No test case available at the moment. Prefs gfx.webrender.all=true and gfx.webrender.software=true were set.

==3258==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400019c488 at pc 0x7f9e3ac6bc38 bp 0x7ffeb651b130 sp 0x7ffeb651b128
READ of size 8 at 0x61400019c488 thread T0 (Web Content)
    #0 0x7f9e3ac6bc37 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f9e3ac6bc37 in GetUnicodeRangeMap /builds/worker/workspace/obj-build/dist/include/gfxFont.h:1756:29
    #2 0x7f9e3ac6bc37 in gfxFontCache::HashEntry::KeyEquals(gfxFontCache::Key const*) const /gecko/gfx/thebes/gfxFont.cpp:220:55
    #3 0x7f9e37c1e94e in SearchTable<PLDHashTable::ForSearchOrRemove, (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:498:7), (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:499:7)> /gecko/xpcom/ds/PLDHashTable.cpp:373:11
    #4 0x7f9e37c1e94e in PLDHashTable::Search(void const*) const /gecko/xpcom/ds/PLDHashTable.cpp:496:10
    #5 0x7f9e3ac6ca50 in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:211:16
    #6 0x7f9e3ac6ca50 in gfxFontCache::DestroyFont(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:282:29
    #7 0x7f9e3ac6c7ab in gfxFontCache::NotifyExpired(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:276:3
    #8 0x7f9e3ac2ff37 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:261:7
    #9 0x7f9e3acb2c56 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:442:7
    #10 0x7f9e37d6aad2 in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:562:7
    #11 0x7f9e37d6a39d in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:251:11
    #12 0x7f9e37d55069 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:452:16
    #13 0x7f9e37d51b27 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:722:26
    #14 0x7f9e37d4fa67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:581:15
    #15 0x7f9e37d4febd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:375:36
    #16 0x7f9e37d5cb84 in operator() /gecko/xpcom/threads/TaskController.cpp:125:37
    #17 0x7f9e37d5cb84 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:485:5
    #18 0x7f9e37d7d58b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1196:14
    #19 0x7f9e37d887ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #20 0x7f9e3907d8d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #21 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #22 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #23 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #24 0x7f9e3fdc8117 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7f9e43ae929f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #26 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #27 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #28 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #29 0x7f9e43ae883c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:732:34
    #30 0x5589d1fa07fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x5589d1fa0c37 in main /gecko/browser/app/nsBrowserApp.cpp:305:18
    #32 0x7f9e541b00b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #33 0x5589d1ef4199 in _start (/home/worker/builds/m-c-20201126212448-fuzzing-asan-opt/firefox+0x5b199)

0x61400019c488 is located 72 bytes inside of 400-byte region [0x61400019c440,0x61400019c5d0)
freed by thread T0 (Web Content) here:
    #0 0x5589d1f6ddad in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f9e3ac6caad in gfxFontCache::DestroyFont(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:288:3
    #2 0x7f9e3ac6c7ab in gfxFontCache::NotifyExpired(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:276:3
    #3 0x7f9e3ac2ff37 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:261:7
    #4 0x7f9e3acb2c56 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:442:7
    #5 0x7f9e37d6aad2 in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:562:7
    #6 0x7f9e37d6a39d in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:251:11
    #7 0x7f9e37d55069 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:452:16
    #8 0x7f9e37d51b27 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:722:26
    #9 0x7f9e37d4fa67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:581:15
    #10 0x7f9e37d4febd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:375:36
    #11 0x7f9e37d5cb84 in operator() /gecko/xpcom/threads/TaskController.cpp:125:37
    #12 0x7f9e37d5cb84 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:485:5
    #13 0x7f9e37d7d58b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1196:14
    #14 0x7f9e37d887ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #15 0x7f9e3907d8d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #16 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #17 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #18 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #19 0x7f9e3fdc8117 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #20 0x7f9e43ae929f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #21 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #22 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #23 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #24 0x7f9e43ae883c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:732:34

