Crash @ xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0x00000592

RESOLVED FIXED

Status

()

defect
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: cbook, Assigned: jfkthame)

Tracking

(Blocks 1 bug, {crash})

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, )

Attachments

(7 attachments)

Found via Bughunter and reproduced on Win7 Trunk Debug Build

Steps to reproduce:
-> Load http://www.msn.com/en-us/money/stockdetails/fi-126.1.ARCP.NAS
--> Firefox Debug exists with a crash

001ed5b8 58a2ee77 001ed644 3f800000 41c00000 xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0x592
001ed5d8 5857f122 001ed644 00000000 3ff00000 xul!mozilla::dom::CanvasRenderingContext2D::FillText+0x2d
001ed6e4 58a1b0b3 081f9250 001ed710 0bd29000 xul!mozilla::dom::CanvasRenderingContext2DBinding::fillText+0x248
001ed734 59dd5f09 081f9250 00000003 001ed714 xul!mozilla::dom::GenericBindingMethod+0x115
001ed75c 59ded843 0820f400 58a1af9e 001ed9bc xul!js::CallJSNative+0x89
001ed9b0 59de926e 081f9250 00000000 041df498 xul!js::Invoke+0x203
001eddf4 59df1bcd 081f9250 001ede3c 081f9250 xul!Interpret+0x3b8e
001ede20 59ded8f9 001ede18 001ede3c 081f9250 xul!js::RunScript+0x19d
001ee070 59b63d67 081f9250 081f9200 001ee32c xul!js::Invoke+0x2b9
001ee378 59dd5f09 081f9250 00000002 001ee688 xul!js_fun_apply+0x3d7
001ee3a0 59ded843 0820f400 59b63990 001ee600 xul!js::CallJSNative+0x89
001ee5f4 59ded598 081f9250 0541b100 001ee698 xul!js::Invoke+0x203
001ee6e4 59f2f1d5 081f9250 001ee73c 001ee768 xul!js::Invoke+0x288
001ee7a8 1df76f82 081f9250 001ee84c 08f939c0 xul!js::jit::DoCallFallback+0x445
WARNING: Frame IP not in any known module. Following frames may be wrong.
001ee848 579d4d58 00000001 00000001 001ee950 0x1df76f82
001ee878 1df70a19 00000143 02f29668 00000000 xul!NS_LogAddRef+0xa
001ee8a8 59f347d5 173c1f00 00000001 001eede0 0x1df70a19
001ee9d4 59f34cf4 081f9250 001ee9f0 001eeb10 xul!EnterBaseline+0x1e5
001eeac8 59df1b61 081f9250 001eeb10 081f9250 xul!js::jit::EnterBaselineMethod+0xe4
001eeaf4 59ded8f9 001eeaec 001eeb10 081f9250 xul!js::RunScript+0x131
001eed44 59ded598 081f9250 001eee00 001eede8 xul!js::Invoke+0x2b9
001eee34 59af8811 081f9250 001eefac 001eee9c xul!js::Invoke+0x288
001eee6c 586855cc 0820f400 001eefac 001eee9c xul!JS::Call+0xa1
001eef7c 58347b2e 081f9250 001eefac 0bd23d1c xul!mozilla::dom::Function::Call+0x1a1
001ef0a4 583660b2 001ef18c 0bd23d1c 001ef144 xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0xfe
001ef1fc 58365e2e 0d9f8ac0 08fb3d90 001ef2dc xul!nsGlobalWindow::RunTimeoutHandler+0x16c
