Closed Bug 642734 Opened 14 years ago Closed 14 years ago

Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font

Categories

(Core :: Graphics, defect)

x86
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla6
Tracking Status
firefox5 + fixed
blocking2.0 --- -
status2.0 --- wanted
blocking1.9.2 --- .18+
status1.9.2 --- .18-fixed

People

(Reporter: bc, Assigned: jfkthame)

References


Details

(Keywords: crash, Whiteboard: [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192])

Crash Data

Attachments

(2 files)

1. http://www.arlovance.com/
2. sometimes crash.

I haven't been able to reproduce locally on Mac OS X or Windows XP, but the automation has so far crashed on Windows 7 32bit, Fedora 14 32bit and 64bit. I have been able to reproduce locally on Fedora 14 32bit especially when running under gdb. I wasn't able to crash a nightly Linux build however. YMMV.

associated socorro signature: gfxUserFontSet::LoadNext

Operating system: Windows NT 6.1.7601 Service Pack 1
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0 xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 139 + 0x5]
    eip = 0x635d33bc esp = 0x0017c394 ebp = 0x0017c398 ebx = 0x00000001 esi = 0x00343e20 edi = 0x00000000 eax = 0x04c28238 ecx = 0xdddddddd edx = 0x04b55820 efl = 0x00010202
    Found by: given as instruction pointer in context
 1 xul.dll!gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry *) [gfxUserFontSet.h : 113 + 0xa]
    eip = 0x63b193f4 esp = 0x0017c3a0 ebp = 0x0017c3b0
    Found by: call frame info
 2 xul.dll!gfxUserFontSet::LoadNext(gfxProxyFontEntry *) [gfxUserFontSet.cpp : 691 + 0xb]
    eip = 0x63b191ee esp = 0x0017c3b8 ebp = 0x0017c7f0
    Found by: call frame info
 3 xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 586 + 0xe]
    eip = 0x63b17fe3 esp = 0x0017c7f8 ebp = 0x0017ce78
    Found by: call frame info
 4 xul.dll!nsFontFaceLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,unsigned int,unsigned int,unsigned char const *) [nsFontFaceLoader.cpp : 226 + 0x1f]
    eip = 0x63f12a7a esp = 0x0017ce80 ebp = 0x0017cefc
    Found by: call frame info
 5 xul.dll!nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,unsigned int) [nsStreamLoader.cpp : 125 + 0x3d]
    eip = 0x63bc4cc6 esp = 0x0017cf04 ebp = 0x0017cf24
    Found by: call frame info

Operating system: Linux 0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0 libxul.so!nsTArray_base<nsTArrayDefaultAllocator>::Length [nsTArray.h : 139 + 0x5]
    eip = 0x00b1b84e esp = 0xbf986d38 ebp = 0xbf986d38 ebx = 0x02ec255c esi = 0x08a70b90 edi = 0x00000020 eax = 0x00000000 ecx = 0x02ec255c edx = 0x00000004 efl = 0x00010216
    Found by: given as instruction pointer in context
 1 libxul.so!gfxMixedFontFamily::RemoveFontEntry [gfxUserFontSet.h : 113 + 0xd]
    eip = 0x021e5a78 esp = 0xbf986d40 ebp = 0xbf986d68 ebx = 0x02ec255c esi = 0x08a70b90 edi = 0x00000020
    Found by: call frame info
 2 libxul.so!gfxUserFontSet::LoadNext [gfxUserFontSet.cpp : 691 + 0x11]
    eip = 0x021e54db esp = 0xbf986d70 ebp = 0xbf987118 ebx = 0x02ec255c esi = 0x08a70b90 edi = 0x00000020
    Found by: call frame info
 3 libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 586 + 0x11]
    eip = 0x021e4e78 esp = 0xbf987120 ebp = 0xbf9876a8 ebx = 0x02ec255c esi = 0x095af330 edi = 0x0000b9c8
    Found by: call frame info
 4 libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00fd1540 esp = 0xbf9876b0 ebp = 0xbf987738 ebx = 0x02ec255c esi = 0x095af330 edi = 0x0000b9c8
    Found by: call frame info
 5 libxul.so!nsStreamLoader::OnStopRequest [nsStreamLoader.cpp : 125 + 0x4b]
    eip = 0x00bb5820 esp = 0xbf987740 ebp = 0xbf987788 ebx = 0x02ec255c esi = 0x095af330 edi = 0x0000b9c8
    Found by: call frame info

Operating system: Linux 0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: SIGSEGV
Crash address: 0x9d36000

Thread 0 (crashed)
 0 libxul.so!nsCharSinkTraits<CalculateUTF8Size>::write [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x01d60b00 esp = 0xbfb9b4b0 ebp = 0xbfb9b4f8 ebx = 0x02b2155c esi = 0x006f0063 edi = 0x00005e24 eax = 0x09d36000 ecx = 0x02da234c edx = 0x00273410 efl = 0x00010202
    Found by: given as instruction pointer in context
 1 libxul.so!copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size> [nsAlgorithm.h : 93 + 0x31]
    eip = 0x01d5fd8a esp = 0xbfb9b500 ebp = 0xbfb9b518 ebx = 0x02b2155c esi = 0x006f0063 edi = 0x00005e24
    Found by: call frame info
 2 libxul.so!AppendUTF16toUTF8 [nsReadableUtils.cpp : 200 + 0x12]
    eip = 0x01d5df9d esp = 0xbfb9b520 ebp = 0xbfb9b578 ebx = 0x02b2155c esi = 0xbfb9b550 edi = 0x00005e24
    Found by: call frame info
 3 libxul.so!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8 [nsString.h : 161 + 0x11]
    eip = 0x00776061 esp = 0xbfb9b580 ebp = 0xbfb9b598 ebx = 0x02b2155c esi = 0x09a8af50 edi = 0x00005e24
    Found by: call frame info
 4 libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 477 + 0x1c]
    eip = 0x01e43950 esp = 0xbfb9b5a0 ebp = 0xbfb9bb28 ebx = 0x02b2155c esi = 0x09a8af50 edi = 0x00005e24
    Found by: call frame info
 5 libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00c30540 esp = 0xbfb9bb30 ebp = 0xbfb9bbb8 ebx = 0x02b2155c esi = 0x09a8af50 edi = 0x00005e24
    Found by: call frame info

ss since Windows 7 showed deleted heap in the crash address and ecx.
1. http://www.arlovance.com/sketches
2. crash

13 windows crashes: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=CalculateUTF8Size%3A%3Awrite&date=03%2F23%2F2011%2016%3A12%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=CalculateUTF8Size%3A%3Awrite%28unsigned%20short%20const%2A%2C%20unsigned%20int%29

associated socorro signature gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry*)
116 windows crashes https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29&date=03%2F23%2F2011%2016%3A18%3A04&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x4

Thread 0 (crashed)
 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int) [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x114f8da5 esp = 0x0012ceac ebp = 0x0012cebc ebx = 0x00000001 esi = 0x0107ff78 edi = 0x00000000 eax = 0x00000004 ecx = 0x030268f0 edx = 0x00000004 efl = 0x00010283
    Found by: given as instruction pointer in context
 1 xul.dll!nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size &,unsigned short const *,unsigned int) [nsCharTraits.h : 812 + 0xf]
    eip = 0x114f8d63 esp = 0x0012cec4 ebp = 0x0012cecc
    Found by: call frame info
 2 xul.dll!copy_string<nsReadingIterator<unsigned short>,CalculateUTF8Size>(nsReadingIterator<unsigned short> const &,nsReadingIterator<unsigned short> const &,CalculateUTF8Size &) [nsAlgorithm.h : 93 + 0x26]
    eip = 0x114f82da esp = 0x0012ced4 ebp = 0x0012cee0
    Found by: call frame info
 3 xul.dll!AppendUTF16toUTF8(nsAString_internal const &,nsACString_internal &) [nsReadableUtils.cpp : 200 + 0x22]
    eip = 0x114f6b21 esp = 0x0012cee8 ebp = 0x0012cf20
    Found by: call frame info
 4 xul.dll!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8(nsAString_internal const &) [nsString.h : 161 + 0xc]
    eip = 0x100569dc esp = 0x0012cf28 ebp = 0x0012cf34
    Found by: call frame info
 5 xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 477 + 0x13]
    eip = 0x10587cff esp = 0x0012cf3c ebp = 0x0012d5bc
    Found by: call frame info
Summary: Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] with downloaded font → Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font
We really need to capture testcases for this one. Is this a bunch of different crashes at the same site, or are we so screwed up we can crash in such different places. Is it UTF8 conversion or Fonts that are the problem?
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
John, Jonathan - ideas?
John, can you please have a look here before we lose the testcase etc?
Assignee: nobody → jdaggett
John, we need some traction on this security bug. If you're not the right owner, please make that clear...
Is this still an issue on trunk? I don't see how we could hit a crash like this now that bug 623711 has landed. (Bug 650639 could be a more recent but somewhat similar scenario, but I believe that is now fixed as well.)
comment 5 showed a crash after bug 623711 check-ins to mc.
My guess is that this is bug 650639 but I'll see if I can reproduce this with builds prior to that fix to try and confirm this.
Looks like this was fixed by the checkin for bug 650639, which landed on 4/27 at 22:14 PDT. Running on Windows 7 with the 64-bit binary with the startup page set to www.arlovance.com. Page uses typekit, and includes some custom swizzling behavior for FF to hide font loads for 3 seconds (not necessary in FF4 and above).

Crashes: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110427 Firefox/6.0a1
Doesn't crash: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110428 Firefox/6.0a1
If I'm understanding correctly, this is a crash signature that you could have gotten from bug 650639 in debug builds because of the userfont logging code that tries to access the font family name; in builds without logging, you'd see the ReplaceFontEntry crash signature instead.
(In reply to comment #11)
> If I'm understanding correctly, this is a crash signature that you could have
> gotten from bug 650639 in debug builds because of the userfont logging code
> that tries to access the font family name; in builds without logging, you'd see
> the ReplaceFontEntry crash signature instead.

That makes sense. I verified that the changeset for bug 650639 is the precise point at which the fix landed. Using tinderbox builds from:

ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-win32/

The submit time on the checkin is 1303967711. Comparing with the build just before it, 1303949796, the crash occurs with the build before the checkin but not after. Mark as a duplicate?

Sounds like we need to land the fixes for bug 650639 (and 623711) on 4.x/Aurora ASAP.
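The lifetime bug that comments 11 and 12 describe (the load-complete path replaces the proxy font entry in its family, which drops the only reference to it, and then the logging code reads the family name back through that proxy) can be shown in a small model. The block below is an added illustration for this page and is not Gecko code; FontEntry, MixedFontFamily, OnLoadCompleteBuggy, OnLoadCompleteFixed and the "Example Sans" family are hypothetical stand-ins. It contrasts the pre-fix ordering with the rule the patch on this bug states (don't use the proxy font entry after it has been replaced). The buggy path deliberately does not perform the freed read; a weak_ptr stands in for the dangling raw pointer so the example can observe that the object is already gone at the point where the real code dereferenced it.

```cpp
// Added model, not Gecko code. All names are hypothetical stand-ins for
// gfxProxyFontEntry / gfxMixedFontFamily / gfxUserFontSet::OnLoadComplete.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct MixedFontFamily;

// A font entry; a proxy is the placeholder that sits in the family until
// the @font-face download completes.
struct FontEntry : std::enable_shared_from_this<FontEntry> {
    MixedFontFamily* family;  // back-pointer, non-owning (as in Gecko)
    bool isProxy;
    FontEntry(MixedFontFamily* f, bool proxy) : family(f), isProxy(proxy) {}
    const std::string& FamilyName() const;
};

// The family owns its entries (shared_ptr here, nsRefPtr in Gecko) and holds
// the only strong reference to a proxy.
struct MixedFontFamily {
    std::string name;
    std::vector<std::shared_ptr<FontEntry>> entries;
    explicit MixedFontFamily(std::string n) : name(std::move(n)) {}

    // Shape of ReplaceFontEntry: the loaded entry takes the proxy's slot,
    // which drops the last strong reference and destroys the proxy.
    void ReplaceFontEntry(const FontEntry* proxy, std::shared_ptr<FontEntry> loaded) {
        for (auto& slot : entries) {
            if (slot.get() == proxy) {
                slot = std::move(loaded);
                return;
            }
        }
    }
};

inline const std::string& FontEntry::FamilyName() const { return family->name; }

struct LoadResult {
    bool proxyAliveAtLog = false;  // did the proxy still exist when the log ran?
    std::string loggedFamily;      // what the log line had available to print
};

// Pre-fix ordering, modelled: replace first, then log through aProxy.
// After ReplaceFontEntry, aProxy dangles; 0xdddddddd in comment 0's crash
// address and ecx is the MSVC debug-CRT fill pattern for freed heap.
LoadResult OnLoadCompleteBuggy(FontEntry* aProxy, std::shared_ptr<FontEntry> loaded) {
    std::weak_ptr<FontEntry> watch = aProxy->shared_from_this();
    aProxy->family->ReplaceFontEntry(aProxy, std::move(loaded));
    LoadResult r;
    r.proxyAliveAtLog = !watch.expired();
    if (auto still = watch.lock()) {
        r.loggedFamily = still->FamilyName();  // the use-after-free read; never reached
    }
    return r;
}

// Fixed ordering: copy what the log needs while the proxy is alive, replace,
// then log from the copy and never touch aProxy again.
LoadResult OnLoadCompleteFixed(FontEntry* aProxy, std::shared_ptr<FontEntry> loaded) {
    std::string familyName = aProxy->FamilyName();  // a copy, not a reference
    MixedFontFamily* family = aProxy->family;
    std::weak_ptr<FontEntry> watch = aProxy->shared_from_this();
    family->ReplaceFontEntry(aProxy, std::move(loaded));
    LoadResult r;
    r.proxyAliveAtLog = !watch.expired();  // still false: the proxy is gone...
    r.loggedFamily = familyName;           // ...but nothing reads through it
    return r;
}

// Constructed scenario: one family, one proxy awaiting download, one loaded entry.
struct Scenario {
    std::shared_ptr<MixedFontFamily> family;
    FontEntry* proxy;                  // raw, as the load callback receives it
    std::shared_ptr<FontEntry> loaded;
};

Scenario MakeScenario() {
    Scenario s;
    s.family = std::make_shared<MixedFontFamily>("Example Sans");  // hypothetical name
    auto proxy = std::make_shared<FontEntry>(s.family.get(), true);
    s.family->entries.push_back(proxy);  // family keeps the only strong reference
    s.proxy = proxy.get();
    s.loaded = std::make_shared<FontEntry>(s.family.get(), false);
    return s;
}

bool BuggyPathProxyAliveAtLog() {
    Scenario s = MakeScenario();
    return OnLoadCompleteBuggy(s.proxy, s.loaded).proxyAliveAtLog;
}

std::string FixedPathLoggedFamily() {
    Scenario s = MakeScenario();
    return OnLoadCompleteFixed(s.proxy, s.loaded).loggedFamily;
}

bool FixedPathInstalledLoadedEntry() {
    Scenario s = MakeScenario();
    OnLoadCompleteFixed(s.proxy, s.loaded);
    return s.family->entries.size() == 1 && s.family->entries[0] == s.loaded
        && !s.family->entries[0]->isProxy;
}

int main() {
    std::printf("buggy: proxy alive at log point = %d\n", BuggyPathProxyAliveAtLog());
    std::printf("fixed: logged family = %s\n", FixedPathLoggedFamily().c_str());
    std::printf("fixed: loaded entry installed = %d\n", FixedPathInstalledLoadedEntry());
    return 0;
}
```

The point the model makes is the one comment 20 turns into a branch decision: the dangerous read lives in a logging statement, so whether it is reachable depends on whether PR_LOG is compiled in for the module, not on whether the build is a debug build.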
Marking this depend on bug 650639 since that's where the fix is, but keeping this bug open for its testcase so it gets verified as a security bug when fixed.
blocking2.0: --- → -
status2.0: --- → wanted
Depends on: 650639
Whiteboard: [sg:critical?] → [sg:critical?] fixed by (dupe) of 650639
Did the patch in bug 650639 take care of this? Btw it's possible that bug 655138 is related.
update crash bugs to critical per guidelines.
Severity: major → critical
automation found another crash

nsCharSinkTraits<CalculateUTF8Size>::write
copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size>
ToNewUTF8String
nsGlobalWindow::Dump
nsIDOMJSWindow_Dump

at http://www.anthopoulosphotos.gr/ORK/AEI/2011_04_11_1400/index.html on Mac (locally I hit an OOM though). Original url doesn't reproduce for me but it never did locally. Perhaps the font related issue is fixed and these others are unrelated.
This patch is *just* the snippet from bug 650639 that is relevant for mozilla-beta. (It was suggested that we need bug 650639 on mozilla-beta because it fixed a crash issue. However, most of that patch is not actually applicable because bug 633299 landed after the m-c -> aurora merge on 4/11.)
Assignee: jdaggett → jfkthame
Attachment #533553 - Flags: review?(jdaggett)
Attachment #533553 - Flags: approval-mozilla-beta?
Attachment #533553 - Flags: review?(jdaggett) → review+
Attachment #533553 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 533553 [details] [diff] [review]
patch, don't use proxy font entry after it has been replaced

Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #533553 - Flags: approval-mozilla-aurora+
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Is PR_LOGging enabled in non-debug builds in this module? This patch looks like it applies to the 1.9.2 branch and we don't want to 0-day ourselves by fixing it only in Fx5 if there's a security bug here on branches too.
blocking1.9.2: --- → ?
status1.9.2: --- → ?
It looks like unless you configure with --disable-logging, the MOZ_LOGGING symbol will be defined, and this will enable PR_LOGging here. And trying it with a copy of Fx3.6.17 here confirms that logging in the userfonts module is enabled. So yes, we probably want to take this on 1.9.2 as well. In any case, I don't see any risk in the patch; it's a clear and simple fix.
Attached patch patch for 1.9.2 branch (deleted) — Splinter Review
This is the equivalent patch for the 1.9.2 branch.
Attachment #538277 - Flags: approval1.9.2.18?
Comment on attachment 538277 [details] [diff] [review]
patch for 1.9.2 branch

Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #538277 - Flags: approval1.9.2.18? → approval1.9.2.18+
Crash Signature: [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]
blocking1.9.2: ? → .18+
Crash Signature: [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)] → [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]
I can't reproduce any crash on http://www.arlovance.com/sketches with 1.9.2.17 on XP. It makes it difficult to verify the fix in 1.9.2.18. :-)
Whiteboard: [sg:critical?] fixed by (dupe) of 650639 → [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192]
Group: core-security
Target Milestone: --- → mozilla6