Crash in [@ gfxFontGroup::InitScriptRun<T>] - not handling the reinitialization of the font list
Categories
(Core :: Layout: Text and Fonts, defect)
People
(Reporter: over68, Unassigned, NeedInfo)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [tbird crash])
Steps to reproduce:
- Download and install all Google Noto Fonts.
- Set fission.autostart to false.
- Restart Firefox.
- Download Font Loader.
- Download Franklin Gothic Book Regular.ttf.
- Log in to Outlook.
- Wait for the ad to display on the right side of the page.
- Click on the Help icon (? in the top right) to open the sidebar.
- Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
- Click on the Load button.
- Close the sidebar.
See https://youtu.be/zM7HW0yT35M
Actual results:
The tab crashed.
Crash report: bp-da237453-efc0-4e6c-a4d1-fb7a50220202
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2694
1 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2490
2 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1674
3 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:3017
4 xul.dll nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8761
5 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:827
6 xul.dll nsIFrame::ShrinkWidthToFit layout/generic/nsIFrame.cpp:6650
7 xul.dll nsIFrame::ComputeSize layout/generic/nsIFrame.cpp:6282
8 xul.dll mozilla::ReflowInput::ReflowInput layout/generic/ReflowInput.cpp:216
9 xul.dll nsFlexContainerFrame::DoFlexLayout layout/generic/nsFlexContainerFrame.cpp:5119
Note the crash only occurs if the ad contains the Ad icon which appears in green, see screenshot.
This is a saved page that contains the ad causing the crash (the green icon does not appear because the page is saved): https://onedrive.live.com/download?cid=F96BA52A2AF70D03&resid=F96BA52A2AF70D03%211511&authkey=AJdcrWFNEmmAWZI
Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0349ccb58fc487905423ad2cd7e0ee4c6545367b&tochange=cdf7e5db79db369374fb7a529a8ac857984c3831
Regressed by: bug 1669855
This is similar to bug 1588418.
Comment 4•3 years ago
Set release status flags based on info from the regressing bug 1669855
Comment 5•3 years ago
Set release status flags based on info from the regressing bug 1669855
Comment 6•3 years ago
(In reply to blinky from comment #2)
> Regressed by: bug 1669855
ni=jfkthame to investigate when he's got cycles.
Comment 7•3 years ago
This must be a further example where we're not handling the reinitialization of the font list fully correctly. Leaving needinfo flag for now pending deeper investigation.
Comment 8•3 years ago
The bug has a crash signature, thus the bug will be considered confirmed.
Updated•2 years ago
The crash signature has changed to gfxFontEntry::HasCharacter.
Crash report: bp-c8ed8851-b63a-46cc-93d1-04ae50221026
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll gfxFontEntry::HasCharacter gfx/thebes/gfxFontEntry.h:230
0 xul.dll gfxFont::HasCharacter const gfx/thebes/gfxFont.h:1770
0 xul.dll gfxFontGroup::ComputeRanges gfx/thebes/gfxTextRun.cpp:3497
0 xul.dll gfxFontGroup::InitScriptRun gfx/thebes/gfxTextRun.cpp:2744
0 xul.dll gfxFontGroup::InitTextRun gfx/thebes/gfxTextRun.cpp:2622
0 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2515
1 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2664
1 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1777
2 xul.dll BuildTextRuns layout/generic/nsTextFrame.cpp:1696
2 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:3115