001ef280 5836c656 0d9f8ac0 5836c62a 001ef350 xul!nsGlobalWindow::RunTimeout+0x29a
001ef290 57a12b2b 0bd0bd00 0d9f8ac0 0571f760 xul!nsGlobalWindow::TimerCallback+0x2c
001ef350 57a17720 001ef47b 00807400 001ef47b xul!nsTimerImpl::Fire+0x27d
001ef380 57a157ac 0571f760 00810b38 00810b20 xul!nsTimerEvent::Run+0x7f
001ef45c 57a3d3e1 0571f760 00000000 001ef47b xul!nsThread::ProcessNextEvent+0x3a0
001ef470 57c8a93b 01807430 00000000 008610e0 xul!NS_ProcessNextEvent+0x46
001ef4a0 57c5c53b 008610e0 008610e0 5a715608 xul!mozilla::ipc::MessagePump::Run+0xc0
001ef4c0 57c5c4f3 2e782a5f 041d2e00 008610e0 xul!MessageLoop::RunInternal+0x42
001ef4f4 57c5c270 00807430 00000001 57c4d800 xul!MessageLoop::RunHandler+0x50
001ef514 58f2cc40 04337e00 00000000 001ef534 xul!MessageLoop::Run+0x19
001ef524 58f62ec5 041d2e00 04337e00 001ef548 xul!nsBaseAppShell::Run+0x47
001ef534 595904c9 041d2e00 001ef650 001ef745 xul!nsAppShell::Run+0x16
001ef548 595d4f73 04337e00 73521719 001ef650 xul!nsAppStartup::Run+0x4b
001ef61c 595d3735 00000001 001ef77c 00000000 xul!XREMain::XRE_mainRun+0xaa2
001ef638 595d5c8f 00000001 003955c0 001ef77c xul!XREMain::XRE_main+0x167
001ef74c 00ae203f 00000001 003955c0 001ef77c xul!XRE_main+0x34
001ef8ec 00ae1a04 00000001 003955c0 00842100 firefox!do_main+0x352
001ef97c 00ae2395 00000001 003955c0 00000000 firefox!NS_internal_main+0x143
001ef9b0 00ae4480 00000001 00000190 00395818 firefox!wmain+0x11d
001ef9f8 7557ed6c 7ffd4000 001efa44 7710377b firefox!__tmainCRTStartup+0xf2
001efa04 7710377b 7ffd4000 769f32e4 00000000 kernel32!BaseThreadInitThunk+0xe
001efa44 7710374e 00ae4543 7ffd4000 00000000 ntdll!__RtlUserThreadStart+0x70
001efa5c 00000000 00ae4543 7ffd4000 00000000 ntdll!_RtlUserThreadStart+0x1b
Can you get line numbers for the crash?
Oops, I'm pretty sure this is a regression from bug 1090168. Fix coming shortly...
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
:Tomcat, I'm pretty sure the patch above will fix this, but if you have reliable STR for the crash and can test a patched build to confirm this, it'd be great - thanks.
Flags: needinfo?(cbook)
Ah, never mind -- I was able to reproduce and confirm the fix locally on OS X, too.
Flags: needinfo?(cbook)
(In reply to Fanolian from comment #7)
> Are these crash reports related to this bug?
> https://crash-stats.mozilla.com/report/index/bp-3b041f87-64f9-4ba4-a4c6-
> aedf12141114
> https://crash-stats.mozilla.com/report/index/bp-9c1220d8-bb57-424b-8e2e-
> 0cbb72141114
> https://crash-stats.mozilla.com/report/index/bp-4bd60cbd-7416-41ac-8d5d-
> 289552141114
> 
> I encountered a similar situation a month ago with bug 1079746.

