874053 - crash in gfxFontEntry::TestCharacterMap

Status: VERIFIED FIXED

(Core :: Graphics, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-fb47e612-9353-46a2-9695-442532130520 .
============================================================= 

Seen while looking at trunk crash stats - https://crash-stats.mozilla.com/report/list?signature=gfxFontEntry::TestCharacterMap%28unsigned%20int%29. Some dupes, but some unique users have hit it.

Two comments mention Google searches. 

Frame 	Module 	Signature 	Source
0 	XUL 	gfxFontEntry::TestCharacterMap 	obj-firefox/x86_64/dist/include/nsTArray.h:363
1 	XUL 	gfxFontGroup::FindFontForChar 	gfx/thebes/gfxFont.h:306
2 	XUL 	void gfxFontGroup::ComputeRanges<unsigned char> 	gfx/thebes/gfxFont.cpp:4769
3 	XUL 	nsRuleNode::WalkRuleTree 	layout/style/nsRuleNode.cpp:2105
4 	XUL 	void gfxFontGroup::InitScriptRun<unsigned char> 	gfx/thebes/gfxFont.cpp:4457
5 	XUL 	void gfxFontGroup::InitTextRun<unsigned char> 	gfx/thebes/gfxFont.cpp:4369
6 	XUL 	nsRuleNode::WalkRuleTree 	layout/style/nsRuleNode.cpp:2105
7 	XUL 	AtomImpl::ToUTF8String 	nsTSubstring.h:85
8 	XUL 	gfxPlatform::GetFontPrefLangFor 	obj-firefox/x86_64/dist/include/nsTSubstring.h:85
9 	XUL 	gfxAlternateValue* nsTArray_Impl<gfxAlternateValue, nsTArrayInfallibleAllocator> 	obj-firefox/x86_64/dist/include/nsTArray.h:1044
10 	XUL 	gfxFontStyle::gfxFontStyle 	obj-firefox/x86_64/dist/include/nsTArray.h:1044
11 	XUL 	gfxPlatformMac::CreateFontGroup 	gfx/thebes/gfxPlatformMac.cpp:173
12 	XUL 	nsFontMetrics::Init 	obj-firefox/x86_64/dist/include/nsAutoPtr.h:880
13 	libmozglue.dylib 	arena_malloc 	jemalloc.c:1722
14 	libmozglue.dylib 	je_malloc 	jemalloc.c:4247
15 	libsystem_c.dylib 	libsystem_c.dylib@0x2d1b3 	
16 	XUL 	gfxTextRun::Create 	gfx/thebes/gfxSkipChars.h:106
17 	XUL 	gfxFontGroup::MakeTextRun 	gfx/thebes/gfxFont.cpp:4291
18 	XUL 	BuildTextRunsScanner::BuildTextRunForFrames 	layout/generic/nsTextFrameThebes.cpp:559

Comment 1

[Marcia Knous [:marcia]]

Some URLs:

8 	https://www.facebook.com/
4 	http://www.dead.net/
3 	http://www.reddit.com/tb/1ebmpd
3 	https://www.shopwasteland.com/womens-new-shoes/Matiko/Ace-Boot/ACE/
2 	http://www.macupdate.com/
1 	http://www.winstonflowers.com/?utm_source=reddit&utm_medium=web&utm_campaign=rev
1 	http://www.k-magazin.de/
1 	http://facebook.com/
1 	http://www.mozilla.org/about/
1 	http://budget.com/
1 	about:blank

Comment 2

[Jonathan Kew [:jfkthame]]

This is a regression from bug 847344. If there's a font installed on the system that has no usable 'cmap' table (meaning we're not going to be able to actually use it for anything, but it still shows up in the font list), the MacOSFontEntry::ReadCMAP() will incorrectly leave the mCharacterMap pointer null, rather than pointing to a valid (but empty) charmap.

I'll post a patch tomorrow.

Comment 3

[Jonathan Kew [:jfkthame]]

Attachment: ReadCMAP() must not leave the font entry's mCharacterMap pointer NULL, even if cmap table can't be read.

Comment 4

[Jonathan Kew [:jfkthame]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/f7beb3f7dceb

Marcia, if you could confirm that the crashes stop happening once this goes out in Nightly, that'd be great. I don't have a reproducible testcase (I believe it's dependent on the user having some kind of weird font installed, such as maybe an old bitmap-only font?), but AFAICS this should prevent the issue.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/f7beb3f7dceb

Comment 6

[Marcia Knous [:marcia]]

Looks good on the crash stats side as the last crashes visible in the last week for both signatures happened with 20130521114340.

Comment 7

[Paul Silaghi, QA [:pauly]]

No crashes in the crashstats for the last 4 weeks.