Closed Bug 618592 Opened 15 years ago Closed 15 years ago

freeze on typekit

Categories

(Core :: Graphics, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED
mozilla2.0b8
Tracking Status
blocking2.0 --- beta8+

People

(Reporter: davida, Assigned: jfkthame)

Details

(Keywords: hang, regression)

Attachments

(2 files)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8pre) Gecko/20101210 Firefox/4.0b8pre

STRs:
1. Go to http://typekit.com/libraries/trial?tags=open+source
2. Click on next

Expected: going to next page
Actual: beachball, 100% CPU usage for a while, until I kill it.

very font-heavy page

marking blocker as it's a crasher, but don't know if that's right.

hang/freeze != crash, blocker=blocks development; crash, freeze or dataloss=critical :-)

I get the same freeze with Seamonkey trunk on win7 and also with FF4.0b7, and I will try to generate a stacktrace with 4.0b7.
Severity: blocker → critical
Keywords: hang
OS: Mac OS X → All
Summary: crash on typekit → freeze on typekit
FF4.0b7 hang analysis ( !analyze -v -hang ) from Windbg. I hope that I did it right:

002d2cc8 641f2e4c 0ace43e4 00000000 0000000d xul!GenericArrayOf<IntType<unsigned short>,ClassRangeRecord>::operator[]+0x8 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-open-type-private.hh @ 567]
002d2ce4 6423b70b 0ace43e2 0000000d 64270ee4 xul!ClassDefFormat2::get_class+0x2e [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 509]
002d2cf0 64270ee4 0ace43e2 0000000d 642d65b8 xul!ClassDef::get_class+0x2b [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 537]
002d2cfc 642d65b8 0000000d 0ace4400 0ace43e2 xul!match_class+0xd [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 74]
002d2d28 642e7a05 00000001 00000003 0ace4400 xul!match_input+0x91 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 105]
002d2d78 642f8c74 002d2e40 00000003 0ace4400 xul!context_lookup+0x2e [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 263]
002d2d9c 643055f4 0ace43fc 002d2e40 002d2de0 xul!Rule::apply+0x55 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 278]
002d2dbc 64316f02 0ace1000 002d2e40 002d2de0 xul!RuleSet::apply+0x46 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 312]
002d2dec 6431fadf 0ace43ca 002d2200 6432f64b xul!ContextFormat2::apply+0xa0 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 395]
002d2e04 64327bda 0ace43ca 002d2e40 6432f64b xul!Context::apply+0x41 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 476]
002d2e18 64329dec 002d2e40 00000005 00000034 xul!SubstLookupSubTable::apply+0x50 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsub-private.hh @ 718]
002d2e64 6432b165 0ace43c2 002d2ecc 0b28a700 xul!SubstLookup::apply_once+0x102 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsub-private.hh @ 810]
002d2e90 6432be07 0ace43c2 002d2ecc 0b28a700 xul!SubstLookup::apply_string+0x6d [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsub-private.hh @ 833]
002d2eac 6432ca16 0ace4380 002d2ecc 0b28a700 xul!GSUB::substitute_lookup+0x1e [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsub-private.hh @ 886]
002d2ee0 6407335b 0b2836e0 0b28a700 00000000 xul!hb_ot_layout_substitute_lookup+0x2c [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout.cc @ 569]
002d2f70 641f2e4c 641f2e52 0affe630 00000047 xul!hb_ot_shape+0x38b25b
002d2f8c 6423b70b 0affe62c 00000047 64270f49 xul!ClassDefFormat2::get_class+0x2e [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 509]
002d2f98 64270f49 0affe62c 00000047 0b009c82 xul!ClassDef::get_class+0x2b [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 537]
002d2fa8 641f2ec7 641f2ecd 0b009cea 00000047 xul!GDEF::get_glyph_class+0x21 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gdef-private.hh @ 336]
002d2fac 641f2ecd 0b009cea 00000047 0000000e xul!CoverageFormat2::get_coverage+0x32 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 385]
002d2fc4 6423b79b 00000012 00000047 64270ec9 xul!CoverageFormat2::get_coverage+0x38 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 386]
002d2fd0 64270ec9 0b009c80 00000047 002d3008 xul!Coverage::get_coverage+0x2e [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 415]
002d2fe0 642d6460 00000047 0b002200 0b009c5e xul!match_coverage+0x22 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 80]
002d3008 642e79a4 00000000 00000001 0b009c68 xul!match_lookahead+0xaa [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 160]
002d306c 641f2bb4 641f2be2 0affec7e 0affed56 xul!chain_context_lookup+0x95 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gsubgpos-private.hh @ 543]
002d3070 641f2be2 0affec7e 0affed56 002d3128 xul!ValueFormat::apply_value+0x97 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gpos-private.hh @ 103]
002d3090 641a39b3 00000000 0b0049f8 0b004e6c xul!ValueFormat::apply_value+0xc5 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gpos-private.hh @ 106]
002d30a0 641f2ec7 641f2ecd 0b004ebc 00000047 xul!ValueFormat::get_len+0x1d [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gpos-private.hh @ 86]
002d3148 6432b0d5 0affeb74 002d3188 0b28a680 xul!CoverageFormat2::get_coverage+0x32 [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-common-private.hh @ 385]
00000000 00000000 00000000 00000000 00000000 xul!PosLookup::apply_string+0x4b [e:\builds\moz2_slave\win32_build\build\gfx\harfbuzz\src\hb-ot-layout-gpos-private.hh @ 1541]

Setting gfx.font_rendering.harfbuzz.level to 0 fixes the hang for me!

Is harfbuzz enabled on OS X or did I just morph David's Bug?
blocking2.0: --- → ?
Component: General → Graphics
Keywords: regression
QA Contact: general → thebes
Harfbuzz is indeed enabled on OS X.
blocking2.0: ? → final+
Assignee: nobody → mozilla
Behdad, I think this is a harfbuzz bug. It's hanging in the loop of SubstLookup::apply_string, which says

    while (buffer->i < buffer->len)
    {
      if ((buffer->info[buffer->i].mask & mask) &&
          apply_once (layout, buffer, mask, NO_CONTEXT, MAX_NESTING_LEVEL))
        ret = true;
      else
        buffer->next_glyph ();
    }

This loop uses next_glyph() to iterate through the buffer if the rules *don't* match, and relies on apply_once() to advance the position (buffer->i) in the case where a rule *does* apply.

Normally, that's fine, but it seems that one of the fonts on that Typekit page has a Contextual Substitution (format 2) lookup with a Rule whose inputCount is zero. This means that apply_lookup() immediately returns true, but does not advance the current position in the buffer. Result: infinite loop.

A Rule with inputCount of zero doesn't seem very useful, so I think this is a font error, but it needs to be handled somehow. Rather than rejecting the table during sanitization, it should be easy to just ignore such a rule. A possible patch is attached; this fixes the hang on Typekit. But I don't know if this is the approach you want to take, or if there's a different level where you'd prefer to handle this.

Also, we should think whether there may be other cases that would run into similar problems.
Attachment #497107 - Flags: review?(mozilla)
On second thoughts, it'd make more sense to fix apply_lookup() so that it just returns false in this situation.
Attachment #497109 - Flags: review?(mozilla)
Attachment #497107 - Flags: review?(mozilla)
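The hang and the "return false if count==0" fix discussed in the two comments above, reduced to a small model. This is an added example, not HarfBuzz or Mozilla code: `Buffer`, `Rule`, `Result`, `run`, the two `apply_lookup_*` variants and the iteration cap are hypothetical names chosen for illustration, and the glyph values are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model: a shaping buffer with a cursor (like buffer->i) and a
// contextual rule that matches and consumes `input_count` glyphs.
struct Buffer {
    std::vector<unsigned> glyphs;
    std::size_t i;
    void next_glyph() { ++i; }
};
struct Rule { std::size_t input_count; };   // inputCount read from the font

// Before the fix: an empty rule consumes nothing yet reports "applied".
bool apply_lookup_unfixed(Buffer &b, const Rule &r) {
    if (b.i + r.input_count > b.glyphs.size()) return false;
    b.i += r.input_count;                   // advances by zero when input_count == 0
    return true;
}

// After the fix described in the bug: a zero-length rule never applies.
bool apply_lookup_fixed(Buffer &b, const Rule &r) {
    if (r.input_count == 0) return false;
    return apply_lookup_unfixed(b, r);
}

struct Result { bool terminated; std::size_t iterations; };

// Same shape as the apply_string loop quoted above, plus an iteration cap
// (demo only) so that a hang is reported as terminated == false.
template <typename Apply>
Result apply_string(Buffer &b, const Rule &r, Apply apply, std::size_t cap = 10000) {
    std::size_t n = 0;
    while (b.i < b.glyphs.size()) {
        if (++n > cap) return {false, n - 1};
        if (!apply(b, r)) b.next_glyph();   // only a non-match advances the cursor here
    }
    return {true, n};
}

// Runs the loop over a constructed 5-glyph buffer with the given rule length.
Result run(bool fixed, std::size_t input_count) {
    Buffer b{{10, 11, 12, 13, 14}, 0};
    Rule r{input_count};
    return fixed ? apply_string(b, r, apply_lookup_fixed)
                 : apply_string(b, r, apply_lookup_unfixed);
}

int main() {
    std::printf("unfixed, inputCount=0: terminated=%d\n", run(false, 0).terminated);
    std::printf("fixed,   inputCount=0: terminated=%d\n", run(true, 0).terminated);
}
```

The cap stands in for the wall-clock hang: any loop over font-controlled data where only one branch advances the cursor needs either a "no progress means no match" rule, as here, or an explicit bound.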
Right. We should return false unless a substitution was applied. I'll check them all and fix tomorrow.
Comment on attachment 497109: patch, v2 - fix the harfbuzz hang by making apply_lookup return false if count==0

LGTM. Pushing upstream.
Attachment #497109 - Flags: review?(mozilla) → review+
Assignee: mozilla → jfkthame
Let's take this in beta8. I'll mark as blocking as I know this is coming in shortly. If it doesn't, I'll punt it back to blocking final.
blocking2.0: final+ → beta8+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8