crash in libsystem_c.dylib@0xa737c

RESOLVED WORKSFORME

Status

Product: Core
Component: Graphics: Text
Priority: --
Severity: critical
Status: RESOLVED WORKSFORME
Reported: 3 years ago
Modified: 2 years ago

People

Reporter: Daniela Domnici
Assignee: Unassigned

Tracking

Version: unspecified
Platform: All, Mac OS X
Keywords: crash
Points: ---

Firefox Tracking Flags

firefox38: affected

Details

(Whiteboard: [mozmill], gfx-noted, crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is 
report bp-3cbd9c9b-a6c9-4caf-8e59-33ad22150212.
=============================================================
We had this crash when running remote testruns on nightly.

Reports:
http://mozmill-daily.blargon7.com/#/remote/report/beeca5bc62c04337e8365d933bbcfa0c

Crash details:
Crash Reason 	EXC_BREAKPOINT / 0x00000002
Crash Address 	0x7fff9479937c

First 15 frames from the stack:
 0 	libsystem_c.dylib 	libsystem_c.dylib@0xa737c 	
 1 	libsystem_c.dylib 	libsystem_c.dylib@0xa03c7 	
 2 	CoreFoundation 	CoreFoundation@0x3caf 	
 3 	CoreText 	CoreText@0x5f8d 	
4 	XUL 	gfxCoreTextShaper::ShapeText(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*) 	gfx/thebes/gfxCoreTextShaper.cpp
 5 	XUL 	gfxMacFont::ShapeText(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*) 	gfx/thebes/gfxMacFont.cpp
6 	XUL 	gfxShapedWord* gfxFont::GetShapedWord<char16_t>(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, int, unsigned int, gfxTextPerfMetrics*) 	gfx/thebes/gfxFont.cpp
7 	XUL 	bool gfxFont::SplitAndInitTextRun<char16_t>(gfxContext*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, int, bool) 	gfx/thebes/gfxFont.cpp
8 	XUL 	void gfxFontGroup::InitScriptRun<char16_t>(gfxContext*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, int, gfxMissingFontRecorder*) 	gfx/thebes/gfxTextRun.cpp
9 	XUL 	void gfxFontGroup::InitTextRun<char16_t>(gfxContext*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) 	gfx/thebes/gfxTextRun.cpp
10 	XUL 	gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int, gfxMissingFontRecorder*) 	gfx/thebes/gfxTextRun.cpp
11 	XUL 	gfxTextRun* MakeTextRun<char16_t>(char16_t const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int, gfxMissingFontRecorder*) 	layout/generic/nsTextFrame.cpp
12 	XUL 	BuildTextRunsScanner::BuildTextRunForFrames(void*) 	layout/generic/nsTextFrame.cpp
13 	XUL 	BuildTextRunsScanner::FlushFrames(bool, bool) 	layout/generic/nsTextFrame.cpp
14 	XUL 	nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) 	layout/generic/nsTextFrame.cpp
(Reporter)

Updated

3 years ago
status-firefox38: --- → affected
Whiteboard: [mozmill]
Crash Signature: [@ libsystem_c.dylib@0xa737c] → [@ libsystem_c.dylib@0xa737c] [@ gfxCoreTextShaper::ShapeText(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*)]
Looks like some variation from bug 1130994. Is it a dupe?
Quite likely. We seem to be getting a bunch of reports that all look like they could be due to a bad/corrupt font, but it's hard to do much diagnosis without a specific testcase or URL that triggers the crash.
Component: Graphics → Graphics: Text
Whiteboard: [mozmill] → [mozmill], gfx-noted
So Firefox crashed here while we were in the following test:
http://hg.mozilla.org/qa/mozmill-tests/file/195befdcc2292eb5b4ca8d6bd458c273b2628ed7/firefox/tests/remote/testToolbar/testStopReloadButtons.js

This test loads the following page and aborts the load before it's done:
http://mozqa.com/data/firefox/layout/delayed_load.php?seconds=2

We aren't using any special font in that page.

Also I want to note that all of our OSX boxes have been upgraded to the latest Software Updates last week! Maybe one of the Apple updates delivered a broken font?
I'm currently trying to nail this problem down, given that it appears to happen more often these days, by running more different builds of Aurora in our Mozmill CI. What I can say right now is that it is somewhat related to downloading and a restart of Firefox. Once I have the testcase for Mozmill I will upload it.
Created attachment 8569059 [details] [diff] [review]
testcase (patch for mozmill-tests)

This is the minimized testcase for our Mozmill tests which triggers this crash each time the about:newtab page gets opened after starting and canceling the given download of the Firefox source bundle. Another download does not trigger the crash on shutdown.

I can see this all the time on one of our OS X 10.7 boxes. If you want to try it yourself please do those steps:

1. Install mozmill 2.0.10 and prepare the mozmill-tests as written at https://developer.mozilla.org/en-US/docs/Mozilla/QA/Mozmill_tests
2. Apply the attached patch
3. Run mozmill via "mozmill -b %binary% -t firefox/tests/remote/testDownloading/testDownloadStates.js"
When I run a debug build I see lots of those messages. Not sure if they are related given that such a build does not crash or assert.

[Child 36049] WARNING: flushing shaped-word cache: file /builds/slave/m-aurora-osx64-d-0000000000000/build/src/gfx/thebes/gfxFont.cpp, line 2379
Blocks: 1136602
I wonder how we can get a better query for those crashes on crashstats given that gfxCoreTextShaper::ShapeText is the important frame here. Robert do you have a tip?

Comment 8

3 years ago
It would be helpful if someone would upload symbols for that version of the Mac OS libraries so that we'd have an actually proper stack. Then it might make sense from there to add things to skiplist if needed, but before that, anything is off to speculation.
Who is usually doing this? It would be good to ni him/her.

Comment 10

3 years ago
Ted, do we have anyone who usually takes care of Mac symbols nowadays?
Flags: needinfo?(ted)
mstange expressed some interest but no, there's nobody actively in charge of it.

I have scripts here you can run to get the symbols out of system libraries on a specific machine:
http://hg.mozilla.org/users/tmielczarek_mozilla.com/mac-breakpad-symbol-gather/

You'll need a dump_syms binary (I can probably give you one that will work) and you'll need to `pip install requests`, but then you can run gathersymbols.py and it will produce a symbols.zip.
Flags: needinfo?(ted)
If you can give me that binary it would be great. I could give it a try then.
Here's a binary I have on my Mac, I'm not sure how compatible it'll be with older OS X releases:
http://people.mozilla.com/~tmielczarek/dump_syms

Just try running that binary directly on the machine you want symbols from. If it prints usage information then it'll work. If it prints an error then I'll try building a different one.

Comment 14

3 years ago
(In reply to Henrik Skupin (:whimboo) from comment #6)
> When I run a debug build I see lots of those messages. Not sure if they are
> related given that such a build does not crash or assert.
> 
> [Child 36049] WARNING: flushing shaped-word cache: file
> /builds/slave/m-aurora-osx64-d-0000000000000/build/src/gfx/thebes/gfxFont.
> cpp, line 2379

That's sort of a bogus warning, it simply means the word cache has hit its capacity limit and is flushing items in the cache. Nothing wrong with that. But it would seem to indicate a lot of textruns are being built, which might indicate this has something to do with some sort of use-after-delete scenario (just spitballing here).

Updated

3 years ago
Crash Signature: [@ libsystem_c.dylib@0xa737c] [@ gfxCoreTextShaper::ShapeText(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*)] → [@ libsystem_c.dylib@0xa737c] [@ gfxCoreTextShaper::ShapeText(gfxContext*, char16_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*)] [@ gfxCoreTextShaper::ShapeText]
Mass resolving WFM: signature(s) hasn't(/haven't) reported in past 28 days.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
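
Added example, not part of the bug thread and not Socorro's signature code: a simplified sketch of why this report is filed under `libsystem_c.dylib@0xa737c` while the frame useful for grouping is `gfxCoreTextShaper::ShapeText`, and which system modules would need symbols uploaded, using the first six frames quoted in the description. The function names and the `skip_unsymbolicated` option are hypothetical.

```python
import re

# First six frames of the stack quoted in this report: (module, function).
SHAPE_ARGS = ("(gfxContext*, char16_t const*, unsigned int, unsigned int, "
              "int, bool, gfxShapedText*)")
FRAMES = [
    ("libsystem_c.dylib", "libsystem_c.dylib@0xa737c"),
    ("libsystem_c.dylib", "libsystem_c.dylib@0xa03c7"),
    ("CoreFoundation", "CoreFoundation@0x3caf"),
    ("CoreText", "CoreText@0x5f8d"),
    ("XUL", "gfxCoreTextShaper::ShapeText" + SHAPE_ARGS),
    ("XUL", "gfxMacFont::ShapeText" + SHAPE_ARGS),
]

# A frame without symbols is rendered as "<module>@0x<offset>".
UNSYMBOLICATED = re.compile(r"^.+@0x[0-9a-fA-F]+$")


def modules_missing_symbols(frames):
    """Modules above the first symbolicated frame, in stack order."""
    missing = []
    for module, function in frames:
        if not UNSYMBOLICATED.match(function):
            break
        if module not in missing:
            missing.append(module)
    return missing


def signature(frames, skip_unsymbolicated=False):
    """Pick the frame a crash would be grouped under.

    With skip_unsymbolicated=False the top frame wins, which yields a
    module@offset signature that changes with every OS library build.
    With skip_unsymbolicated=True (hypothetical rule) raw frames are
    skipped and the argument list is dropped from the first named frame.
    """
    for _module, function in frames:
        raw = UNSYMBOLICATED.match(function) is not None
        if raw and skip_unsymbolicated:
            continue
        return function if raw else function.split("(", 1)[0]
    # Nothing symbolicated at all: fall back to the top frame.
    return frames[0][1] if frames else None


if __name__ == "__main__":
    print("raw signature:    ", signature(FRAMES))
    print("skipping raw:     ", signature(FRAMES, skip_unsymbolicated=True))
    print("symbols needed for:", modules_missing_symbols(FRAMES))
```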