Open Bug 1794695 Opened 2 years ago Updated 2 years ago

Crash in [@ nsFont::nsFont]

Categories

(Core :: Layout: Text and Fonts, defect)

People

(Reporter: dholbert, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/0b027f73-e6c6-4027-99ab-4f1f10221011

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsFont::nsFont gfx/src/nsFont.cpp:28
1 xul.dll style::properties::longhands::font_family::cascade_property x86_64-pc-windows-msvc/release/build/style-c0291e025f45e906/out/longhands/font.rs:110
2 xul.dll style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_style_and_visited<style::gecko::wrapper::GeckoElement> servo/components/style/style_resolver.rs:367
3 xul.dll style::traversal::compute_style<style::gecko::wrapper::GeckoElement> servo/components/style/traversal.rs:610
4 xul.dll style::driver::traverse_dom<style::gecko::wrapper::GeckoElement, style::gecko::traversal::RecalcStyleOnly> servo/components/style/driver.rs:112
5 xul.dll geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:335
6 xul.dll mozilla::ServoStyleSet::StyleDocument layout/style/ServoStyleSet.cpp:774
7 xul.dll mozilla::RestyleManager::DoProcessPendingRestyles layout/base/RestyleManager.cpp:3084
8 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4372
9 xul.dll mozilla::EventStateManager::PreHandleEvent dom/events/EventStateManager.cpp:779

This report was: bp-0b027f73-e6c6-4027-99ab-4f1f10221011
Another recent report: bp-fe458b5c-6cf8-4fa0-9a62-71a0d0221002

(This crash signature was originally classified under bug 866767, but I don't think the crashes we're getting with this signature nowadays are related to what that bug was originally filed about, so I'm spinning it off.)

Looks like this sometimes happens when resolving style (e.g. the crash reports & backtrace in comment 0). Other crash reports are in layout, e.g. bp-7f96a886-706d-43d3-8f57-db82c0220708 has this backtrace:

0 xul.dll nsFont::nsFont gfx/src/nsFont.cpp:28
1 xul.dll nsFontCache::GetMetricsFor gfx/src/nsFontCache.cpp:92
2 xul.dll static nsLayoutUtils::GetFontMetricsForFrame layout/base/nsLayoutUtils.cpp:4061
3 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1750
4 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrame.cpp:2154
5 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:3096
6 xul.dll nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8865
7 xul.dll nsContainerFrame::DoInlineMinISize layout/generic/nsContainerFrame.cpp:889
8 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:840
9 xul.dll static nsLayoutUtils::IntrinsicForAxis layout/base/nsLayoutUtils.cpp:4931

In both cases we're crashing in nsFont::nsFont(const nsFont& aOther) = default; i.e. the default nsFont copy-constructor, so we seem to be working with (and failing when copy-constructing) an nsFont instance with some bogus data.

Summary: Crash in [@ nsFont::nsFont] when resolving style → Crash in [@ nsFont::nsFont]
Component: CSS Parsing and Computation → Layout: Text and Fonts