Opened 7 years ago

Last modified 5 years ago

#13070 assigned bug

app_server: double free assert triggered by BRegion

Reported by: humdinger
Owned by: nobody
Priority: normal
Milestone: Unscheduled
Component: Servers/app_server
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking: #14960, #15111
Platform: All

Description

This is hrev50675.

Had this spontaneous crash, don't know what triggered it. Web+ was running, so...
Please improve the ticket's summary if possible. Full report attached, here just what I imagine might be helpful when people search thru Trac.

thread 760: event loop 
state: Call (_numAvailable <= _numBlocks)

Frame		IP			Function Name
-----------------------------------------------
00000000	0x6144c112	commpage_syscall + 0x2 
	Disassembly:
		commpage_syscall:
		0x6144c110:             89e1  mov %esp, %ecx
		0x6144c112:             0f34  sysenter  <--

	Frame memory:
		
0x70e27858	0x6f5ad5	debugger + 0x39 
0x70e27888	0x7056c8	__assert_fail + 0x4c 
0x70e278b8	0x77d68f	BPrivate::superblock::isValid() + 0x5b 
0x70e27918	0x77b988	BPrivate::threadHeap::malloc(uint32) + 0x194 
0x70e27948	0x77c4d1	malloc + 0x175 
0x70e27980	0x6f3a18	operator new(void) + 0x24 
0x70e279b0	0x6f3d6f	operator new [](void) + 0x1f 
0x70e279f0	0x203576d	InputServerStream::_MessageFromPort(BMessage*, int64) + 0x55 
0x70e27a30	0x203552b	InputServerStream::GetNextEvent(BMessage*) + 0x3b 
0x70e27ab0	0x203483c	EventDispatcher::_EventLoop() + 0x748 
0x70e27ae0	0x2034b1e	EventDispatcher::_event_looper(void*) + 0x1a 
0x70e27b08	0x6fd381	thread_entry + 0x21 
00000000	0x6144c250	commpage_thread_exit + 0 
thread 761: cursor loop 
state: Call (_numAvailable <= _numBlocks)

Frame		IP			Function Name
-----------------------------------------------
00000000	0x6144c112	commpage_syscall + 0x2 
	Disassembly:
		commpage_syscall:
		0x6144c110:             89e1  mov %esp, %ecx
		0x6144c112:             0f34  sysenter  <--

	Frame memory:
		
0x70d78108	0x6f5ad5	debugger + 0x39 
0x70d78138	0x7056c8	__assert_fail + 0x4c 
0x70d78168	0x77d68f	BPrivate::superblock::isValid() + 0x5b 
0x70d781c8	0x77b988	BPrivate::threadHeap::malloc(uint32) + 0x194 
0x70d781f8	0x77c4d1	malloc + 0x175 
0x70d78230	0x1bc70a5	BRegion::_SetSize(int32) + 0xcd 
0x70d78260	0x1bc5f8e	__7BRegion + 0x56 
0x70d782e0	0x1bc6cc2	BRegion::Exclude(clipping_rect) + 0x52 
0x70d783b0	0x20b9550	HWInterface::CopyBackToFront(BRect&) + 0x268 
0x70d783e0	0x20b92da	HWInterface::Invalidate(BRect&) + 0x56 
0x70d78460	0x20b8f52	HWInterface::MoveCursorTo(float, float) + 0x1f2 
0x70d78490	0x208f085	AccelerantHWInterface::MoveCursorTo(float, float) + 0x21 
0x70d784f0	0x20349c6	EventDispatcher::_CursorLoop() + 0xde 
0x70d78520	0x2034b46	EventDispatcher::_cursor_looper(void*) + 0x1a 
0x70d78548	0x6fd381	thread_entry + 0x21 
00000000	0x6144c250	commpage_thread_exit + 0 
		0x70201560	0x20af8f8	DrawingEngine::FrameBufferChanged() + 0x58 
		0x70201590	0x20af986	DrawingEngine::SetHWInterface(HWInterface*) + 0x56 
		0x702015c0	0x20af6eb	__13DrawingEngineP11HWInterface + 0x8f 
		0x70201600	0x20b86ba	HWInterface::CreateDrawingEngine() + 0x4e 
		0x70201800	0x2037177	Layer::RenderToBitmap(Canvas*) + 0xdb 
		0x70201870	0x201a827	Canvas::BlendLayer(Layer*) + 0x57 
		0x702018a0	0x2067906	View::BlendAllLayers() + 0x56 
		0x70202fe0	0x2061665	ServerWindow::_DispatchViewDrawingMessage(int32, BPrivate::LinkReceiver&) + 0x4985 
		0x70203310	0x205c7cd	ServerWindow::_DispatchViewMessage(int32, BPrivate::LinkReceiver&) + 0x38c5 
		0x70203440	0x2058e11	ServerWindow::_DispatchMessage(int32, BPrivate::LinkReceiver&) + 0x12c9 
		0x702034c0	0x2063f5e	ServerWindow::_MessageLooper() + 0x256 
		0x702034f0	0x203842a	MessageLooper::_message_thread(void*) + 0x26 
		0x70203518	0x6fd381	thread_entry + 0x21 
		00000000	0x6144c250	commpage_thread_exit + 0 

Attachments (3)

app_server-673-debug-10-11-2016-08-01-01.report (165.3 KB ) - added by humdinger 7 years ago.
crash report
app_server-672-debug-11-11-2016-15-43-49.report (51.3 KB ) - added by humdinger 7 years ago.
app_server-673-debug-11-11-2016-15-41-10.report (87.3 KB ) - added by humdinger 7 years ago.

Change History (13)

by humdinger, 7 years ago

crash report

comment:1 by humdinger, 7 years ago

It looks like I get a reproducible crash when being logged in to the GCI site and going to "Tasks". Then I wait a bit (might also scroll up/down a bit) and, crash, boom, bang. I have attached two more reports. One shows a similar BPrivate::superblock::isValid().

comment:2 by pulkomandy, 7 years ago

I had this happen as well, but apparently only if I have the "material icons" font installed (https://github.com/google/material-design-icons/blob/master/iconfont/MaterialIcons-Regular.ttf). The font doesn't work anyway (it uses ligatures, not sure if we support that).

The crash is a memory corruption so it's possible that the root cause is somewhere else than the backtrace we see.

Which fonts do you have installed and what is your Freetype version?
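
The point made in comment:2, that the backtrace can show the victim rather than the cause, modelled with a toy allocator as an added example (not part of the ticket and not Haiku's allocator code; all names are hypothetical). A double free skews a counter guarded by an invariant of the same shape as `_numAvailable <= _numBlocks`, and the check only fires at a later, unrelated allocation, or not at all.

```c
#include <stdio.h>
#include <string.h>

enum { NUM_BLOCKS = 4 };

/* Toy superblock (hypothetical; not Haiku's allocator code). */
struct toy_superblock {
    int num_blocks, num_available;
    unsigned char in_use[NUM_BLOCKS];   /* consulted only by the checked free */
};

static const char *blamed;   /* call site at which the problem gets reported */

/* Same shape as the assertion in the report: _numAvailable <= _numBlocks. */
static int toy_is_valid(const struct toy_superblock *sb) {
    return sb->num_available >= 0 && sb->num_available <= sb->num_blocks;
}

/* Allocation runs the sanity check, so whoever allocates next takes the blame. */
static int toy_alloc(struct toy_superblock *sb, const char *site) {
    if (!toy_is_valid(sb)) { blamed = site; return -1; }
    for (int i = 0; i < NUM_BLOCKS; i++)
        if (!sb->in_use[i]) { sb->in_use[i] = 1; sb->num_available--; return i; }
    return -1;   /* superblock full */
}

/* checked: reject a second free at its own site; unchecked: it only skews the counter. */
static void toy_free(struct toy_superblock *sb, int i, const char *site, int checked) {
    if (checked && !sb->in_use[i]) { blamed = site; return; }
    sb->in_use[i] = 0;
    sb->num_available++;
}

/* Frees one block twice, then allocates from an unrelated call site. */
static const char *run_demo(int live_blocks, int checked) {
    struct toy_superblock sb = { NUM_BLOCKS, NUM_BLOCKS, {0} };
    blamed = "none";
    int first = toy_alloc(&sb, "setup");
    for (int i = 1; i < live_blocks; i++) toy_alloc(&sb, "setup");
    toy_free(&sb, first, "buggy_site", checked);
    toy_free(&sb, first, "buggy_site", checked);   /* the double free */
    toy_alloc(&sb, "unrelated_site");
    return blamed;
}

int main(void) {
    printf("%s %s %s\n", run_demo(1, 0), run_demo(3, 0), run_demo(1, 1));
    return 0;
}
```

With one live block the unchecked double free is reported at `unrelated_site`; with three live blocks the counter stays within bounds and nothing is reported; the checked free reports `buggy_site` in both cases.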

comment:3 by humdinger, 7 years ago

Good catch! I actually did have the MaterialIcons font installed, in the hope it fixes the missing icons issue on the GCI site. My original report was with freetype2.6.5, I meanwhile have updated to a self-built Haiku with freetype2.7. It, too, crashes...

comment:4 by axeld, 7 years ago

Now you just have to verify that it stops crashing when you haven't installed them :-) That would greatly narrow down the issue, at least!

And no, we don't support ligatures yet. Another great opportunity for jua, it seems :-))

comment:5 by pulkomandy, 7 years ago

Yes, having the font installed is definitely the trigger here. I was about to report that when I noticed humdinger's ticket. As long as the font is not installed, the GCI website can be used without app_server crashes.

comment:6 by humdinger, 7 years ago (in reply to: comment:4)

Replying to axeld:

Now you just have to verify that it stops crashing when you haven't installed them :-)

Consider it verified. No MaterialIcon font, no crash.

comment:7 by axeld, 7 years ago

Owner: changed from axeld to nobody
Status: changed from new to assigned

comment:8 by waddlesplash, 5 years ago

Blocking: 15111 added

comment:9 by waddlesplash, 5 years ago

Summary: changed from "app_server crash (_numAvailable <= _numBlocks)" to "app_server: double free assert triggered by BRegion"

Seems to still happen (#15111).

comment:10 by waddlesplash, 5 years ago

Blocking: 14960 added