + 0x2a]
    eip = 0x02a9bebf   esp = 0xbfff21d0   ebp = 0xbfff2238
    Found by: previous frame's frame pointer
 2  XUL!gfxFontGroup::InitTextRun(gfxTextRun*, unsigned short const*, unsigned int) [gfxFont.cpp:ae8c17be0129 : 1761 + 0x23]
    eip = 0x02a882f0   esp = 0xbfff2240   ebp = 0xbfff2388
    Found by: previous frame's frame pointer
 3  XUL!gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) [gfxFont.cpp:ae8c17be0129 : 1725 + 0x1c]
    eip = 0x02a88845   esp = 0xbfff2390   ebp = 0xbfff23b8
    Found by: previous frame's frame pointer
 4  XUL!TextRunWordCache::MakeTextRun(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) [gfxTextRunWordCache.cpp:ae8c17be0129 : 683 + 0x2a]
    eip = 0x02a95011   esp = 0xbfff23c0   ebp = 0xbfff2a68
    Found by: previous frame's frame pointer
 5  XUL!gfxTextRunWordCache::MakeTextRun(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) [gfxTextRunWordCache.cpp:ae8c17be0129 : 992 + 0x2a]
    eip = 0x02a950b4   esp = 0xbfff2a70   ebp = 0xbfff2a98
    Found by: previous frame's frame pointer
 6  XUL!BuildTextRunsScanner::BuildTextRunForFrames(void*) [nsTextFrameThebes.cpp:ae8c17be0129 : 436 + 0x32]
    eip = 0x0219e991   esp = 0xbfff2aa0   ebp = 0xbfff3f08
    Found by: previous frame's frame pointer
 7  XUL!BuildTextRunsScanner::FlushFrames(int, int) [nsTextFrameThebes.cpp:ae8c17be0129 : 1229 + 0xe]
    eip = 0x0219eee2   esp = 0xbfff3f10   ebp = 0xbfff4f68
    Found by: previous frame's frame pointer
...



Maybe a regression from bug 541277?

Comment 1

[Smokey Ardisson (offline for a while; not following bugs - do not email)]

Hiding this because it seems to be the same thing as bug 540702 (both are at line 678 after bug 541277 landed), which is hidden.  Apologies if that's not right.

Comment 2

[Jonathan Kew [:jfkthame]]

Not specifically a regression from bug 541277, though that may have made it show up more readily by altering the cluster-scanning behavior. I believe this is the same error as bug 540702, and will go away when that is fixed.