Closed Bug 645072 Opened 9 years ago Closed 9 years ago

mozilla-central (4.2a1pre) topcrash [@ nsTextFragment::CharAt(int)] with crash address 0x0 or at [@ PropertyProvider::GetHyphenationBreaks ]

Categories: Core :: Layout: Text and Fonts, defect, P1
Tracking: RESOLVED FIXED, mozilla5
People: Reporter: dbaron, Assigned: dbaron
Keywords: crash, topcrash
Attachments: 2 files

Starting with yesterday's third nightly, there have been a bunch of crashes at nsTextFragment::CharAt(int), with crash address 0x0 (which could mean a null-dereference, although there are other reasons it could be happening).

A link to all such crashes in nightlies for the past 4 weeks or so (and going a few days into the future -- note it's a dated query) is:
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.2a1pre&version=Firefox%3A4.0b13pre&version=Firefox%3A4.0b12pre&version=Firefox%3A4.0b11pre&version=Firefox%3A4.0b10pre&query_search=signature&query_type=exact&query=nsTextFragment%3A%3ACharAt%28int%29&date=03%2F28%2F2011%2000%3A00%3A00&range_value=4&range_unit=weeks&hang_type=crash&process_type=browser&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsTextFragment%3A%3ACharAt%28int%29

The regression range based on the fact that these started appearing in the 20110324144234 nightly is most likely in:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=868be4c08700&tochange=0798b52bb40d
Of the crashes that have a URL in the crash report, all but one are .ru sites.
The stack is:

0  xul.dll  nsTextFragment::CharAt  obj-firefox/dist/include/nsTextFragment.h:205
1  xul.dll  PropertyProvider::GetHyphenationBreaks  layout/generic/nsTextFrameThebes.cpp:2848
2  xul.dll  nsTextFrame::AddInlineMinWidthForFlow

Looking through the changes a little more closely, I think the most likely cause is:

http://hg.mozilla.org/mozilla-central/rev/25beb9ced8d2
user:        Jonathan Kew <jfkthame@gmail.com>
date:        Thu Mar 24 15:22:37 2011 +0000
summary:     bug 418975 - support soft hyphen when calculating min width for table and fieldset. r=roc
I can crash reliably on Linux loading http://beon.ru/ .  (One of the URLs in crash-stats.)

bp-e75c21ca-58d2-4dd7-990c-fee3a2110325
bp-3c8ea755-cdd7-4567-b489-ca3652110325
OS: Windows XP → All
Hardware: x86 → All
Summary: mozilla-central (4.2a1pre) topcrash [@ nsTextFragment::CharAt(int)] with crash address 0x0 → mozilla-central (4.2a1pre) topcrash [@ nsTextFragment::CharAt(int)] with crash address 0x0 or at [@ PropertyProvider::GetHyphenationBreaks ]
BTW, I submitted a lot of crash reports on Linux while simplifying the testcase.
(In reply to comment #3)
> Looking through the changes a little more closely, I think the most likely
> cause is:
> 
> http://hg.mozilla.org/mozilla-central/rev/25beb9ced8d2
> user:        Jonathan Kew <jfkthame@gmail.com>
> date:        Thu Mar 24 15:22:37 2011 +0000
> summary:     bug 418975 - support soft hyphen when calculating min width for
> table and fieldset. r=roc

I confirmed this locally.  I plan to back out the change for now.
I (a) backed out the patch that caused it (b) instead of backing out the tests that were added in a separate changeset, I marked them failing (and checked that they all failed) and (c) added the above simplified testcase as a crashtest:

https://hg.mozilla.org/mozilla-central/rev/5c844a79e5c1
https://hg.mozilla.org/mozilla-central/rev/f1d26af4c57b
https://hg.mozilla.org/mozilla-central/rev/1d3457c061ff
Assignee: nobody → dbaron
Status: NEW → RESOLVED
Closed: 9 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.2
Attached file testcase 2
Duplicate of this bug: 645139
I landed Jesse's testcase from comment #9 as an additional crashtest:
http://hg.mozilla.org/mozilla-central/rev/868c4316d7ed
Crash Signature: [@ nsTextFragment::CharAt(int)] [@ PropertyProvider::GetHyphenationBreaks ]