MantisBT - NetSurf
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0002445NetSurfWin32-specificpublic2016-03-17 15:192016-04-12 11:45
ReporterVincent Sanders 
Assigned ToVincent Sanders 
PrioritynormalSeveritycrashReproducibilityalways
StatusclosedResolutionfixed 
Platformx86 64bitOSwindowsOS Version10
Product Version3.4 
Target VersionFixed in Version3.5 
Fixed in CI build #3452
Reported in CI build #3444
URL of problem page
Summary0002445: first page navigated to causes crash on windows 10
Descriptionnavigating to any web page causes netsurf to crash
TagsNo tags attached.
Relationships
Attached Files? rlog (57,885) 2016-03-17 15:19
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=423&type=bug
zip nslog.zip (137,035) 2016-03-22 17:47
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=425&type=bug

Notes
(0001357)
Vincent Sanders   
2016-03-21 21:12   
since tlsa fix to windows/font.c nsfont_split() this now happens on all Os not just 10.
(0001358)
Vincent Sanders   
2016-03-21 21:16   
from debug throwback in visual studio

        EAX BB010C1F
        ECX BB010C1F
        EDX BEEA1DE7
        ESI 03E911C8


005615A0 push ebp
005615A1 push edi
005615A2 push esi
005615A3 push ebx
005615A4 sub esp,2Ch
005615A7 mov eax,dword ptr [esp+54h]
005615AB mov edi,dword ptr [esp+48h]
005615AF mov ebx,dword ptr [esp+50h]
005615B3 mov ebp,dword ptr [esp+40h]
005615B7 mov esi,dword ptr [esp+44h]
005615BB mov dword ptr [esp+1Ch],eax
005615BF mov dword ptr [esp+14h],eax
005615C3 mov eax,dword ptr [esp+4Ch]
005615C7 mov dword ptr [esp+10h],ebx
005615CB mov dword ptr [esp+8],edi
005615CF mov dword ptr [esp+4],esi
005615D3 mov dword ptr [esp+0Ch],eax
005615D7 mov dword ptr [esp],ebp
005615DA call 005614D0
005615DF mov ecx,dword ptr [ebx]
005615E1 cmp edi,ecx
005615E3 je 00561653
005615E5 lea edx,[esi+ecx]
005615E8 mov eax,ecx

-> 005615EA cmp byte ptr [edx],20h

005615ED je 00561604
005615EF test ecx,ecx
005615F1 jne 005615F9
005615F3 jmp 00561630
005615F5 test eax,eax
005615F7 je 00561630
005615F9 sub eax,1
005615FC mov dword ptr [ebx],eax
005615FE cmp byte ptr [esi+eax],20h
00561602 jne 005615F5
00561604 test eax,eax
00561606 je 00561630
00561608 mov ecx,dword ptr [ebx]
0056160A mov eax,dword ptr [esp+1Ch]
0056160E mov dword ptr [esp+44h],esi
00561612 mov dword ptr [esp+40h],ebp
00561616 mov dword ptr [esp+48h],ecx
0056161A mov dword ptr [esp+4Ch],eax
(0001359)
Vincent Sanders   
2016-03-21 21:17   
(Last edited: 2016-03-21 21:33)
from objdump of exe this seems to be

