Crash in [@ gfxFontGroup::GetUnderlineOffset]
Categories: Core :: Layout: Text and Fonts, defect, P3
People: Reporter: over68, Assigned: jfkthame
Keywords: regression
Attachments: 2 files
Steps to reproduce:
- Set gfx.e10s.font-list.shared to true.
- Restart Firefox.
- Download Font Loader.
- Download Franklin Gothic Book Regular.ttf.
- Open the <select> menu in the testcase.
- Open the Font Loader, Click on the Add Fonts button, Select the font file Franklin Gothic Book Regular.ttf then click Open.
- Click on the Load button.
- Open the <select> menu in the testcase.
Actual results:
Browser crashes.
Crash report: bp-6f8a0fca-486e-4f79-a40e-7d86d0190902
Top 10 frames of crashing thread:
0 xul.dll gfxFontGroup::GetUnderlineOffset gfx/thebes/gfxTextRun.cpp:2737
1 xul.dll nsFontMetrics::MaxHeight gfx/src/nsFontMetrics.cpp:228
2 xul.dll void nsTextBoxFrame::GetTextSize layout/xul/nsTextBoxFrame.cpp:982
3 xul.dll void nsTextBoxFrame::CalcTextSize layout/xul/nsTextBoxFrame.cpp:993
4 xul.dll struct nsSize nsTextBoxFrame::GetXULPrefSize layout/xul/nsTextBoxFrame.cpp:1053
5 xul.dll nsSprocketLayout::GetXULPrefSize layout/xul/nsSprocketLayout.cpp:1248
6 xul.dll nsBoxFrame::GetXULPrefSize layout/xul/nsBoxFrame.cpp:690
7 xul.dll struct nsSize nsMenuFrame::GetXULPrefSize layout/xul/nsMenuFrame.cpp:1220
8 xul.dll nsSprocketLayout::GetXULPrefSize layout/xul/nsSprocketLayout.cpp:1248
9 xul.dll nsBoxFrame::GetXULPrefSize layout/xul/nsBoxFrame.cpp:690
Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=87be514024ac53ab6362ffc26610c063d50abe07&tochange=7de7d6a0be86d400ee23ca1ac806eb358555b28d
Comment 2 (Assignee) • 5 years ago
Note that this is disabled by default (bug 1533462 is about turning on the pref for dev builds); adjusting firefox-70 status accordingly.
Comment 3 (Assignee) • 5 years ago
The crash here occurs because when the new font is activated, we rebuild the font list; but when we do that, we fail to flush the nsFontCache attached to each device context, and this means we may retrieve and try to use a cached nsFontMetrics that contains stale references to fonts from the old font-list.
(This was probably a bug that might have been observable in some obscure cases even without the shared font list; I think we might have temporarily used the wrong metrics, or something like that. But with the shared font list, we end up trying to use a pointer to a shared-memory object that is no longer present, and so we crash.)
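The failure mode described in comment 3, as an added example that is not part of the original comment and is not Mozilla's code: a per-context cache keeps entries that refer to a font list which has since been rebuilt. All type and function names here are hypothetical, and the sketch uses generation-tagged handles instead of raw pointers so the stale entry is detected rather than dereferenced.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the shared font list: each rebuild replaces the
// storage and bumps a generation number so old handles can be recognised.
struct FontList {
    uint32_t generation = 0;
    std::vector<std::string> families;
    void Rebuild(const std::vector<std::string>& f) { families = f; ++generation; }
};

// Handle into the list; with a raw pointer here, a rebuild leaves it dangling.
struct FontHandle { uint32_t generation; size_t index; };

// Hypothetical stand-in for the metrics cache attached to a device context.
class MetricsCache {
public:
    explicit MetricsCache(const FontList& list) : mList(list) {}
    // Returns the cached handle for `family`, creating the entry on a miss.
    bool Get(const std::string& family, FontHandle* out) {
        auto it = mEntries.find(family);
        if (it == mEntries.end()) {
            for (size_t i = 0; i < mList.families.size(); ++i)
                if (mList.families[i] == family)
                    it = mEntries.emplace(family, FontHandle{mList.generation, i}).first;
            if (it == mEntries.end()) return false;  // family not installed
        }
        *out = it->second;
        return true;
    }
    void Flush() { mEntries.clear(); }  // the step that was skipped on rebuild
    bool IsStale(const FontHandle& h) const { return h.generation != mList.generation; }
private:
    const FontList& mList;
    std::map<std::string, FontHandle> mEntries;
};

// Populate the cache, rebuild the list (a new font is activated), look up again.
// Returns true if the handle served after the rebuild refers to the old list.
bool StaleAfterRebuild(bool flushOnRebuild) {
    FontList list;
    list.Rebuild({"Arial", "Tahoma"});                          // constructed sample data
    MetricsCache cache(list);
    FontHandle h{};
    cache.Get("Tahoma", &h);
    list.Rebuild({"Franklin Gothic Book", "Arial", "Tahoma"});
    if (flushOnRebuild) cache.Flush();
    return cache.Get("Tahoma", &h) && cache.IsStale(h);
}
```

Without the flush, the second lookup is a cache hit that still carries the old generation and the old index; with the flush, the entry is recreated against the current list.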
Comment 8 • 5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.