Bug#406698: iceape-browser hangs when opening a specific webpage

Mike Hommey mh at glandium.org
Sat Jan 13 10:00:48 CET 2007


tag 406698 confirmed
clone 406698 -1
clone 406698 -2
reassign -1 libxul0d
reassign -1 iceweasel
thanks

On Sat, Jan 13, 2007 at 02:32:40AM +0100, Eric Van Buggenhaut <ericvb at debian.org> wrote:
> Package: iceape-browser
> Version: 1.0.7-2
> Severity: normal
> 
> When I try to open:
> 
> http://www.archivodefamosas.com
> 
> iceape-browser hangs and I have to kill -9 it

I can confirm this behaviour with epiphany (using libxul0d) and
iceweasel, too, though I had to scroll before it hung.

They seem to freeze in the "crash recovery", and the backtrace traces
back to the same array of code, though not exactly the same.

libxul0d traces back to a "delete[] utf8_spacing;" in
nsFontMetricsPango::DrawStringSlowly while iceweasel and iceape trace
back to the preceding "gdk_draw_layout_line(aDrawable, aGC, aX, aY, aLine);"
line.

Running all these through gdb reveals various glibc warnings. I even got
a segmentation fault with iceape...

Anyways, I ran this through valgrind, and after a while, I got this
interesting information that may be the cause of the problem:

==8089== Invalid write of size 4
==8089==    at 0x77E4598: nsFontMetricsPango::DrawStringSlowly(char const*, unsigned short const*, unsigned, _GdkDrawable*, _GdkGC*, int, int, _PangoLayoutLine*, int const*) (nsFontMetricsPango.cpp:1338)
==8089==    by 0x77E76A5: nsFontMetricsPango::DrawString(unsigned short const*, unsigned, int, int, int, int const*, nsRenderingContextGTK*, nsDrawingSurfaceGTK*) (nsFontMetricsPango.cpp:788)
==8089==    by 0x77D9CF9: nsRenderingContextGTK::DrawString(unsigned short const*, unsigned, int, int, int, int const*) (nsRenderingContextGTK.cpp:1324)
==8089==    by 0x5F2ACCD: nsTextFrame::RenderString(nsIRenderingContext&, nsStyleContext*, nsPresContext*, nsTextFrame::TextPaintStyle&, unsigned short*, int, int, int, int, int, SelectionDetails*) (nsTextFrame.cpp:3083)
==8089==    by 0x5F2D4B4: nsTextFrame::PaintTextSlowly(nsPresContext*, nsIRenderingContext&, nsStyleContext*, nsTextFrame::TextPaintStyle&, int, int) (nsTextFrame.cpp:3364)
==8089==    by 0x5F2F6A2: nsTextFrame::Paint(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsTextFrame.cpp:1604)
==8089==    by 0x5EDF368: nsContainerFrame::PaintChild(nsPresContext*, nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) (nsContainerFrame.cpp:282)
==8089==    by 0x5ECC5C6: nsBlockFrame::PaintChild(nsPresContext*, nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) (nsBlockFrame.h:286)
==8089==    by 0x5ED1137: nsBlockFrame::PaintChildren(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsBlockFrame.cpp:6470)
==8089==    by 0x5EF727D: nsHTMLContainerFrame::PaintDecorationsAndChildren(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) (nsHTMLContainerFrame.cpp:136)
==8089==    by 0x5ED0CD6: nsBlockFrame::Paint(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsBlockFrame.cpp:6364)
==8089==    by 0x5EDF368: nsContainerFrame::PaintChild(nsPresContext*, nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) (nsContainerFrame.cpp:282)
==8089==  Address 0x967EFEC is 0 bytes after a block of size 44 alloc'd
==8089==    at 0x401D7C1: operator new[](unsigned) (vg_replace_malloc.c:195)
==8089==    by 0x77E4545: nsFontMetricsPango::DrawStringSlowly(char const*, unsigned short const*, unsigned, _GdkDrawable*, _GdkGC*, int, int, _PangoLayoutLine*, int const*) (nsFontMetricsPango.cpp:1329)
==8089==    by 0x77E76A5: nsFontMetricsPango::DrawString(unsigned short const*, unsigned, int, int, int, int const*, nsRenderingContextGTK*, nsDrawingSurfaceGTK*) (nsFontMetricsPango.cpp:788)
==8089==    by 0x77D9CF9: nsRenderingContextGTK::DrawString(unsigned short const*, unsigned, int, int, int, int const*) (nsRenderingContextGTK.cpp:1324)
==8089==    by 0x5F2ACCD: nsTextFrame::RenderString(nsIRenderingContext&, nsStyleContext*, nsPresContext*, nsTextFrame::TextPaintStyle&, unsigned short*, int, int, int, int, int, SelectionDetails*) (nsTextFrame.cpp:3083)
==8089==    by 0x5F2D4B4: nsTextFrame::PaintTextSlowly(nsPresContext*, nsIRenderingContext&, nsStyleContext*, nsTextFrame::TextPaintStyle&, int, int) (nsTextFrame.cpp:3364)
==8089==    by 0x5F2F6A2: nsTextFrame::Paint(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsTextFrame.cpp:1604)
==8089==    by 0x5EDF368: nsContainerFrame::PaintChild(nsPresContext*, nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) (nsContainerFrame.cpp:282)
==8089==    by 0x5ECC5C6: nsBlockFrame::PaintChild(nsPresContext*, nsIRenderingContext&, nsRect const&, nsIFrame*, nsFramePaintLayer, unsigned) (nsBlockFrame.h:286)
==8089==    by 0x5ED1137: nsBlockFrame::PaintChildren(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsBlockFrame.cpp:6470)
==8089==    by 0x5EF727D: nsHTMLContainerFrame::PaintDecorationsAndChildren(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, int, unsigned) (nsHTMLContainerFrame.cpp:136)
==8089==    by 0x5ED0CD6: nsBlockFrame::Paint(nsPresContext*, nsIRenderingContext&, nsRect const&, nsFramePaintLayer, unsigned) (nsBlockFrame.cpp:6364)

I got this with iceape and epiphany. Haven't tried with iceweasel, but
that may be the same.

This also means this is a pango backend related problem, and indeed,
running with MOZ_DISABLE_PANGO=1 doesn't freeze.

Mike
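The valgrind report above already contains the triage answer: a 4-byte write landing 0 bytes after a 44-byte block allocated by `operator new[]` is an off-by-one store past the end of an 11-element int array (44 / 4 = 11, index 11 is one past the last valid index 10). The following C program is an added example, not code from this bug report, from Debian, or from the Mozilla tree: it parses the two memcheck lines that carry that information, derives the element count and faulting index, and shows the bounds-checked store pattern that turns such an overrun into a dropped write. The sample text is a truncated copy of the report above; the function names (`vg_parse`, `vg_faulting_index`, `checked_store`) and the assumption that the block is an array of `access_size`-byte elements are mine.

```c
#include <stdio.h>
#include <string.h>

/* One memcheck "Invalid read/write" report reduced to the fields needed for triage. */
typedef struct {
    int found;             /* 1 if both interesting lines were parsed */
    int is_write;          /* 1 for "Invalid write", 0 for "Invalid read" */
    size_t access_size;    /* bytes touched by the faulting access (4 here: one int) */
    size_t offset_after;   /* distance past the end of the block, in bytes */
    size_t block_size;     /* size of the heap block memcheck found next to the address */
} vg_report;

/* Parse the two lines that matter from a NUL-terminated, multi-line memcheck report:
 *   ==PID== Invalid write of size N
 *   ==PID==  Address 0x... is M bytes after a block of size S alloc'd
 * Backtrace lines ("at"/"by") are skipped. Only "after a block" is handled, i.e. a
 * heap overrun; underruns and use-after-free reports leave found == 0. */
vg_report vg_parse(const char *text)
{
    vg_report r = {0, 0, 0, 0, 0};
    int have_access = 0, have_block = 0;
    const char *line = text;

    while (*line) {
        char kind[8] = "";
        size_t n = 0, off = 0, blk = 0;
        char buf[256];
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate long backtrace lines */
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (sscanf(buf, "==%*d== Invalid %7s of size %zu", kind, &n) == 2) {
            r.is_write = (strcmp(kind, "write") == 0);
            r.access_size = n;
            have_access = 1;
        } else if (sscanf(buf, "==%*d== Address 0x%*lx is %zu bytes after a block of size %zu alloc'd",
                          &off, &blk) == 2) {
            r.offset_after = off;
            r.block_size = blk;
            have_block = 1;
        }
        if (!end) break;
        line = end + 1;
    }
    r.found = have_access && have_block;
    return r;
}

/* Assumption: the block is an array of access_size-byte elements (true for "new int[n]").
 * Derive how many elements were allocated and which index the faulting access touched. */
size_t vg_elements_allocated(vg_report r) { return r.access_size ? r.block_size / r.access_size : 0; }
size_t vg_faulting_index(vg_report r)     { return r.access_size ? (r.block_size + r.offset_after) / r.access_size : 0; }

/* A write exactly at the end of the block is the classic off-by-one overrun. */
int vg_is_off_by_one_write(vg_report r) { return r.found && r.is_write && r.offset_after == 0; }

/* Constructed sample: a truncated copy of the memcheck report from the bug report. */
static const char SAMPLE_REPORT[] =
    "==8089== Invalid write of size 4\n"
    "==8089==    at 0x77E4598: nsFontMetricsPango::DrawStringSlowly(...) (nsFontMetricsPango.cpp:1338)\n"
    "==8089==    by 0x77E76A5: nsFontMetricsPango::DrawString(...) (nsFontMetricsPango.cpp:788)\n"
    "==8089==  Address 0x967EFEC is 0 bytes after a block of size 44 alloc'd\n"
    "==8089==    at 0x401D7C1: operator new[](unsigned) (vg_replace_malloc.c:195)\n"
    "==8089==    by 0x77E4545: nsFontMetricsPango::DrawStringSlowly(...) (nsFontMetricsPango.cpp:1329)\n";

vg_report vg_parse_sample(void) { return vg_parse(SAMPLE_REPORT); }

/* Mitigation pattern: bound every store by the allocation length instead of trusting
 * that the producer of the index counted elements the same way the allocator did.
 * Returns 1 on success, 0 if idx is out of range (the write is dropped, not performed). */
int checked_store(int *buf, size_t n_elems, size_t idx, int value)
{
    if (idx >= n_elems) return 0;
    buf[idx] = value;
    return 1;
}

int main(void)
{
    vg_report r = vg_parse_sample();
    int spacing[11] = {0};   /* same shape as the 44-byte block in the report */

    printf("found=%d write=%d access=%zu block=%zu -> %zu elements, faulting index %zu, off-by-one=%d\n",
           r.found, r.is_write, r.access_size, r.block_size,
           vg_elements_allocated(r), vg_faulting_index(r), vg_is_off_by_one_write(r));
    printf("checked_store at index 10: %d, at index 11: %d\n",
           checked_store(spacing, 11, 10, 1), checked_store(spacing, 11, 11, 1));
    return 0;
}
```

Run under valgrind itself the program stays clean, because the only out-of-range index it ever sees is refused by `checked_store`; on the real report it prints 11 elements allocated and faulting index 11, which is the one-past-the-end write the backtrace attributes to `DrawStringSlowly`.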