00561640 <_nsfont_split>:
 */

static bool nsfont_split(const plot_font_style_t *style,
        const char *string, size_t length,
        int x, size_t *char_offset, int *actual_x)
{
  561640: 55 push %ebp
  561641: 57 push %edi
  561642: 56 push %esi
  561643: 53 push %ebx
  561644: 83 ec 2c sub $0x2c,%esp
  561647: 8b 44 24 54 mov 0x54(%esp),%eax
  56164b: 8b 7c 24 48 mov 0x48(%esp),%edi
  56164f: 8b 5c 24 50 mov 0x50(%esp),%ebx
  561653: 8b 6c 24 40 mov 0x40(%esp),%ebp
  561657: 8b 74 24 44 mov 0x44(%esp),%esi
  56165b: 89 44 24 1c mov %eax,0x1c(%esp)
    int c_off;
    nsfont_position_in_string(style, string, length, x, char_offset,
  56165f: 89 44 24 14 mov %eax,0x14(%esp)
  561663: 8b 44 24 4c mov 0x4c(%esp),%eax
  561667: 89 5c 24 10 mov %ebx,0x10(%esp)
  56166b: 89 7c 24 08 mov %edi,0x8(%esp)
  56166f: 89 74 24 04 mov %esi,0x4(%esp)
  561673: 89 44 24 0c mov %eax,0xc(%esp)
  561677: 89 2c 24 mov %ebp,(%esp)
  56167a: e8 f1 fe ff ff call 561570 <_nsfont_position_in_string>
            actual_x);
    c_off = *char_offset;
  56167f: 8b 0b mov (%ebx),%ecx
    if (*char_offset == length) {
  561681: 39 cf cmp %ecx,%edi
  561683: 74 6e je 5616f3 <_nsfont_split+0xb3>
        return true;
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
  561685: 8d 14 0e lea (%esi,%ecx,1),%edx
  561688: 89 c8 mov %ecx,%eax

-> 56168a: 80 3a 20 cmpb $0x20,(%edx)

  56168d: 74 15 je 5616a4 <_nsfont_split+0x64>
  56168f: 85 c9 test %ecx,%ecx
  561691: 75 06 jne 561699 <_nsfont_split+0x59>
  561693: eb 3b jmp 5616d0 <_nsfont_split+0x90>
  561695: 85 c0 test %eax,%eax
  561697: 74 37 je 5616d0 <_nsfont_split+0x90>
        (*char_offset)--;
  561699: 83 e8 01 sub $0x1,%eax
  56169c: 89 03 mov %eax,(%ebx)
            actual_x);
    c_off = *char_offset;
    if (*char_offset == length) {
        return true;
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
  56169e: 80 3c 06 20 cmpb $0x20,(%esi,%eax,1)
  5616a2: 75 f1 jne 561695 <_nsfont_split+0x55>
        (*char_offset)--;
    if (*char_offset == 0) {
  5616a4: 85 c0 test %eax,%eax
  5616a6: 74 28 je 5616d0 <_nsfont_split+0x90>
  5616a8: 8b 0b mov (%ebx),%ecx
        while (*char_offset < length && string[*char_offset] != ' ') {
            (*char_offset)++;
        }
    }

    return nsfont_width(style, string, *char_offset, actual_x);
  5616aa: 8b 44 24 1c mov 0x1c(%esp),%eax
  5616ae: 89 74 24 44 mov %esi,0x44(%esp)
  5616b2: 89 6c 24 40 mov %ebp,0x40(%esp)
  5616b6: 89 4c 24 48 mov %ecx,0x48(%esp)
  5616ba: 89 44 24 4c mov %eax,0x4c(%esp)
}
  5616be: 83 c4 2c add $0x2c,%esp
  5616c1: 5b pop %ebx
  5616c2: 5e pop %esi
  5616c3: 5f pop %edi
  5616c4: 5d pop %ebp
        while (*char_offset < length && string[*char_offset] != ' ') {
            (*char_offset)++;
        }
    }

    return nsfont_width(style, string, *char_offset, actual_x);
  5616c5: e9 86 fd ff ff jmp 561450 <_nsfont_width>
  5616ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
        (*char_offset)--;
    if (*char_offset == 0) {
        *char_offset = c_off;
        while (*char_offset < length && string[*char_offset] != ' ') {
  5616d0: 39 cf cmp %ecx,%edi
        return true;
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
        (*char_offset)--;
    if (*char_offset == 0) {
        *char_offset = c_off;
  5616d2: 89 0b mov %ecx,(%ebx)
        while (*char_offset < length && string[*char_offset] != ' ') {
  5616d4: 76 d4 jbe 5616aa <_nsfont_split+0x6a>
  5616d6: 80 3a 20 cmpb $0x20,(%edx)
  5616d9: 74 cf je 5616aa <_nsfont_split+0x6a>
  5616db: 83 c1 01 add $0x1,%ecx
  5616de: eb 0b jmp 5616eb <_nsfont_split+0xab>
  5616e0: 80 3c 0e 20 cmpb $0x20,(%esi,%ecx,1)
  5616e4: 8d 41 01 lea 0x1(%ecx),%eax
  5616e7: 74 c1 je 5616aa <_nsfont_split+0x6a>
  5616e9: 89 c1 mov %eax,%ecx
  5616eb: 39 f9 cmp %edi,%ecx
            (*char_offset)++;
  5616ed: 89 0b mov %ecx,(%ebx)
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
        (*char_offset)--;
    if (*char_offset == 0) {
        *char_offset = c_off;
        while (*char_offset < length && string[*char_offset] != ' ') {
  5616ef: 75 ef jne 5616e0 <_nsfont_split+0xa0>
  5616f1: eb b7 jmp 5616aa <_nsfont_split+0x6a>
            (*char_offset)++;
        }
    }

