Open Bug 1240158 Opened 8 years ago Updated 2 years ago

Cairo crash in _cairo_scaled_glyph_set_metrics() when visiting certain O'Reilly blog article

Categories

(Core :: Graphics: Text, defect, P3)

43 Branch
defect

Tracking

()

Tracking Status
firefox43 --- affected
firefox44 --- ?
firefox45 --- affected
firefox46 --- ?

People

(Reporter: andre.jaenisch, Unassigned)

Details

(Keywords: crash, Whiteboard: [gfx-noted])

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

Open https://www.oreilly.com/ideas/5-ways-web-apps-and-sites-are-the-same-and-different in Firefox 43 on Sabayon Linux.

I tried opening the same page both in private mode and without enabled add-ons (aka safe mode). Same result.

$ uname -a
Linux sabayonx86-64 4.3.0-sabayon #1 SMP Wed Dec 16 22:02:39 UTC 2015 x86_64 Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz GenuineIntel GNU/Linux


Actual results:

The browser just closes and in a console I can see a line stating "Segmentation Fault". Nothing else.

Every.Single.Time.


Expected results:

I want to be able to read that article
Oh, and in ~/.mozilla/firefox/Crash Reports/ there is no new file, so I cannot even upload that one :-(

I hate C/C++ especially because of SegFaults :-/
Attached file firefox-strace.log
Bummer.

Sabayon is based on Gentoo, but with binaries. Hence no emerging for me. That means, no debugging symbols in the binary :-/

Attached is a strace.
Attached file firefox-gdb.log
Bummer.

Sabayon is based on Gentoo, but with binaries. Hence no emerging for me. That means, no debugging symbols in the binary :-/

Attached is a gdb dump.
Keywords: crash
Andre, can you try downloading and testing an official Mozilla build? It might have more useful debug information than your distro's Firefox build.

This crash looks like it's in freetype, though I don't know why the stack trace would include vpx_get_mb_ss_mmx(), a libvpx (VP8/VP9) video function.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6e60f2d in ?? () from /lib64/libc.so.6

(gdb) bt
#0  0x00007ffff6e60f2d in ?? () from /lib64/libc.so.6
#1  0x00007ffff0064e83 in ?? () from /usr/lib64/libfreetype.so.6
#2  0x00007ffff006524c in ?? () from /usr/lib64/libfreetype.so.6
#3  0x00007ffff00b189f in ?? () from /usr/lib64/libfreetype.so.6
#4  0x00007ffff00afe12 in ?? () from /usr/lib64/libfreetype.so.6
#5  0x00007ffff00b27ba in ?? () from /usr/lib64/libfreetype.so.6
#6  0x00007ffff006dd95 in FT_Load_Glyph () from /usr/lib64/libfreetype.so.6
#7  0x00007ffff3a9dbd0 in vpx_get_mb_ss_mmx () from /usr/lib64/firefox/libxul.so
#8  0x00007ffff3ad7efd in vpx_get_mb_ss_mmx () from /usr/lib64/firefox/libxul.so
#9  0x00007ffff3ad8508 in vpx_get_mb_ss_mmx () from /usr/lib64/firefox/libxul.so
#10 0x00007ffff2845d30 in ?? () from /usr/lib64/firefox/libxul.so
#11 0x00007ffff284622f in ?? () from /usr/lib64/firefox/libxul.so
#12 0x00007ffff284650e in ?? () from /usr/lib64/firefox/libxul.so
#13 0x00007ffff2845f6c in ?? () from /usr/lib64/firefox/libxul.so
Product: Firefox → Core
Flags: needinfo?(andre.jaenisch)
Produced with Firefox 45.0a1 (Developer Edition) on 16th Jan 2016: https://crash-stats.mozilla.com/report/index/bb24dc80-33c3-4ca9-bcdb-cb92f2160116

On Chromium the tab crashes, too.

Interestingly I could read it with Firefox executed with root privileges o_O
Flags: needinfo?(andre.jaenisch)
My graphics card:

$ sudo lspci -nnk | grep -i VGA -A2
00:02.0 VGA compatible controller [0300]: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0126] (rev 09)
	Subsystem: Lenovo 2nd Generation Core Processor Family Integrated Graphics Controller [17aa:21cf]
	Kernel driver in use: i915

driver name and version:
$ glxinfo | grep 'OpenGL version string'
OpenGL version string: 3.0 Mesa 11.1.0
Um, 45.0a2. My bad.
Attached file firefox-dev-strace.log
Stracelog with Firefox Developer Edition v45.0a2.
Thanks, Andre. The crash report is very helpful! Its stack trace is much clearer than the one from the Sabayon build.

This is a null pointer crash deep inside libfreetype.so, called from our Cairo code.
Status: UNCONFIRMED → NEW
Component: Untriaged → Graphics: Text
Ever confirmed: true
Summary: Segfault when visiting certain O'Reilly blog article → Cairo crash in _cairo_scaled_glyph_set_metrics() when visiting certain O'Reilly blog article
Severity: normal → S3