Crash in [@ mozilla::fontlist::Pointer::ToPtr]
Categories: Core :: Layout: Text and Fonts, defect, P3
People: Reporter: over68, Assigned: jfkthame
Attachments: 1 file
Steps to reproduce:
- Set gfx.e10s.font-list.shared to true.
- Restart Firefox.
- Download Font Loader.
- Download Franklin Gothic Book Regular.ttf.
- Open http://linux.voyager.hr/grsec_last_stable/changelog-stable2.txt.
- Press Shift-Reload.
- Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
- Click on the Load button.
Actual results:
The tab crashed.
Crash report: bp-dc902d43-a705-403b-87d6-749fd0190917
Top 10 frames of crashing thread:
0 xul.dll mozilla::fontlist::Pointer::ToPtr gfx/thebes/SharedFontList.cpp:40
1 xul.dll mozilla::fontlist::Family::SearchAllFontsForChar gfx/thebes/SharedFontList.cpp:304
2 xul.dll class gfxFont* gfxFontGroup::FindFallbackFaceForChar gfx/thebes/gfxTextRun.cpp:2714
3 xul.dll gfxFontGroup::FindFontForChar gfx/thebes/gfxTextRun.cpp
4 xul.dll gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2486
5 xul.dll static void gfxFontGroup::InitTextRun<char16_t> gfx/thebes/gfxTextRun.cpp:2408
6 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2280
7 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2482
8 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1640
9 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrame.cpp:1964
Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=87be514024ac53ab6362ffc26610c063d50abe07&tochange=7de7d6a0be86d400ee23ca1ac806eb358555b28d
Comment 2•5 years ago
Hi, it looks like the same issue as filed under bug 1554819, so I'll dupe it over. Can you post your STR there as well?
Thanks.
Reopen this. The fix for bug 1554819 doesn't fix this; see bug 1554819 comment 40.
Comment 4•5 years ago
I can't currently reproduce this with any sort of reliability, which makes it difficult for me to test locally, but I've pushed a try build with a speculative patch that I'm hoping might prevent this crash:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ed01e29c7cf48e5414ecde65f9a1ed7be48f1132&selectedJob=276577474.
If you could give that a try and see whether it affects things on your system, that would be really helpful - thanks!
This is reproduced on Win10 with the latest Nightly build.
Steps to reproduce:
- Download Font Loader.
- Download Franklin Gothic Book Regular.ttf.
- Open this page.
- Press Shift-Reload.
- Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
- Click on the Load button.
- If it doesn't reproduce, close and open the page again.
- Click on the Unload button.
Actual results:
The tab crashed.
Crash report: bp-1b0e7305-593d-4a52-807d-c45970191116
Top 10 frames of crashing thread:
0 xul.dll InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:27
1 xul.dll mozilla::fontlist::Pointer::ToPtr gfx/thebes/SharedFontList.cpp:58
2 xul.dll mozilla::fontlist::Family::SearchAllFontsForChar gfx/thebes/SharedFontList.cpp:304
3 xul.dll class gfxFont* gfxFontGroup::FindFallbackFaceForChar gfx/thebes/gfxTextRun.cpp:2717
4 xul.dll gfxFontGroup::FindFontForChar gfx/thebes/gfxTextRun.cpp
5 xul.dll static void gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2489
6 xul.dll static void gfxFontGroup::InitTextRun<char16_t> gfx/thebes/gfxTextRun.cpp:2411
7 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2283
8 xul.dll void BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1644
9 xul.dll void BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrame.cpp:2012
I cannot reproduce the crash with the build in comment 4. Thanks.
Comment 7•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 8•5 years ago
Not really a regression; this is an issue with an in-progress feature that is not yet preffed on.
Comment 9•5 years ago
Comment 10•5 years ago
What seems to be going on here is that after a change to the installed system fonts (which causes us to discard and re-create the font list), it's possible for us to get a reflow (e.g. triggered by the RefreshDriver firing an InterruptibleLayout flush) after the content process has updated its font-list to refer to the newly-created shared list, thus invalidating any pointers into the old list, but before the global reconstruction of all frames triggered by gfxPlatform::ForceGlobalReflow() has happened.
This causes problems because if we have existing textframes which have references to existing fontgroups, those fontgroups now have Family/Face/SharedBitSet pointers that point to no-longer-mapped memory and cannot safely be touched. So we crash when trying to do font-matching using these objects. These fontgroups and their (obsolete) references are all due to be discarded and rebuilt as a result of ForceGlobalReflow(), but we can't guarantee that'll happen before any other attempt to use them.
To protect against this, we need to check whether the platform font list has been recreated before trying to use a fontgroup to build text runs, and if so, force the fontgroup to redo its BuildFontList so that it gets fresh, valid references to the various font objects.
This is similar to bug 1554819, and we can use the same font-list generation check as there, but it turns out the issue is wider than just canvas contexts.
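To illustrate the generation check that comment 10 describes, here is an added example that is not Gecko's own code: a constructed stand-in for the platform font list (rebuilt when system fonts change, bumping a generation counter) and a font group that caches raw pointers into it and re-validates them before use. The names PlatformFontList, FontGroup, Rebuild and CheckForUpdatedPlatformList are assumptions, not Firefox's real API.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for the platform font list: family records that are
// discarded and re-created when installed fonts change, plus a generation
// counter bumped on every rebuild (the real list lives in shared memory).
struct Family { std::string name; };

class PlatformFontList {
public:
    PlatformFontList() { Rebuild(); }
    void Rebuild() {
        // Reassigning frees the old storage: any raw Family* taken earlier
        // now points at memory that must not be touched (the bug's crash).
        mFamilies = std::vector<Family>{{"Sans"}, {"Serif"}, {"Mono"}};
        ++mGeneration;
    }
    unsigned Generation() const { return mGeneration; }
    const std::vector<Family>& Families() const { return mFamilies; }
private:
    std::vector<Family> mFamilies;
    unsigned mGeneration = 0;
};

// Stand-in for a gfxFontGroup: caches raw pointers into the platform list
// together with the generation it observed when it took them.
class FontGroup {
public:
    explicit FontGroup(const PlatformFontList& aList) { BuildFontList(aList); }
    // The check the fix describes: before cached pointers are used to build
    // a text run, compare generations and rebuild if the platform list has
    // been re-created since. Returns true when a rebuild was needed.
    bool CheckForUpdatedPlatformList(const PlatformFontList& aList) {
        if (mGeneration == aList.Generation()) return false;
        BuildFontList(aList);
        return true;
    }
    unsigned Generation() const { return mGeneration; }
    unsigned Rebuilds() const { return mRebuilds; }
private:
    void BuildFontList(const PlatformFontList& aList) {
        mFamilies.clear();  // drop stale pointers without dereferencing them
        for (const Family& f : aList.Families()) mFamilies.push_back(&f);
        mGeneration = aList.Generation();
        ++mRebuilds;
    }
    std::vector<const Family*> mFamilies;
    unsigned mGeneration = 0;
    unsigned mRebuilds = 0;
};
```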
Updated•5 years ago
Comment 11•5 years ago
Comment 12•5 years ago
Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit the auto_nag documentation.
Comment 14•5 years ago
This is still preffed off by default, so status for beta is disabled.
Updated•5 years ago
Comment 15•5 years ago