Closed Bug 593928 Opened 14 years ago Closed 14 years ago

Infinite recursion in SMIL at SVG Example page (leading to stack overflow in harfbuzz [@ setup_lookups ])

Categories

(Core :: SVG, defect)

x86
All
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 572938
Tracking Status
blocking2.0 --- final+

People

(Reporter: Matti, Assigned: dholbert)


Details

(Keywords: crash, regression)

Crash Data

Mozilla/5.0 (Windows NT 6.1; rv:2.0b6pre) Gecko/20100906 SeaMonkey/2.1b1pre

1) load http://svg.kvalitne.cz/cavern/100/cavern.xhtmlz
2) crash

bp-7cbaf5b8-5901-44f5-9477-bce302100906
bp-f59c5fdd-0c7f-41d5-bc14-352052100906
bp-0b648a39-c37e-4c4d-899d-6b9372100906
bp-07c45ab7-2931-4832-911a-b5afd2100906

0  	seamonkey.exe  	setup_lookups  	 gfx/harfbuzz/src/hb-ot-shape.cc:259
1 	seamonkey.exe 	hb_ot_substitute_complex 	gfx/harfbuzz/src/hb-ot-shape.cc:390
2 	seamonkey.exe 	hb_ot_shape 	gfx/harfbuzz/src/hb-ot-shape.cc:616
3 	seamonkey.exe 	gfxHarfBuzzShaper::InitTextRun 	gfx/thebes/gfxHarfBuzzShaper.cpp:852
4 	seamonkey.exe 	gfxFont::InitTextRun 	gfx/thebes/gfxFont.cpp:1338
5 	seamonkey.exe 	gfxFontGroup::InitTextRun 	gfx/thebes/gfxFont.cpp:2245
6 	seamonkey.exe 	gfxFontGroup::InitTextRun 	gfx/thebes/gfxFont.cpp:2213
7 	seamonkey.exe 	gfxFontGroup::MakeTextRun 	gfx/thebes/gfxFont.cpp:2188
8 	seamonkey.exe 	TextRunWordCache::MakeTextRun 	gfx/thebes/gfxTextRunWordCache.cpp:693
9 	seamonkey.exe 	gfxTextRunWordCache::MakeTextRun 	gfx/thebes/gfxTextRunWordCache.cpp:1002
blocking2.0: --- → ?
blocking2.0: ? → final+
Assignee: nobody → jfkthame
This is not a harfbuzz crash, it's a stack overflow that just happens to show up within harfbuzz but it's happening because of infinite recursion in the SMIL code. Looking at the crash reports, a sequence of frames such as:

32	seamonkey.exe	nsSMILCompositor::ComposeAttribute	content/smil/nsSMILCompositor.cpp:111
33	seamonkey.exe	DoComposeAttribute	content/smil/nsSMILAnimationController.cpp:311
34	seamonkey.exe	nsTHashtable<nsUniCharEntry>::s_EnumStub	objdir/mozilla/dist/include/nsTHashtable.h:420
35	xpcom_core.dll	PL_DHashTableEnumerate	objdir/mozilla/xpcom/build/pldhash.c:754
36	seamonkey.exe	nsTHashtable<nsPtrHashKey<nsFontFaceLoader> >::EnumerateEntries	objdir/mozilla/dist/include/nsTHashtable.h:241
37	seamonkey.exe	nsSMILAnimationController::DoSample	content/smil/nsSMILAnimationController.cpp:400
38	seamonkey.exe	PresShell::FlushPendingNotifications	layout/base/nsPresShell.cpp:4775
39	seamonkey.exe	nsComputedDOMStyle::GetStyleContextForElement	layout/style/nsComputedDOMStyle.cpp:333
40	seamonkey.exe	LookupStyleContext	layout/style/nsStyleAnimation.cpp:1628
41	seamonkey.exe	StyleWithDeclarationAdded	layout/style/nsStyleAnimation.cpp:1663
42	seamonkey.exe	nsStyleAnimation::ComputeValue	layout/style/nsStyleAnimation.cpp:1699
43	seamonkey.exe	ValueFromStringHelper	content/smil/nsSMILCSSValueType.cpp:354
44	seamonkey.exe	nsSMILCSSValueType::ValueFromString	content/smil/nsSMILCSSValueType.cpp:389
45	seamonkey.exe	nsSMILCSSProperty::GetBaseValue	content/smil/nsSMILCSSProperty.cpp:148

repeats over and over..... here they are, some 16000+ frames later:

16454	seamonkey.exe	nsSMILCompositor::ComposeAttribute	content/smil/nsSMILCompositor.cpp:111
16455	seamonkey.exe	DoComposeAttribute	content/smil/nsSMILAnimationController.cpp:311
16456	seamonkey.exe	nsTHashtable<nsUniCharEntry>::s_EnumStub	objdir/mozilla/dist/include/nsTHashtable.h:420
16457	xpcom_core.dll	PL_DHashTableEnumerate	objdir/mozilla/xpcom/build/pldhash.c:754
16458	seamonkey.exe	nsTHashtable<nsPtrHashKey<nsFontFaceLoader> >::EnumerateEntries	objdir/mozilla/dist/include/nsTHashtable.h:241
16459	seamonkey.exe	nsSMILAnimationController::DoSample	content/smil/nsSMILAnimationController.cpp:400
16460	seamonkey.exe	PresShell::FlushPendingNotifications	layout/base/nsPresShell.cpp:4775
16461	seamonkey.exe	nsComputedDOMStyle::GetStyleContextForElement	layout/style/nsComputedDOMStyle.cpp:333
16462	seamonkey.exe	LookupStyleContext	layout/style/nsStyleAnimation.cpp:1628
16463	seamonkey.exe	StyleWithDeclarationAdded	layout/style/nsStyleAnimation.cpp:1663
16464	seamonkey.exe	nsStyleAnimation::ComputeValue	layout/style/nsStyleAnimation.cpp:1699
16465	seamonkey.exe	ValueFromStringHelper	content/smil/nsSMILCSSValueType.cpp:354
16466	seamonkey.exe	nsSMILCSSValueType::ValueFromString	content/smil/nsSMILCSSValueType.cpp:389
16467	seamonkey.exe	nsSMILCSSProperty::GetBaseValue	content/smil/nsSMILCSSProperty.cpp:148
16468	seamonkey.exe	nsSMILCompositor::ComposeAttribute	content/smil/nsSMILCompositor.cpp:111

With this recursion going on, a stack overflow is inevitable sooner or later, and it happens to occur within harfbuzz code called from the SMIL stuff.

BTW, I tried loading the example page in a Mac debug build, and it spewed a couple of assertions:

###!!! ASSERTION: Registering content during sample.: '!mRunningSample', file /Users/jonathan/mozdev/mc-ots/content/smil/nsSMILAnimationController.cpp, line 190
###!!! ASSERTION: Unregistering content during sample.: '!mRunningSample', file /Users/jonathan/mozdev/mc-ots/content/smil/nsSMILAnimationController.cpp, line 206

over and over again before finally crashing; a backtrace at that point listed over 43,000 stack frames, showing the same pattern of infinite recursion leading to an eventual stack overflow.
OS: Windows 7 → All
Summary: Crash in HarfBuzz at SVG Example page [@ setup_lookups ] → Infinite recursion in SMIL at SVG Example page (leading to stack overflow in harfbuzz [@ setup_lookups ])
Assignee: jfkthame → nobody
Assignee: nobody → dholbert
Assignee: dholbert → nobody
Component: Graphics → SVG
QA Contact: thebes → general
Assignee: nobody → dholbert
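The re-entrant cycle jfkthame describes (DoSample enumerates compositors, ComposeAttribute asks for a base value, computing it flushes pending notifications, and the flush samples the controller again) modelled as an added C++ example. This is a constructed illustration written for this page, not Gecko code and not the fix from bug 572938, which the page does not show; the class and member names only mirror the frames in the trace, and `mGuardReentry`, `mMaxDepth`, `SampleScope` and `RunSample` are hypothetical. It shows why a bare `!mRunningSample` assertion records the re-entry but does not stop it: a debug build prints the assertion and keeps recursing until the stack is gone, while a guard that returns from the nested sample bounds the recursion.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Toy model (constructed for this example) of the re-entrant call pattern in
// the stack trace. A recursion-depth counter stands in for the real stack.

struct Controller;

struct Compositor {
  Controller* owner;
  void ComposeAttribute(std::size_t depth);  // counterpart of nsSMILCompositor::ComposeAttribute
};

// RAII helper: sets the "sample in progress" flag and clears it on any exit.
struct SampleScope {
  bool& flag;
  explicit SampleScope(bool& f) : flag(f) { flag = true; }
  ~SampleScope() { flag = false; }
};

struct Controller {
  bool mRunningSample = false;   // the flag the page's assertions check
  bool mGuardReentry;            // hypothetical: true = refuse a re-entrant sample
  std::size_t mMaxDepth;         // constructed stand-in for the thread's stack limit
  std::size_t mSamples = 0;      // completed sample passes
  std::size_t mSkipped = 0;      // re-entrant samples refused by the guard
  std::vector<Compositor> mCompositors;

  Controller(bool guard, std::size_t maxDepth)
      : mGuardReentry(guard), mMaxDepth(maxDepth) {}

  // Counterpart of nsSMILAnimationController::DoSample.
  void DoSample(std::size_t depth) {
    if (mRunningSample) {
      // This is where the page's "Registering content during sample" assertion
      // fires. An assertion alone only logs; the guarded variant also stops.
      if (mGuardReentry) { ++mSkipped; return; }
    }
    if (depth > mMaxDepth) throw std::runtime_error("stack overflow (model)");
    SampleScope running(mRunningSample);
    ++mSamples;
    for (Compositor& c : mCompositors) c.ComposeAttribute(depth + 1);
  }

  // Counterpart of PresShell::FlushPendingNotifications: a flush may sample.
  void FlushPendingNotifications(std::size_t depth) { DoSample(depth + 1); }

  // Counterpart of nsSMILCSSProperty::GetBaseValue -> ValueFromString ->
  // nsStyleAnimation::ComputeValue -> LookupStyleContext -> flush.
  int GetBaseValue(std::size_t depth) {
    FlushPendingNotifications(depth + 1);
    return 0;  // the value itself is irrelevant to the model
  }
};

void Compositor::ComposeAttribute(std::size_t depth) {
  owner->GetBaseValue(depth + 1);
}

// Runs one sample pass on a controller with a single compositor.
// Returns true if the pass terminated, false if the model ran out of "stack"
// (the real-world outcome: a crash in whatever frame happens to be on top,
// here harfbuzz). samplesOut receives the number of completed sample passes.
bool RunSample(bool guardReentry, std::size_t maxDepth,
               std::size_t* samplesOut = nullptr) {
  Controller ctrl(guardReentry, maxDepth);
  ctrl.mCompositors.push_back(Compositor{&ctrl});
  try {
    ctrl.DoSample(0);
  } catch (const std::runtime_error&) {
    return false;
  }
  if (samplesOut) *samplesOut = ctrl.mSamples;
  return true;
}

int main() {
  std::size_t n = 0;
  bool unguarded = RunSample(false, 200);      // false: unbounded recursion
  bool guarded = RunSample(true, 200, &n);     // true, n == 1
  return (!unguarded && guarded && n == 1) ? 0 : 1;
}
```

The depth limit of 200 is arbitrary; with the unguarded variant every cycle adds four frames and the limit is hit regardless of its value, which is the same conclusion the 16,000- and 43,000-frame backtraces above reach. Whether the real code should skip the nested sample, defer it, or avoid the flush inside base-value computation is a design decision the page leaves to bug 572938.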
Almost certainly a duplicate of bug 572938.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ setup_lookups ]