We have a null dereference in the small testcase I'll attach in a sec. In the console I see: _win32_scaled_font_set_world_transform: The operation completed successfully. 0[b55708]: ###!!! ASSERTION: Failed to make scaled font: 'mScaledFont', file c:/mozilla/trees/trunk/mozilla/gfx/thebes/src/gfxWindowsFonts.cpp, line 156 ###!!! ASSERTION: Failed to make scaled font: 'mScaledFont', file c:/mozilla/trees/trunk/mozilla/gfx/thebes/src/gfxWindowsFonts.cpp, line 156 before crashing with the following stack. > thebes.dll!_moz_cairo_win32_scaled_font_select_font(_cairo_scaled_font * scaled_font=0x00000000, HDC__ * hdc=0xac0138a4) Line 1618 + 0x3 bytes C thebes.dll!gfxWindowsTextRun::MeasureOrDrawFast(gfxContext * aContext=0x04d2d400, int aDraw=1, gfxPoint pt={...}) Line 702 + 0xd bytes C++ thebes.dll!gfxWindowsTextRun::Draw(gfxContext * aContext=0x04d2d400, gfxPoint pt={...}) Line 502 + 0x1c bytes C++ thebes.dll!gfxContext::DrawTextRun(gfxTextRun * text=0x04284b68, gfxPoint pt={...}) Line 628 C++ gkgfxthebes.dll!nsThebesFontMetrics::DrawString(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000, nsThebesRenderingContext * aContext=0x0344a5f0) Line 441 C++ gkgfxthebes.dll!nsThebesRenderingContext::DrawStringInternal(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000) Line 1271 C++ gkgfxthebes.dll!nsRenderingContextImpl::DrawString(const unsigned short * aString=0x0012e888, unsigned int aLength=53, int aX=0, int aY=150, int aFontID=-1, const int * aSpacing=0x00000000) Line 893 + 0x29 bytes C++ gklayout.dll!nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x04445508, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x04d4e1f0, nsTextPaintStyle & aTextStyle={...}, int dx=0, int dy=0) Line 2915 C++ gklayout.dll!nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2015 C++ gklayout.dll!nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012ec80, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 1948 C++ gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012ec80, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 302 + 0x19 bytes C++ gklayout.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x0344a5f4, nsIFrame * aFrame=0x04d4dfac, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=0) Line 721 C++ gklayout.dll!nsSVGForeignObjectFrame::PaintSVG(nsSVGRenderState * aContext=0x0012eec0, nsRect * aDirtyRect=0x0012eeb0) Line 240 + 0x2c bytes C++ gklayout.dll!nsSVGUtils::PaintChildWithEffects(nsSVGRenderState * aContext=0x0012eec0, nsRect * aDirtyRect=0x0012eeb0, nsIFrame * aFrame=0x04d4de2c) Line 701 C++ gklayout.dll!nsSVGOuterSVGFrame::Paint(nsIRenderingContext & aRenderingContext={...}, const nsRect & aDirtyRect={...}, nsPoint aPt={...}) Line 500 + 0x11 bytes C++ gklayout.dll!nsDisplaySVG::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 408 C++ gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 302 + 0x19 bytes C++ gklayout.dll!nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 711 C++ gklayout.dll!nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 943 C++ gklayout.dll!nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012efa8, nsIRenderingContext * aCtx=0x0344a5f4, const nsRect & aDirtyRect={...}) Line 302 + 0x19 bytes C++ gklayout.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x0344a5f4, nsIFrame * aFrame=0x04cbe45c, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 721 C++ gklayout.dll!PresShell::Paint(nsIView * aView=0x04d349a8, nsIRenderingContext * aRenderingContext=0x0344a5f4, const nsRegion & aDirtyRegion={...}) Line 5668 + 0x15 bytes C++ gklayout.dll!nsViewManager::RenderViews(nsView * aView=0x04c65b00, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++ gklayout.dll!nsViewManager::Refresh(nsView * aView=0x04c65b00, nsIRenderingContext * aContext=0x0344a5f4, nsIRegion * aRegion=0x0344a690, unsigned int aUpdateFlags=1) Line 580 C++ gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f464, nsEventStatus * aStatus=0x0012f310) Line 1448 C++ gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f464) Line 174 C++ gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f464, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1113 + 0xc bytes C++ gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f464, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1139 C++ gkwidget.dll!nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5952 + 0x1e bytes C++ gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012f950) Line 4439 + 0x15 bytes C++ gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x002a0dac, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1302 + 0x1d bytes C++ user32.dll!77d48734() [Frames below may be incorrect and/or missing, no symbols loaded for user32.dll] user32.dll!77d48816() MSCTF.dll!74730e71() user32.dll!77d4b4c0() user32.dll!77d4ebf3() user32.dll!77d4b50c() ntdll.dll!7c90eae3() user32.dll!77d494d2() user32.dll!77d4b530() user32.dll!77d49402() user32.dll!77d48a10() gkwidget.dll!nsAppShell::ProcessNextNativeEvent(int mayWait=1) Line 149 C++ gkwidget.dll!nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=1) Line 136 + 0x11 bytes C++ gkwidget.dll!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b5c7e0, int mayWait=1, unsigned int recursionDepth=0) Line 231 + 0xf bytes C++ xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fbc4) Line 472 C++ xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b5c7e0, int mayWait=1) Line 225 + 0x16 bytes C++ gkwidget.dll!nsBaseAppShell::Run() Line 153 + 0xc bytes C++ tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++ xul.dll!XRE_main(int argc=4, char * * argv=0x00b590a0, const nsXREAppData * aAppData=0x004036b0) Line 2513 + 0x25 bytes C++ firefox.exe!main(int argc=4, char * * argv=0x00b590a0) Line 61 + 0x13

Oh. The reason we're crashing is because I set the Y-axis scale to zero instead of one by mistake. Nevertheless, we shouldn't crash. Putting a conditional break point in gfxWindowsFont::UpdateCTM with the condition |aMatrix.mat.xx==2.0| catches when the invalid matrix is set on the gfxWindowsFont.

Looks like the same crash as in bug 358732.

Comment on attachment 249241 [details] [diff] [review] patch thanks

Comment on attachment 249241 [details] [diff] [review] patch OK, but wouldn't it make more sense for drawing operations to not crash on a singular matrix?

Patch checked in. Will investigate fixing cairo upstream not to crash.

VERIFIED FIXED Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a2pre) Gecko/20070102 Minefield/3.0a2pre ID:2007010206 [cairo]