Yes, those crashes are the same thing.

BTW, if you have a simple testcase (rather than a complex website) that reliably produces this crash, it would be helpful to have one that we could include as a crashtest, to protect against regressing this similarly sometime in the future.
Crash Signature: [@ mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsAString_internal const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, float*) ]
I crashed on google docs, on the dine-about signup page for Portland.
Just crashed on a Google Spreadsheet as well (with e10s enabled).
Firefox nightly is keep crashing particularly on this google docs 

https://docs.google.com/spreadsheets/d/1scvHkFWPKwKitwPPKsUV8_l7KCPBRwBzTUANLIHPOLE/edit#gid=0

feel free to request access and i will provide it!

Application Basics
------------------

Name: Firefox
Version: 36.0a1
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Multiprocess Windows: 0/1

Crash Reports for the Last 3 Days
---------------------------------

Report ID: bp-dcce9f85-b49e-44fa-9ff3-9636b2141115
Submitted: 5 minutes ago

Report ID: bp-1ad05768-ab44-4b88-a9df-f041a2141115
Submitted: 6 minutes ago

Report ID: bp-f203b7d1-0a8e-492b-91c0-2cdd32141114
Submitted: 1 day ago

Report ID: bp-c72009f7-e26d-4601-8c94-ed5832141114
Submitted: 1 day ago

All Crash Reports (including 4 pending crashes in the given time range)

Extensions
----------

Name: ADB Helper
Version: 0.7.1
Enabled: true
ID: adbhelper@mozilla.org

Name: Adblock Plus
Version: 2.6.6
Enabled: true
ID: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

Name: ChatZilla
Version: 0.9.91
Enabled: true
ID: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

Graphics
--------

Device ID: 0x 126
GPU Accelerated Windows: 1/1 OpenGL (OMTC)
Vendor ID: 0x8086
WebGL Renderer: ATI Technologies Inc. -- AMD Radeon HD 6770M OpenGL Engine
windowLayerManagerRemote: true
AzureCanvasBackend: quartz
AzureContentBackend: quartz
AzureFallbackCanvasBackend: none
AzureSkiaAccelerated: 0

Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size_cached_value: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.cache.frecency_experiment: 4
browser.places.smartBookmarksVersion: 7
browser.sessionstore.restore_on_demand: false
browser.sessionstore.upgradeBackup.latestBuildID: 20141115030205
browser.startup.homepage: http://google.co.in/
browser.startup.homepage_override.buildID: 20141115030205
browser.startup.homepage_override.mstone: 36.0a1
browser.tabs.remote.autostart.1: false
browser.urlbar.trimURLs: false
dom.mozApps.used: true
dom.w3c_touch_events.expose: false
extensions.lastAppVersion: 36.0a1
font.internaluseonly.changed: true
font.language.group: x-western
font.name.serif.x-western: Siyam Rupali
keyword.URL: http://search.yahoo.com/search?fr=spigot-adr-ffmac&ei=utf-8&ilc=12&type=997063&p=
media.gmp-gmpopenh264.lastUpdate: 1412184977
media.gmp-gmpopenh264.path: /Users/mozilla/Library/Application Support/Firefox/Profiles/rug860q3.default/gmp-gmpopenh264
media.gmp-gmpopenh264.version: 1.1
media.gmp-manager.lastCheck: 1416062381
network.cookie.prefsMigrated: true
places.database.lastMaintenance: 1415988990
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
print.print_bgcolor: false
print.print_bgimages: false
print.print_colorspace:
print.print_command:
print.print_downloadfonts: false
print.print_duplex: 0
print.print_evenpages: true
print.print_in_color: true
print.print_margin_bottom: 0.5
print.print_margin_left: 0.5
print.print_margin_right: 0.5
print.print_margin_top: 0.5
print.print_oddpages: true
print.print_orientation: 0
print.print_page_delay: 50
print.print_paper_data: 0
print.print_paper_height: 11.00
print.print_paper_name:
print.print_paper_size_type: 1
print.print_paper_size_unit: 0
print.print_paper_width: 8.50
print.print_plex_name:
print.print_resolution: 0
print.print_resolution_name:
print.print_reversed: false
print.print_scaling: 1.00
print.print_shrink_to_fit: true
print.print_to_file: false
print.print_unwriteable_margin_bottom: 57
print.print_unwriteable_margin_left: 25
print.print_unwriteable_margin_right: 25
print.print_unwriteable_margin_top: 25
privacy.cpd.formdata: false
privacy.cpd.offlineApps: true
privacy.cpd.siteSettings: true
privacy.sanitize.migrateFx3Prefs: true
privacy.sanitize.timeSpan: 0
security.ssl.errorReporting.automatic: true
security.warn_viewing_mixed: false
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1415019013