    return nsfont_width(style, string, *char_offset, actual_x);
}
  5616f3: 83 c4 2c add $0x2c,%esp
  5616f6: b8 01 00 00 00 mov $0x1,%eax
  5616fb: 5b pop %ebx
  5616fc: 5e pop %esi
  5616fd: 5f pop %edi
  5616fe: 5d pop %ebp
  5616ff: c3 ret
(0001360)
Vincent Sanders   
2016-03-21 21:43   
original source:

static bool nsfont_split(const plot_font_style_t *style,
        const char *string, size_t length,
        int x, size_t *char_offset, int *actual_x)
{
    int c_off;
    nsfont_position_in_string(style, string, length, x, char_offset,
            actual_x);
    c_off = *char_offset;
    if (*char_offset == length) {
        return true;
    }
    while ((string[*char_offset] != ' ') && (*char_offset > 0))
        (*char_offset)--;
    if (*char_offset == 0) {
        *char_offset = c_off;
        while (*char_offset < length && string[*char_offset] != ' ') {
            (*char_offset)++;
        }
    }

    return nsfont_width(style, string, *char_offset, actual_x);
}
(0001361)
Vincent Sanders   
2016-03-22 17:49   
added log with windows nsfont_split() instrumented showing negative x positions from layout which were previously causing issues.
(0001362)
Vincent Sanders   
2016-03-22 21:49   
the font splitting, width etc. routines have been re-written to cope with -ve positions etc.

Tested on windows 10 and it no longer crashes therefore this bug is fixed.
(0001365)
Vincent Sanders   
2016-04-12 11:45   
confirmed resolved in 3.5

Issue History
Date ModifiedUsernameFieldChange
2016-03-17 15:19Vincent SandersNew Issue
2016-03-17 15:19Vincent SandersStatusnew => assigned
2016-03-17 15:19Vincent SandersAssigned To => Vincent Sanders
2016-03-17 15:19Vincent SandersFile Added: rlog
2016-03-21 21:12Vincent SandersNote Added: 0001357
2016-03-21 21:12Vincent SandersStatusassigned => confirmed
2016-03-21 21:16Vincent SandersNote Added: 0001358
2016-03-21 21:17Vincent SandersNote Added: 0001359
2016-03-21 21:19Vincent SandersNote Edited: 0001359bug_revision_view_page.php?bugnote_id=1359#r1849
2016-03-21 21:33Vincent SandersNote Edited: 0001359bug_revision_view_page.php?bugnote_id=1359#r1850
2016-03-21 21:43Vincent SandersNote Added: 0001360
2016-03-22 17:47Vincent SandersFile Added: nslog.zip
2016-03-22 17:49Vincent SandersNote Added: 0001361
2016-03-22 21:49Vincent SandersFixed in CI build # => 3452
2016-03-22 21:49Vincent SandersNote Added: 0001362
2016-03-22 21:49Vincent SandersStatusconfirmed => resolved
2016-03-22 21:49Vincent SandersResolutionopen => fixed
2016-03-22 21:49Vincent SandersFixed in Version => 3.5
2016-04-12 11:45Vincent SandersNote Added: 0001365
2016-04-12 11:45Vincent SandersStatusresolved => closed