Closed Bug 801400 Opened 10 years ago Closed 8 years ago

Font size change/increase Thunderbird crashes @ _chkstk in chkstk.asm

Categories

(Thunderbird :: Message Compose Window, defect)

16 Branch
defect
Not set
critical

Tracking

(thunderbird18?)

RESOLVED WORKSFORME
Tracking Status
thunderbird18 ? ---

People

(Reporter: bart, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [regression:TB16][stack comment 9])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:

I started typing a new mail.

For some reason since a while (before the update of today to 16.0.1) my default font size is too small, so after I typed a few lines I pressed CTRL-A to select all text, and then I clicked the button to increase the font size.

I decided I did not want to send the mail anyway, so I closed the window. After searching another mail to find an address of someone, I clicked the address and composed a new mail to that person. I did the same: selected all text and pressed the button to increase font size.



Actual results:

The first time I pressed the button to increase the font size, every line got a bigger font size than the previous one. So the first line was small size, the second line had a bigger size,...and so on...very weird!
See picture of this attached: they were 4 lines of the same size.

The second time (the mail to the other person), Thunderbird just crashed: it was gone completely. Without warning or errors...just suddenly gone.


Expected results:

Font size should just have increased equally for all lines, and Thunderbird should not just crash/quit without reason.
(In reply to Wayne Mery (:wsmwk) from comment #1)
> so no crash ID?
> https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports

Also, did you try with extensions disabled?
(In reply to Wayne Mery (:wsmwk) from comment #1)
> so no crash ID?
> https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports

I got the window that allowed me to notify Mozilla of this, and send a report, but when I clicked the 'Details'-button, nothing happened. I submitted the report a few times already though...but I don't know what's inside it.
(In reply to Ludovic Hirlimann [:Usul] from comment #2)
> (In reply to Wayne Mery (:wsmwk) from comment #1)
> > so no crash ID?
> > https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports
> 
> Also, did you try with extensions disabled?

Just tried and had the same issues: I typed a few lines of text (short lines, entering after each line, not wrapping), then pressed CTRL-A to select all text, and then every next line was shown in a bigger font size than the previous one. Sometimes in pretty random sizes even, and sometimes Thunderbird crashes (not always).
(In reply to bart from comment #3)
> (In reply to Wayne Mery (:wsmwk) from comment #1)
> > so no crash ID?
> > https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports
> 
> I got the window that allowed me to notify Mozilla of this, and send a
> report, but when I clicked the 'Details'-button, nothing happened. I
> submitted the report a few times already though...but I don't know what's
> inside it.

Just for the record: I disabled all extensions...is that enough or is there some kind of a safe mode that behaves differently than just disabling all extensions?
Details button and info is not useful.  Please look at the link I provided
(In reply to Wayne Mery (:wsmwk) from comment #6)
> Details button and info is not useful.  Please look at the link I provided

Sorry, I read your post too quickly.
There are two IDs:

https://crash-stats.mozilla.com/report/index/bp-2846f089-c262-4b05-bf53-a06852121015
https://crash-stats.mozilla.com/report/index/bp-b76de2d6-2240-4232-bfbd-1b4932121014

Thanks
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 607368
bart, this is really easy for you to reproduce?

BuildTextRunsScanner::BuildTextRunForFrames is not in the reporter's stacks, so I'm not 100% sure this is the same as what bug 607368 currently describes.  But I could be wrong : )  I suppose it depends on whether the likes of Firefox bp-0a4b4020-bb73-4698-b516-d9ef12121013 (whose stack matches this bug) is the same as bug 607368
Severity: normal → critical
Depends on: 607368
Keywords: crash
I don't think this is a dupe of 607368. That's basically just an out-of-memory DoS script. This seems to be describing a genuine bug where font-size increases are not being handled correctly ("every next line was shown in a bigger font size than the previous one", "sometimes random sizes"), and whatever's broken there may be leading to a possible crash - perhaps triggered by huge sizes that lead to coordinate overflows or something like that.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
#9 crash for TB16.0.1 and a regression

bp-2846f089-c262-4b05-bf53-a06852121015
0|0|xul.dll|_chkstk|f:/dd/vctools/crt_bld/SELF_X86/crt/src/INTEL/chkstk.asm|99|0x0
1|0|ntdll.dll|NtGetContextThread|||0x12
1|1|ntdll.dll|NtClose|||0x11
1|2|kernel32.dll||||0x11437
2|0|ntdll.dll|ZwWaitForWorkViaWorkerFactory|||0x12
2|1|ntdll.dll|TppTimerpSet|||0x24d
2|2|kernel32.dll||||0x133a9
2|3|ntdll.dll|__RtlUserThreadStart|||0x26
2|4|ntdll.dll|_RtlUserThreadStart|||0x1a
3|0|ntdll.dll|NtRemoveIoCompletion|||0x15
3|1|KERNELBASE.dll||||0x76fc
3|2|xul.dll|base::MessagePumpForIO::GetIOItem(unsigned long,base::MessagePumpForIO::IOItem *)|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.cc:0507d387617c|536|0x21
3|3|xul.dll|base::MessagePumpForIO::WaitForIOCompletion(unsigned long,base::MessagePumpForIO::IOHandler *)|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.cc:0507d387617c|507|0xd
3|4|xul.dll|base::MessagePumpForIO::WaitForWork()|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.cc:0507d387617c|500|0x9
3|5|xul.dll|base::MessagePumpForIO::DoRunLoop()|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.cc:0507d387617c|485|0x6
3|6|xul.dll|base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.cc:0507d387617c|53|0x4
3|7|xul.dll|base::MessagePumpWin::Run(base::MessagePump::Delegate *)|hg:hg.mozilla.org/releases/mozilla-release:ipc/chromium/src/base/message_pump_win.h:0507d387617c|78|0xa
Crash Signature: [@ _chkstk ]
No longer depends on: 607368
Keywords: regression, topcrash
Summary: Font size increases per line or Thunderbird crashes → Font size change/increase Thunderbird crashes @ _chkstk
(In reply to Wayne Mery (:wsmwk) from comment #9)
> bart, this is really easy for you to reproduce?
> 
> 
> BuildTextRunsScanner::BuildTextRunForFrames is not in the reporter's stacks,
> so I'm not 100% sure this is the same as what bug 607368 currently describes.
> But I could be wrong : )  I suppose it depends on whether the likes of Firefox
> bp-0a4b4020-bb73-4698-b516-d9ef12121013 (whose stack matches this bug) is
> the same as bug 607368

Hi, yeah it's easy to reproduce.
You need to use CTRL-A though, just selecting all text with your mouse doesn't seem to cause this (afaik).
> Hi, yeah it's easy to reproduce.
> You need to use CTRL-A though, just selecting all text with your mouse
> doesn't seem to cause this (afaik).

Is someone else able to reproduce it?
Can I give more info that can be useful? If I can test something for you guys, just let me know.
crash has been around for a while, but in TB16 something kicked in causing this to go topcrash. And still is topcrash for TB17.

(In reply to bart from comment #12)
> Hi, yeah it's easy to reproduce.
> You need to use CTRL-A though, just selecting all text with your mouse
> doesn't seem to cause this (afaik).

Different/empty/presumably OOM stack but similar STR is bp-1717b670-a9f2-4fd5-95d4-067802121124

Bug 802997 related?
Depends on: 802997
Whiteboard: [regression:TB16]
Can someone please look into this bug?
I've been using TB for many years, but this bug is making TB SO annoying to use that I'm really considering switching to something else.
(In reply to bart from comment #15)
> Can someone please look into this bug?
> I've been using TB for many years, but this bug is making TB SO annoying to
> use that I'm really considering switching to something else.

bart, it's great that you reported this. I can't imagine the frustration level.  I can't reproduce this. So first stop, can you reproduce the crash when using TB18 beta from http://www.mozilla.org/en-US/thunderbird/channel/

I've posted more information in bug 802997, including the fact that this (various crash sigs for changing font size) appears to be a top 10 crash for TB17
(In reply to Wayne Mery (:wsmwk) from comment #16)
> bart, it's great that you reported this. I can't imagine the frustration
> level.  I can't reproduce this. So first stop, can you reproduce the crash
> when using TB18 beta from http://www.mozilla.org/en-US/thunderbird/channel/
> 
> I've posted more information in bug 802997, including the fact that this
> (various crash sigs for changing font size) appears to be a top 10 crash for
> TB17

Hi Wayne, thanks for getting back to me. I just installed TB18 and the first try was already bingo: same problem. All addons were disabled, but to be sure I just removed them all: same problem :/
(In reply to bart from comment #17)
> Hi Wayne, thanks for getting back to me. I just installed TB18 and the first
> try was already bingo: same problem. All addons were disabled, but to be
> sure I just removed them all: same problem :/

Hey Wayne, guess what...I found something.
Menu 'Tools' > 'Options' > 'Composition' > tab 'General', box 'HTML': there I have 'Helvetica, Arial' as font, text colour blue and background colour white. BUT...the font size was set to 'small'. When set to small, I experience this issue, but when set to medium, I don't! I set it back to small, and the problem was back, switched back to medium, gone again...

Just did some extra testing: the medium font size is the only one that works...bigger and smaller gives me this font size increasing problem...
Would it be possible that some files of TB have been modified wrongly by some addon, or would that have been corrected by the install of TB18 over TB17 that I just did?
I can confirm that if the default font size (in Preferences / Composition / General) is set to something *other* than 'medium', and you select all the text of an HTML message (using Select All - it's not sufficient to drag-select across it), then the Smaller / Larger commands will apply a size-change that seems to increase exponentially on successive lines.

This does *not* happen if the text has been given an explicit size (whether 'medium' or something else) using the Format menu, only if it's using the HTML editor's default.

(If you have more than about half a dozen lines of text, and use the Larger command, this will likely lead to a crash, presumably because of the vast font size it attempts to create.)
Incidentally, I was using OS X when I reproduced the exponential-size problem, confirming that it's not a platform-specific issue (although if you crash, the exact stack will likely be platform-dependent).
OS: Windows 7 → All
Hardware: x86_64 → All
reproducible?
Flags: needinfo?(jsabash)
I can reproduce the sizing problem, but not the crash.
Memory usage did not go way out of control for me even with very large fonts.
Rough regression range for the inc font function:
Works: Mozilla/5.0 (Windows NT 5.0; rv:10.0.10) Gecko/20121024 Thunderbird/10.0.10
Fails: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
20121113070621

I'm pretty sure that there is a Core/Editor bug for this and a comment that removal of the font up/down function might have to be removed.
No time to dig further at this time.
Flags: needinfo?(jsabash)
xref bug 767684
Neil, any connection with this bug to your fix there?
(In reply to Joe Sabash from comment #24)
> Neil, Any connection with this bug to your fix there.
No, that was a backout of a change that was stopping the font size from increasing enough ;-)

The problem here is in two parts.

There appears to be a recent regression whereby the editor duplicates the <font size> tag when typing a line break. So the HTML ends up looking like this:
<font size="+1">line 1<br><font size="+1">line 2<br><font size="+1">line 3</font></font></font>

This confuses the increase/decrease font code, which wasn't written to cope with nested font tags. Fortunately the fix for this seems to be an early return inside RelativeFontChangeHelper.
(Note: I recommend filing two new bugs on these issues, keeping this bug focused on the crash.)
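The two-part problem described in comment 25, as an added example that is not part of the original thread and is not Gecko's code: a simplified model in which a size-change walker steps all text under every sized `<font>` element, so text nested under k such elements is stepped k times unless the walker returns early after handling the outermost one. The names `relative_change`, `bump_text` and `sizes_after_larger`, and the 1.2 scale per step, are assumptions made for illustration.

```python
from html.parser import HTMLParser

# HTML quoted in comment 25: one <font size> opened per line, all closed at the end
NESTED = ('<font size="+1">line 1<br><font size="+1">line 2<br>'
          '<font size="+1">line 3</font></font></font>')
STEP = 1.2  # assumed scale factor for one "Larger" step (illustrative only)

class Node:
    def __init__(self, sized=False, text=None):
        self.sized, self.text, self.children, self.bumps = sized, text, [], 0

class TreeBuilder(HTMLParser):  # minimal tree of <font> elements and text nodes
    def __init__(self):
        super().__init__()
        self.root = Node()
        self.stack, self.texts = [self.root], []
    def handle_starttag(self, tag, attrs):
        if tag == "font":
            self.stack.append(Node(sized="size" in dict(attrs)))
            self.stack[-2].children.append(self.stack[-1])
    def handle_endtag(self, tag):
        if tag == "font" and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        self.texts.append(Node(text=data))
        self.stack[-1].children.append(self.texts[-1])

def bump_text(node):  # one size step for every text node below `node`
    for child in node.children:
        if child.text is None:
            bump_text(child)
        else:
            child.bumps += 1

def relative_change(node, early_return):  # hypothetical walker, not Gecko's
    for child in node.children:
        if child.sized:
            bump_text(child)
            if early_return:
                continue  # subtree handled; do not visit nested <font> again
        relative_change(child, early_return)

def sizes_after_larger(html, early_return):  # (text, steps, scale) per text node
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    relative_change(builder.root, early_return)
    return [(t.text, t.bumps, round(STEP ** t.bumps, 3)) for t in builder.texts]
```

Without the early return the three lines receive one, two and three steps, which is the per-line growth reported in this bug; with it, every line receives a single step.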
(In reply to comment #25)
> There appears to be a recent regression whereby the editor duplicates the
> <font size> tag when typing a line break. So the HTML ends up looking like
> this:
> <font size="+1">line 1<br><font size="+1">line 2<br><font size="+1">line
> 3</font></font></font>
Filed bug 824924.

> This confuses the increase/decrease font code, which wasn't written to cope
> with nested font tags. Fortunately the fix for this seems to be an early
> return inside RelativeFontChangeHelper.
Filed bug 824926.
Depends on: 824926
It's #19 top crasher in TB 17.0.2 so not a top crasher according to https://wiki.mozilla.org/CrashKill/Topcrash
Keywords: topcrash
Duplicate of this bug: 842193
Bart, is your crash gone when using version 17.0.5?  
(now that bug 824926 is fixed)

jfkthame, you too?
Flags: needinfo?(bart)
Keywords: topcrash
Whiteboard: [regression:TB16] → [regression:TB16][stack comment 9]
(In reply to Wayne Mery (:wsmwk) from comment #30)
> Bart, is your crash gone when using version 17.0.5?  
> (now that bug 824926 is fixed)
> 
> jfkthame, you too?

Hi Wayne: bug seems to be gone, thanks!
I tested a few times with font sizes small and large, and all seems to be fine now. I am using version 21.0 now it seems (beta channel).

Thanks again,
Bart
Flags: needinfo?(bart)
This signature doesn't exist in TB 17.0.5.
Keywords: topcrash
WFM per comment 31
Status: REOPENED → RESOLVED
Closed: 10 years ago → 8 years ago
Resolution: --- → WORKSFORME
Summary: Font size change/increase Thunderbird crashes @ _chkstk → Font size change/increase Thunderbird crashes @ _chkstk in chkstk.asm