08 Nov 2009  

Quote: Originally Posted by shernren
Wow, that's one of the more bizarre reasons for a system crash I've seen.
Yeah, it made me chuckle, although it's not quite as uncommon as one might think.

Quote: Originally Posted by shernren
I've tracked the offending font down: it's "Mathematica5", as evidenced by it causing both MS Word and Mathematica 7 (which I just installed before the weekend started) to crash. It's a bit strange for that to be the bad font because I don't see any obvious interactions between it and Firefox / Wordpad.
It's good that you remember which font you'd installed recently.

Fonts are ultimately just specific patterns in memory. The "rendering" done by the Win32 subsystem in order to draw a particular font on a device context corresponding to the screen or a printer is done down in kernel-mode by the unimaginatively named win32k.sys (Win32 subsystem "kernel" driver).

Wild memory reading/writing due to corrupted data causes an app-specific crash when it happens up in user-mode, but it's absolutely lethal to the entire OS when it occurs in kernel-mode (it usually leads to a BSOD). Hence, a bad font definition (a "bug" in the font) can easily take out the entire OS. Weird, huh? Most people would assume that the choice of what's in their freeware font packs hardly matters at all.

Wordpad and FF may not even be "using" the bad font in the sense that they're actively writing crud on screen in that font. It may be enough just to merely enumerate the list of fonts available, perhaps for that pretty drop-down list which shows you all the fonts on the system.

Quote: Originally Posted by shernren
Now I'll see if I can shunt over into safe mode and replace that font. In the mean time, more minidumps for you to look at (with all flags set on the verifier) to see if there's any more helpful details.
With verifier enabled, the crash stack looks exactly the same as before, except now the presence of the additional verifier checks virtually proves that the font itself is mangled:

ChildEBP RetAddr
bb5a4a8c 82b46f90 nt!ExFreePoolWithTag+0x1b1 // BOOM! Crash!
bb5a4aa0 9655c189 nt!VerifierExFreePoolWithTag+0x30 // additional checking due to (driver) verifier
bb5a4ab4 9663e832 win32k!EngFreeMem+0x1f // free memory associated with font
bb5a4acc 9663e7d3 win32k!ttfdCloseFontContext+0x51 // done with the font object
bb5a4adc 9663e873 win32k!ttfdDestroyFont+0x16
bb5a4ae8 96635501 win32k!ttfdSemDestroyFont+0x18
bb5a4b20 96635554 win32k!PDEVOBJ::DestroyFont+0x67 // website interprets method syntax as a smilie. Ironic.
bb5a4b50 965a0d1e win32k!RFONTOBJ::vDeleteRFONT+0x33
bb5a4b94 965a2d15 win32k!RFONTOBJ::bMakeInactiveHelper+0x25a
bb5a4bf0 965cba77 win32k!RFONTOBJ::vMakeInactive+0x72
bb5a4c70 965cbd74 win32k!RFONTOBJ::bInit+0xe3
bb5a4c88 9656b38f win32k!RFONTOBJ::vInit+0x16
bb5a4ca4 9656afd4 win32k!ulGetFontData2+0x17
bb5a4cd0 9656ac5a win32k!ulGetFontData+0x48
bb5a4d18 8285942a win32k!NtGdiGetFontData+0x5a
bb5a4d18 77c364f4 nt!KiFastCallEntry+0x12a

Just remember to run VERIFIER /RESET now.
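As an added example (not from the original post or its author), here is a Python sanity check of a TrueType table directory, the kind of pre-install check a defender would want given the explanation above that win32k's TrueType driver (ttfd) parses font data in kernel mode: it verifies that every table's offset and length fit inside the file and that the per-table checksums match. The sample font bytes are constructed to exercise the checks and are not a real font.

```python
import struct

SFNT_VERSIONS = (0x00010000, 0x74727565)  # TrueType, and Mac 'true' tag

def parse_table_directory(data):
    """Return [(tag, checksum, offset, length)] from the sfnt offset table."""
    if len(data) < 12:
        raise ValueError("file too short for sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError("not a TrueType sfnt version: 0x%08x" % version)
    entries = []
    for i in range(num_tables):
        off = 12 + 16 * i
        if off + 16 > len(data):
            raise ValueError("table directory truncated")
        tag, chk, offset, length = struct.unpack(">4sIII", data[off:off + 16])
        entries.append((tag.decode("latin-1"), chk, offset, length))
    return entries

def table_checksum(data, offset, length):
    """TrueType checksum: sum of big-endian uint32 words, zero-padded to 4 bytes."""
    chunk = data[offset:offset + length] + b"\0" * ((4 - length % 4) % 4)
    total = 0
    for i in range(0, len(chunk), 4):
        total = (total + struct.unpack(">I", chunk[i:i + 4])[0]) & 0xFFFFFFFF
    return total

def check_font(data):
    """Return a list of problems; an empty list means the directory looks sane."""
    try:
        entries = parse_table_directory(data)
    except ValueError as e:
        return [str(e)]
    problems = []
    for tag, chk, offset, length in entries:
        # Python ints do not wrap, so offset + length is an honest bounds check here
        if offset < 12 or offset + length > len(data):
            problems.append("%s: offset %d + length %d exceeds file size %d"
                            % (tag, offset, length, len(data)))
            continue
        # 'head' embeds checkSumAdjustment and is checked differently; skip it
        if tag != "head" and table_checksum(data, offset, length) != chk:
            problems.append("%s: checksum mismatch" % tag)
    return problems

def build_sample(bad=False):
    """Constructed one-table font; bad=True plants an oversized table length."""
    body = b"\x00\x00\x00\x04\x00\x03\x00\x01"          # 8 bytes of fake table data
    length = 0x7FFFFFF0 if bad else len(body)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    entry = struct.pack(">4sIII", b"cmap", table_checksum(body, 0, len(body)), 28, length)
    return header + entry + body
```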