Closed Bug 1315642 Opened 3 years ago Closed 3 years ago

Assertion failure: dirEntry (attempt to rename font with no name table), at gfxFontUtils.cpp:1093

Categories: Core :: Graphics, defect, P3
Status: VERIFIED FIXED, mozilla53

Tracking Status
firefox50 --- fixed
firefox51 + fixed
firefox52 + verified
firefox53 --- fixed

People: Reporter: cbook, Assigned: jfkthame
References: Blocks 1 open bug
Keywords: assertion, crash
Whiteboard: [gfx-noted]
Attachments: 2 files

Attached file stack
Found via bughunter and reproduced with the latest trunk debug and opt tinderbox builds.

Steps to reproduce:
-> Load http://www.manintown.com/deejay-ten-milano-si-prepara-celebrare-la-xii-edizione/2016/09/20/?utm_source=nativeadv&utm_medium=banner&utm_campaign=YB
--> Assertion/Crash on Load

breakpad id: https://crash-stats.mozilla.com/report/index/2b2f66d4-f0b2-4229-b1f0-ff14d2161107

[Child 308] WARNING: NS_ENSURE_TRUE(dirEntry) failed: file c:/builds/moz2_slave/m-cen-w32-d-000000000000000000/build/src/gfx/thebes/gfxFontUtils.cpp, line 1158
Assertion failure: dirEntry (attempt to rename font with no name table), at c:/builds/moz2_slave/m-cen-w32-d-000000000000000000/build/src/gfx/thebes/gfxFontUtils.cpp:1093
[Tracking Requested - why for this release]:

affecting beta -> trunk on opt and debug builds

We could still take a patch in early beta (51) or even to 50.1.0 in the next few weeks.

Priority: -- → P3
Whiteboard: [gfx-noted]

The failure here is happening because the site deploys a TrueType Collection (ttcf) resource as WOFF2; OTS successfully decodes this, but our user-font code doesn't yet support collections. Until we implement that, we need to just discard this resource and move on to the next available option.
Attachment #8810385 - Flags: review?(jmuizelaar)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED

Attachment #8810385 - Flags: review?(jmuizelaar) → review+

https://hg.mozilla.org/integration/mozilla-inbound/rev/5fc1551aa541e1c32d903eb2a95afbf2ee8447fc
Bug 1315642 - Check that font resource decoded/sanitized by OTS is a usable OpenType format (in particular, we do NOT yet support TrueType Collection resources, even though OTS can decode them). r=jrmuizel

https://hg.mozilla.org/mozilla-central/rev/5fc1551aa541
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
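
The check described in the comment and commit message above, sketched as an added example (not the patch attached to this bug and not Gecko's or OTS's code): classify the decoded buffer by its version tag and accept it only if it is a single-face font whose table directory contains a name table. All function names and the sample byte arrays are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical helper names; this is not Gecko's or OTS's API.
enum class FontKind { SingleFace, Collection, Unknown };
// Four-character tags as big-endian integers: 'OTTO', 'true', 'ttcf', 'name'.
constexpr uint32_t kOTTO = 0x4F54544F, kTrue = 0x74727565, kTtcf = 0x74746366, kName = 0x6E616D65;

static uint32_t ReadU32(const uint8_t* p) {  // big-endian, as in font files
  return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Classify a decoded buffer by the 4-byte version tag at offset 0.
FontKind ClassifyFont(const uint8_t* data, size_t len) {
  if (!data || len < 12) return FontKind::Unknown;
  uint32_t v = ReadU32(data);
  if (v == 0x00010000 || v == kOTTO || v == kTrue)
    return FontKind::SingleFace;
  return v == kTtcf ? FontKind::Collection : FontKind::Unknown;
}

// Bounds-checked search of a single-face table directory
// (12-byte header, numTables at offset 4, then 16-byte records).
bool HasTable(const uint8_t* data, size_t len, uint32_t tag) {
  if (!data || len < 12) return false;
  size_t numTables = (size_t(data[4]) << 8) | data[5];
  if (12 + numTables * 16 > len) return false;
  for (size_t i = 0; i < numTables; ++i)
    if (ReadU32(data + 12 + i * 16) == tag) return true;
  return false;
}

// Gate to run after sanitizing and before any code that edits the name table.
bool IsUsableUserFont(const uint8_t* data, size_t len) {
  return ClassifyFont(data, len) == FontKind::SingleFace &&
         HasTable(data, len, kName);
}

// Constructed samples: one face holding only an empty 'name' table, and a
// version 1.0 collection header wrapping that face at offset 16.
std::vector<uint8_t> MakeSingleFace() {
  return {0,1,0,0, 0,1, 0,16, 0,0, 0,0, 'n','a','m','e', 0,0,0,0, 0,0,0,28, 0,0,0,0};
}
std::vector<uint8_t> MakeCollection() {
  std::vector<uint8_t> c = {'t','t','c','f', 0,1,0,0, 0,0,0,1, 0,0,0,16};
  for (uint8_t b : MakeSingleFace()) c.push_back(b);
  return c;
}
```

On the constructed collection, a single-face directory lookup finds no `name` entry, the same condition the assertion message names.
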
Comment on attachment 8810385 [details] [diff] [review]
Check that font resource decoded/sanitized by OTS is a usable OpenType format (in particular, we do NOT yet support TrueType Collection resources, even though OTS can decode them)

As this can lead to crashes on real-world sites, and the fix is extremely simple, I think we should consider it as a ride-along for any bugfix release, in addition to uplifting to aurora & beta.

Approval Request Comment
[Feature/regressing bug #]: Unsure exactly when this was introduced. One of the OTS and WOFF2 updates we've pulled from upstream will have added support for TrueType Collection files in the decoder, and that leads to the problem here.

[User impact if declined]: Potential crash on sites that deploy .ttc files.

[Describe test coverage new/current, TreeHerder]: Tested manually with the site from the bug report

[Risks and why]: Minimal, just reject resources with an unsupported format.

[String/UUID change made/needed]: n/a
Attachment #8810385 - Flags: approval-mozilla-release?
Attachment #8810385 - Flags: approval-mozilla-beta?
Attachment #8810385 - Flags: approval-mozilla-aurora?

Comment on attachment 8810385 [details] [diff] [review]
Check that font resource decoded/sanitized by OTS is a usable OpenType format (in particular, we do NOT yet support TrueType Collection resources, even though OTS can decode them)

Fix a potential crash on real-world sites. Beta51+ and Aurora52+. Should be in 51 beta 2.
Attachment #8810385 - Flags: approval-mozilla-beta?
Attachment #8810385 - Flags: approval-mozilla-beta+
Attachment #8810385 - Flags: approval-mozilla-aurora?
Attachment #8810385 - Flags: approval-mozilla-aurora+

I was able to repro this crash on build 11-14 of 51.0a2 and the crash does not repro on build 20161125004006 of 52.0a2. This is verified as fixed.
Status: RESOLVED → VERIFIED

Comment on attachment 8810385 [details] [diff] [review]
Check that font resource decoded/sanitized by OTS is a usable OpenType format (in particular, we do NOT yet support TrueType Collection resources, even though OTS can decode them)

Fixes a crash, verified on pre-release channel, let's uplift to 50.1.0
Attachment #8810385 - Flags: approval-mozilla-release? → approval-mozilla-release+