Important Locked Preferences
----------------------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.10.7
Version in use: 4.10.7

NSS
Expected minimum version: 3.18 Basic ECC Beta
Version in use: 3.18 Basic ECC Beta

NSSSMIME
Expected minimum version: 3.18 Basic ECC Beta
Version in use: 3.18 Basic ECC Beta

NSSSSL
Expected minimum version: 3.18 Basic ECC Beta
Version in use: 3.18 Basic ECC Beta

NSSUTIL
Expected minimum version: 3.18 Beta
Version in use: 3.18 Beta

Experimental Features
---------------------

Name: Invisible test of the experiment branching system.
ID: experiment-branch-test-nightly@experiments.mozilla.org
Description: An experiment using branches just to test whether branches get saved correctly.
Active: false
End Date: 1409678461376
Homepage:
Still keeps crashing with Nightly 2014-11-15; Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:36.0) Gecko/20100101 Firefox/36.0; clean profile, no extensions.

World readable Google Spreadsheet which causes the crash:

https://docs.google.com/spreadsheets/d/146pYXq62mFvmF2c09SaD6F6Z6rlXOPFsDfcy6cNik2o/edit#gid=1919920973
No need to keep adding reports here; the issue is understood and there's already a patch awaiting review.

If you want to test a patched build to confirm that it fixes the issue, you can get one from http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jkew@mozilla.com-3c8dc27b2823/.

What would still be helpful here, if anyone has one, is a *simple* testcase -- not a pointer to a Google spreadsheet or suchlike complex site, but a standalone page (probably involving a webfont, I suspect) that reliably reproduces the crash.
I can reproduce the crash with a saved version of the msn page. I'll start reducing it now.
(In reply to Bob Clary [:bc:] from comment #14)
> I can reproduce the crash with a saved version of the msn page. I'll start
> reducing it now.

Thanks, that's great. Ideally, I'd like to end up with something we can land as a crashtest, given that clearly none of our existing unit tests run into this issue.
This is making Nightly unusable for me and others. How about backing out bug 1090168?
Flags: needinfo?(jfkthame)
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #16)
> This is making Nightly unusable for me and others. How about backing out bug
> 1090168?

Sure, if it's that much of a pain then go ahead.
Flags: needinfo?(jfkthame)
I pushed a backout to m-c that should fix this:
https://hg.mozilla.org/mozilla-central/rev/a52bf59965a0
Attachment #8523004 - Flags: review?(jdaggett) → review+
Fixed by backing out bug 1090168.

(FTR, I have now re-landed bug 1090168 on inbound -- i.e. backed out the backout -- with the crash-fix here folded in; see bug 1090168 comment 18.)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Posted file testcase.html
not quite signature.
bp-f7152bfa-ede0-4dfe-a999-a67f02141118
[@ gfxShapedText::IsVertical() ]
Thanks for the testcase, Bob! Looking at what that script does, I was able to further reduce it, as attached; this should still reproduce the crash with an affected build.
Duplicate of this bug: 1099856
Comment on attachment 8524812 [details] [diff] [review]
Add the minimized testcase as a crashtest.

r=dbaron.

Did you test that it crashes in the test harness without the patch?  Probably worth doing.
Attachment #8524812 - Flags: review?(dbaron) → review+
(In reply to David Baron [:dbaron] (UTC-8) (needinfo? for questions) from comment #25)
> Did you test that it crashes in the test harness without the patch? 

Yes, it crashes consistently (after an assertion, in debug builds) when running ./mach crashtest.

https://hg.mozilla.org/integration/mozilla-inbound/rev/48966e85eec4
You need to log in before you can comment on or make changes to this bug.