previously allocated by thread T0 (Web Content) here:
    #0 0x5589d1f6e02d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5589d1fb290d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f9e3abf1397 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f9e3abf1397 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) /gecko/gfx/thebes/gfxFcPlatformFontList.cpp:870:22
    #4 0x7f9e3ac428e3 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /gecko/gfx/thebes/gfxFontEntry.cpp:280:24
    #5 0x7f9e3adc7bd0 in gfxFontGroup::GetFontAt(int, unsigned int, bool*) /gecko/gfx/thebes/gfxTextRun.cpp:2055:16
    #6 0x7f9e3adc9412 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /gecko/gfx/thebes/gfxTextRun.cpp:2277:12
    #7 0x7f9e401d2f5e in Gecko_GetFontMetrics /gecko/layout/style/GeckoBindings.cpp:1457:33
    #8 0x7f9e469b92cd in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::h3759fbc4866cf298 /gecko/servo/components/style/gecko/wrapper.rs:986:13
    #9 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::hc67792483aee53f0 /gecko/servo/components/style/values/specified/length.rs:158:13
    #10 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::h806342036867de5a /gecko/servo/components/style/values/specified/length.rs:188:21
    #11 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::to_computed_value::ha2a083094b5d0646 /gecko/servo/components/style/values/specified/length.rs:137:40
    #12 0x7f9e465c580d in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::h0ecd15cd2647c96b /gecko/servo/components/style/values/computed/length.rs:36:17
    #13 0x7f9e465bb7f2 in style::values::computed::length_percentage::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..LengthPercentage$GT$::to_computed_value::h217b42dd8a766ef3 /gecko/servo/components/style/values/computed/length_percentage.rs:502:46
    #14 0x7f9e465bb7f2 in _$LT$style..values..generics..NonNegative$LT$T$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::hfffe814fa0c780b0 /gecko/servo/components/style/values/generics/mod.rs:159:5
    #15 0x7f9e465bb7f2 in _$LT$style..values..generics..size..Size2D$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h475e1a5d578fecb3 /gecko/servo/components/style/values/generics/size.rs:26:5
    #16 0x7f9e465bb7f2 in _$LT$style..values..generics..border..GenericBorderCornerRadius$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h2d6f73396932981c /gecko/servo/components/style/values/generics/border.rs:88:5
    #17 0x7f9e465bb7f2 in style::properties::longhands::border_top_right_radius::cascade_property::hf774be0c6c78eadc /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-b92d20914194d20b/out/longhands/border.rs:2908:32
    #18 0x7f9e45b7c1f6 in style::properties::cascade::Cascade::apply_declaration::hd80bc4a262944ad0 /gecko/servo/components/style/properties/cascade.rs:556:9
    #19 0x7f9e45b7c1f6 in style::properties::cascade::Cascade::apply_properties::h97dc347fdfb66d00 /gecko/servo/components/style/properties/cascade.rs:673:13
    #20 0x7f9e45b7f34d in style::properties::cascade::apply_declarations::h79e76a38ef3dd397 /gecko/servo/components/style/properties/cascade.rs:349:9
    #21 0x7f9e45b7f34d in style::properties::cascade::cascade_rules::h6cd7581f7454481d /gecko/servo/components/style/properties/cascade.rs:210:5
    #22 0x7f9e45b99988 in style::properties::cascade::cascade::h095b70487531cd61 /gecko/servo/components/style/properties/cascade.rs:93:5
    #23 0x7f9e45b99988 in style::stylist::Stylist::cascade_style_and_visited::hb2060cc5018908d1 /gecko/servo/components/style/stylist.rs:905:9
    #24 0x7f9e45ba42b4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h0e5aa1193cfc8070 /gecko/servo/components/style/style_resolver.rs:346:22
    #25 0x7f9e45ba391e in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h09ed4087b003e7eb /gecko/servo/components/style/style_resolver.rs:243:20
    #26 0x7f9e45b9f1cc in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::h910ea45f7d136d0c /gecko/servo/components/style/style_resolver.rs:203:9
    #27 0x7f9e45b9edf9 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::hbafcad99a6c1d8ad /gecko/servo/components/style/style_resolver.rs:259:29
    #28 0x7f9e45b9a68a in style::traversal::resolve_style::hfcb3b409f24f1892 /gecko/servo/components/style/traversal.rs:367:5
    #29 0x7f9e45b9a68a in Servo_ResolveStyleLazily /gecko/servo/ports/geckolib/glue.rs:5502:18
    #30 0x7f9e402266aa in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /gecko/layout/style/ServoStyleSet.cpp:1140:10

Johnathan, if you have a testcase that reproduces this (from the dup'd report in bug 1679936), I'd be interested to see it, as it's not immediately clear to me how this arises. Thanks!

I managed to get a pernosco trace of this issue:
https://pernos.co/debug/7F3QONN2DScYbVDQONww-A/index.html

(In reply to Jonathan Kew (:jfkthame) from comment #2)

Johnathan, if you have a testcase that reproduces this (from the dup'd report in bug 1679936), I'd be interested to see it, as it's not immediately clear to me how this arises. Thanks!

I've attached a reduced testcase for this issue. Please let me know if you have any issues reproducing it.

Jason, does this still reproduce? It looks to me like it may have been triggered by the same underlying issue as bug 1684497.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210120161357-171064b937f6.
The bug appears to have been introduced in the following build range:

Start: bf21f044ae70855a7407d7ac247b915dd65ae7a4 (20200622093556)
End: 7a13c77442451fdb9fd1032f605f1322a218702b (20200622094618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bf21f044ae70855a7407d7ac247b915dd65ae7a4&tochange=7a13c77442451fdb9fd1032f605f1322a218702b

I couldn't repro this one, but I could repro bug 1682607 and I'm ~sure it's the same underlying issue. Jason, can you confirm bug 1682607 fixes this when it lands?

(In reply to Emilio Cobos Álvarez (:emilio) from comment #8)

I couldn't repro this one, but I could repro bug 1682607 and I'm ~sure it's the same underlying issue. Jason, can you confirm bug 1682607 fixes this when it lands?

:emilio, I can confirm that this bug no longer reproduces using the patch in bug 1682607.

Should we uplift bug 1682607 to 86?

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210211154112-160b47b7163e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

I had requested uplift for that bug already.

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.