Closed Bug 664200 Opened 14 years ago Closed 9 years ago

http://ohinternet.com/Zalgo crashes Firefox in gfxHarfBuzzShaper::SetGlyphsFromRun

Categories

(Core :: Layout: Text and Fonts, defect)

Platform: All
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED INVALID

People

(Reporter: pcwalton, Unassigned)

Details

(Keywords: crash)

Crash Data

I get a crash on Mac Nightly 7.0a1 2011-06-14 when visiting http://ohinternet.com/Zalgo.
Keywords: crash
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff881d25d6 __kill + 10
1 libSystem.B.dylib 0x00007fff88272cd6 abort + 83
2 libSystem.B.dylib 0x00007fff8826190d szone_error + 519
3 libSystem.B.dylib 0x00007fff8818dc43 tiny_free_list_remove_ptr + 251
4 libSystem.B.dylib 0x00007fff8818c355 szone_realloc + 637
5 libSystem.B.dylib 0x00007fff8818c09b malloc_zone_realloc + 92
6 libSystem.B.dylib 0x00007fff88198132 realloc + 169
7 libmozalloc.dylib 0x0000000102fd8b7f moz_xrealloc + 31
8 XUL 0x00000001000449b2 nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int, unsigned int) + 146
9 XUL 0x0000000100eba3cf gfxHarfBuzzShaper::SetGlyphsFromRun(gfxContext*, gfxTextRun*, _hb_buffer_t*, unsigned int, unsigned int) + 1775
10 XUL 0x0000000100ebac03 gfxHarfBuzzShaper::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int) + 819
11 XUL 0x0000000100e98734 gfxFont::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int, int) + 212
12 XUL 0x0000000100ec2ea4 gfxMacFont::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int, int) + 68
13 XUL 0x0000000100e9a305 gfxFont::SplitAndInitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int) + 389
14 XUL 0x0000000100ea4147 gfxFontGroup::InitScriptRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, unsigned int, int) + 311
15 XUL 0x0000000100ea60aa gfxFontGroup::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int) + 330
16 XUL 0x0000000100ea63c5 gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) + 101
17 XUL 0x0000000100eb45a5 TextRunWordCache::MakeTextRun(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) + 2357
18 XUL 0x00000001002d0209 BuildTextRunsScanner::BuildTextRunForFrames(void*) + 5817
19 XUL 0x00000001002d0410 BuildTextRunsScanner::FlushFrames(int, int) + 256
20 XUL 0x00000001002d11a4 nsTextFrame::EnsureTextRun(gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) + 1620
21 XUL 0x00000001002d3470 nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, int, nsHTMLReflowMetrics&, unsigned int&) + 800
22 XUL 0x00000001002aa89e nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, int&) + 798
23 XUL 0x000000010025aaf0 nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) + 96
24 XUL 0x00000001002612fd nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, int*, LineReflowStatus*, int) + 461
25 XUL 0x000000010026196f nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, int*) + 431
26 XUL 0x0000000100261cce nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 558
27 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
28 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
29 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
30 XUL 0x000000010025f7cb nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, int*) + 1115
31 XUL 0x0000000100261b17 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 119
32 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
33 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
34 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
35 XUL 0x000000010025f7cb nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, int*) + 1115
36 XUL 0x0000000100261b17 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 119
37 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
38 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
39 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
40 XUL 0x000000010025964c nsBlockFrame::ReflowFloat(nsBlockReflowState&, nsRect const&, nsIFrame*, nsMargin&, int, unsigned int&) + 412
41 XUL 0x000000010026757a nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) + 2922
42 XUL 0x000000010026781d nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) + 301
43 XUL 0x00000001002ab4ea nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, int&) + 3946
44 XUL 0x000000010025aaf0 nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) + 96
45 XUL 0x00000001002612fd nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, int*, LineReflowStatus*, int) + 461
46 XUL 0x000000010026196f nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, int*) + 431
47 XUL 0x0000000100261cce nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 558
48 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
49 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
50 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
51 XUL 0x000000010025f7cb nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, int*) + 1115
52 XUL 0x0000000100261b17 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 119
53 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
54 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
55 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
56 XUL 0x000000010025f7cb nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, int*) + 1115
57 XUL 0x0000000100261b17 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 119
58 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
59 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
60 XUL 0x0000000100265325 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) + 245
61 XUL 0x000000010025f7cb nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, int*) + 1115
62 XUL 0x0000000100261b17 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) + 119
63 XUL 0x0000000100262593 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) + 1507
64 XUL 0x0000000100263734 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 852
65 XUL 0x000000010026f48a nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) + 154
66 XUL 0x0000000100298b45 nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 885
67 XUL 0x000000010026f48a nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) + 154
68 XUL 0x000000010028b300 nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, int, int, nsHTMLReflowMetrics*, int) + 528
69 XUL 0x00000001002904ab nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) + 251
70 XUL 0x00000001002927ee nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 558
71 XUL 0x000000010026f48a nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) + 154
72 XUL 0x00000001002dc976 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) + 502
73 XUL 0x000000010022f77e PresShell::DoReflow(nsIFrame*, int) + 590
74 XUL 0x000000010023167e PresShell::ProcessReflowCommands(int) + 366
75 XUL 0x00000001002318df PresShell::FlushPendingNotifications(mozFlushType) + 415
76 XUL 0x0000000100237c21 nsRefreshDriver::Notify(nsITimer*) + 3089
77 XUL 0x0000000100e4b614 nsTimerImpl::Fire() + 372
78 XUL 0x0000000100e4b748 nsTimerEvent::Run() + 56
79 XUL 0x0000000100e48043 nsThread::ProcessNextEvent(int, int*) + 435
80 XUL 0x0000000100e035ce NS_ProcessPendingEvents_P(nsIThread*, unsigned int) + 78
81 XUL 0x0000000100ce644d nsBaseAppShell::NativeEventCallback() + 93
82 XUL 0x0000000100cb0527 nsAppShell::ProcessGeckoEvents(void*) + 423
83 com.apple.CoreFoundation 0x00007fff87fa8401 __CFRunLoopDoSources0 + 1361
84 com.apple.CoreFoundation 0x00007fff87fa65f9 __CFRunLoopRun + 873
85 com.apple.CoreFoundation 0x00007fff87fa5dbf CFRunLoopRunSpecific + 575
86 com.apple.HIToolbox 0x00007fff8479c7ee RunCurrentEventLoopInMode + 333
87 com.apple.HIToolbox 0x00007fff8479c551 ReceiveNextEventCommon + 148
88 com.apple.HIToolbox 0x00007fff8479c4ac BlockUntilNextEventMatchingListInMode + 59
89 com.apple.AppKit 0x00007fff88408e64 _DPSNextEvent + 718
90 com.apple.AppKit 0x00007fff884087a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
91 com.apple.AppKit 0x00007fff883ce48b -[NSApplication run] + 395
92 XUL 0x0000000100cafebd nsAppShell::Run() + 45
93 XUL 0x0000000100b19644 nsAppStartup::Run() + 52
94 XUL 0x0000000100016eff XRE_main + 12015
95 org.mozilla.nightly 0x0000000100000af7 main + 231
96 org.mozilla.nightly 0x0000000100000954 start + 52
Component: General → Layout: Text
QA Contact: general → layout.fonts-and-text
Summary: http://ohinternet.com/Zalgo crashes Firefox → http://ohinternet.com/Zalgo crashes Firefox in gfxHarfBuzzShaper::SetGlyphsFromRun
Strangely, I don't see the crash reporter come up, and there's no recorded crash in about:crashes.
Crash Signature: [@ gfxHarfBuzzShaper::SetGlyphsFromRun]
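The crash signature above is reached by walking past the abort and allocator frames at the top of the stack (__kill, abort, szone_error, the realloc path, moz_xrealloc and the generic nsTArray_base growth code) until the first frame that names the code whose realloc tripped the allocator's metadata check. The following is an added example, not code from this bug or from Mozilla's Socorro: a small Python parser for the Mac crash-log frame format quoted in comment 1, with a constructed skip list that approximates how a signature such as [@ gfxHarfBuzzShaper::SetGlyphsFromRun] is derived. SAMPLE_TRACE is the first twelve frames copied from the report; the skip lists, the Frame type and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt: the first twelve frames of the crashed thread quoted in
# comment 1 of this bug, copied verbatim (addresses and offsets are the report's).
SAMPLE_TRACE = """\
0 libSystem.B.dylib 0x00007fff881d25d6 __kill + 10
1 libSystem.B.dylib 0x00007fff88272cd6 abort + 83
2 libSystem.B.dylib 0x00007fff8826190d szone_error + 519
3 libSystem.B.dylib 0x00007fff8818dc43 tiny_free_list_remove_ptr + 251
4 libSystem.B.dylib 0x00007fff8818c355 szone_realloc + 637
5 libSystem.B.dylib 0x00007fff8818c09b malloc_zone_realloc + 92
6 libSystem.B.dylib 0x00007fff88198132 realloc + 169
7 libmozalloc.dylib 0x0000000102fd8b7f moz_xrealloc + 31
8 XUL 0x00000001000449b2 nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int, unsigned int) + 146
9 XUL 0x0000000100eba3cf gfxHarfBuzzShaper::SetGlyphsFromRun(gfxContext*, gfxTextRun*, _hb_buffer_t*, unsigned int, unsigned int) + 1775
10 XUL 0x0000000100ebac03 gfxHarfBuzzShaper::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int) + 819
11 XUL 0x0000000100e98734 gfxFont::InitTextRun(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int, int) + 212
"""


@dataclass
class Frame:
    index: int
    module: str
    address: int
    symbol: str   # function plus argument list, exactly as the crash log prints it
    offset: int   # byte offset of the return address into the function


# One frame: "<index> <module> 0x<addr> <symbol> + <offset>". The symbol is matched
# non-greedily up to the first " + <digits>", so argument lists containing spaces
# and commas survive. DOTALL lets the same pattern work on the run-together form
# the trace has on this bug page, where line breaks fell inside frames.
FRAME_RE = re.compile(r"(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s\+\s(\d+)", re.DOTALL)

# Constructed approximation of a Socorro-style skip list (assumption, not the
# real lists): frames on the abort/allocator path are "irrelevant", generic
# container code is a "prefix"; neither may become the signature.
IRRELEVANT_FUNCTIONS = {
    "__kill", "abort", "szone_error", "tiny_free_list_remove_ptr",
    "szone_realloc", "malloc_zone_realloc", "realloc", "moz_xrealloc",
}
PREFIX_FUNCTIONS = ("nsTArray_base",)


def parse_frames(text: str) -> List[Frame]:
    """Extract every frame in order; text that does not match a frame is skipped."""
    return [
        Frame(int(idx), module, int(addr, 16), " ".join(sym.split()), int(off))
        for idx, module, addr, sym, off in FRAME_RE.findall(text)
    ]


def function_name(frame: Frame) -> str:
    """Strip the argument list so overloads collapse to one name for bucketing."""
    return frame.symbol.split("(", 1)[0]


def crash_signature(frames: List[Frame]) -> str:
    """First frame that is neither irrelevant nor a prefix, in Socorro's [@ ...] form."""
    for frame in frames:
        name = function_name(frame)
        if name in IRRELEVANT_FUNCTIONS or name.startswith(PREFIX_FUNCTIONS):
            continue
        return f"[@ {name}]"
    return "[@ unknown]"


def allocator_detected(frames: List[Frame]) -> bool:
    """True when the top of the stack is the system allocator aborting on its own
    free-list check (szone_error). The signature frame then names the caller that
    tripped the check, which need not be the code that damaged the heap earlier."""
    names = [function_name(f) for f in frames[:8]]
    return "szone_error" in names and "abort" in names


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_TRACE)
    for f in frames:
        print(f"{f.index:>3} {f.module:<20} {f.address:#018x} {function_name(f)} + {f.offset}")
    print("signature:", crash_signature(frames))
    print("allocator-detected corruption:", allocator_detected(frames))
```

Run on the excerpt it yields [@ gfxHarfBuzzShaper::SetGlyphsFromRun], matching the Crash Signature field; allocator_detected() is the triage hint that the abort came from the allocator's own consistency check, so the named frame is where the damage was noticed rather than necessarily where it was done.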
Ted, any idea what's up with comment 2? I'd think abort() would cause us to run crashreporter...
abort definitely does not reliably trigger Breakpad on all platforms, see: http://mxr.mozilla.org/mozilla-central/source/memory/mozalloc/mozalloc_abort.cpp#70
pbiggar has been poking at OS X malloc stuff in the jemalloc-on-OSX bug...
(In reply to comment #5)
> pbiggar has been poking at OS X malloc stuff in the jemalloc-on-OSX bug...

I don't think I've anything useful to contribute here - the signature makes it look like a traditional memory bug.
Severity: normal → critical
Obsolete.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID