Closed Bug 1109201 Opened 10 years ago Closed 10 years ago

crash in gfxFontGroup::FamilyFace::SetFont(gfxFont*)

Categories

(Core :: Graphics: Text, defect, P1)

Product:
Core
Component:
Graphics: Text
Version:
35 Branch
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox34 --- unaffected
firefox35 + verified
firefox36 + verified
firefox37 --- verified

People

(Reporter: tracy, Assigned: jtd)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

patch, null-check the font before calling SetFont
892 bytes, patch
roc
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
[Tracking Requested - why for this release]:

This startup crash has exploded to #2 in volume on 35.0b1.  At this time, it appears to only affect Fx35.  

There were some scattered reports in the Aurora time frame. But as you can see, it has risen sharply in volume on beta1
2014110804 	4 
2014111300 	1 	
2014111900 	1 
2014112500 	1 
2014112800 	63 
2014120116 	2629

This bug was filed from the Socorro interface and is 
report bp-eb0b3277-c492-48d7-b78a-4904d2141203.
=============================================================

Frame 	Module 	Signature 	Source
0 	xul.dll 	gfxFontGroup::FamilyFace::SetFont(gfxFont*) 	gfx/thebes/gfxTextRun.h
1 	xul.dll 	gfxFontGroup::GetFontAt(int) 	gfx/thebes/gfxTextRun.cpp
2 	xul.dll 	gfxFontGroup::GetFirstValidFont() 	gfx/thebes/gfxTextRun.cpp
3 	xul.dll 	gfxFontGroup::InitScriptRun<unsigned char>(gfxContext*, gfxTextRun*, unsigned char const*, unsigned int, unsigned int, int) 	gfx/thebes/gfxTextRun.cpp
4 	xul.dll 	gfxFontGroup::InitTextRun<unsigned char>(gfxContext*, gfxTextRun*, unsigned char const*, unsigned int) 	gfx/thebes/gfxTextRun.cpp
5 	xul.dll 	gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) 	gfx/thebes/gfxTextRun.cpp
6 	xul.dll 	MakeTextRun<unsigned char>(unsigned char const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) 	layout/generic/nsTextFrame.cpp
7 	xul.dll 	BuildTextRunsScanner::BuildTextRunForFrames(void*) 	layout/generic/nsTextFrame.cpp
8 	xul.dll 	BuildTextRunsScanner::FlushFrames(bool, bool) 	layout/generic/nsTextFrame.cpp
9 	xul.dll 	BuildTextRuns 	layout/generic/nsTextFrame.cpp
Milan - can you help us get some eyes on this?
Flags: needinfo?(milan)
Jonathan, something you can help with?
Flags: needinfo?(milan) → needinfo?(jfkthame)
jdaggett has been working on this code more recently than me, I believe; I think we should ask him to take a look first.
Flags: needinfo?(jfkthame) → needinfo?(jdaggett)
Assignee: nobody → jdaggett
Flags: needinfo?(jdaggett)
This is a startup crash and it's been almost a week, meaning that it probably stranded a lot of beta users with non-working Firefox already. We are losing those people from our testing community!

What's the status here, jdaggett?
Flags: needinfo?(jdaggett)
FWIW, my SO's Firefox has this on about:crashes

bp-4823bb7d-24f1-4ed8-b90d-abdfe2141215	15/12/2014	12:42 p.m.

Report ID 	Date Submitted
Let me know if there's anything worth collecting from an affected system.
Flags: needinfo?(twalker)
We really need a testcase for this. If the crash is occurring close to startup then it must be caused by trying to create a gfxFont for a system font. But to hit this path the font must somehow be invalid, which is sort of puzzling.
Flags: needinfo?(jdaggett)
Keywords: testcase-wanted
Add a simple null-check, which will cause this font to be simply marked as invalid and skipped.
Attachment #8540507 - Flags: review?(roc)
Priority: -- → P1
FWIW 35 crashed like this when loading http://live.nicovideo.jp/watch/lv203465449

Report ID 	Date Submitted
bp-18c157a4-5689-4945-9786-92ac62141223	23/12/2014	01:54 a.m.
Pushed to inbound
https://hg.mozilla.org/integration/mozilla-inbound/rev/073b4ec79de9

Please leave this bug open as I'm not sure yet whether this will fix the problem or not.
(In reply to alex_mayorga from comment #8)
> FWIW 35 crashed like this when loading
> http://live.nicovideo.jp/watch/lv203465449

Alex, can you always reproduce this on your machine? If so, could you try with the tryserver build to see if the crash does not occur?
Flags: needinfo?(alex_mayorga)
(In reply to John Daggett (:jtd) from comment #6)
> We really need a testcase for this. If the crash is occurring close to
> startup then it must be caused by trying to create a gfxFont for a system
> font. But to hit this path the font must somehow be invalid, which is sort
> of puzzling.

I remember from the past that we every now and then had issues with some people having corrupted or damaged fonts installed in the system. It's wise to harden us against that when possible.
How can one tell if they have damaged/corrupted fonts?
Flags: needinfo?(twalker)
https://hg.mozilla.org/mozilla-central/rev/073b4ec79de9
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
User reports reproducible testcase:

https://crash-stats.mozilla.com/report/index/42b309d6-caa6-4259-9d72-80d972141223

Reproducable crash (even with clean profile): Firefox ver >= 35
0. Windows Vista 64bit SP2
1. Download and install Google Noto Fonts named "Noto Sans CJK JP Regular". The file name is "NotoSansCJKjp-Regular.otf"(MD5: 96E4076155CD5D760B012360A850BFC0) from (URL removed) .
2. Open "(URL removed)
3. Select "Contents" tab.
4. Select "Default font" as "Noto Sans CJK JP" and apply it.
5. Crash...
6. You cannot start Firefox except for Firefox Safe Mode...
STR in Bug 1097626
Crash on Aurora36.0a2, Firefox35.0b6.
status-firefox36: unaffectedaffected
tracking-firefox36: --- → ?
Please uplift this to Aurora36.0a2, Firefox35beta, ASAP.
Comment on attachment 8540507 [details] [diff] [review]
patch, null-check the font before calling SetFont

Approval Request Comment
[Feature/regressing bug #]: Crash caused by changes made in bug 998869.
[User impact if declined]: in situations where something is wrong with a font, a crash may occur. This occurs at startup so it has the potential to prevent users from using Firefox.
[Describe test coverage new/current, TBPL]: don't have a reproducible testcase yet.
[Risks and why]: the fix is a simple null-check so very minor risk.
[String/UUID change made/needed]: none
Attachment #8540507 - Flags: approval-mozilla-beta?
Attachment #8540507 - Flags: approval-mozilla-aurora?
Attachment #8540507 - Flags: approval-mozilla-beta?
Attachment #8540507 - Flags: approval-mozilla-beta+
Attachment #8540507 - Flags: approval-mozilla-aurora?
Attachment #8540507 - Flags: approval-mozilla-aurora+
Crash Signature: [@ gfxFontGroup::FamilyFace::SetFont(gfxFont*)] → [@ gfxFontGroup::FamilyFace::SetFont(gfxFont*)] [@ gfxFont::AddRef()]
No crashes in beta/aurora channel builds after patch landed on aurora/beta trees.
Socorro shows no crashes (with either of the two signatures) with Firefox 35 Beta 8 or older, Firefox 36 Aurora (builds after December 28), or Firefox 37 Nightly (Builds after December 24).

Reproduced the crash in an older Firefox 35 Beta with steps from bug 1097626. Could not reproduce the crash with the same steps for Firefox 35 RC build2, latest Firefox 36 Aurora, or latest Firefox 37 Nightly.
Status: RESOLVED → VERIFIED
status-firefox35: fixedverified
status-firefox36: fixedverified
status-firefox37: fixedverified
Flags: needinfo?(alex_mayorga)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: