Crash in mozalloc_abort | NS_DebugBreak | gfxFontGroup::GetDefaultFont

VERIFIED FIXED in Firefox 51

Status

Core
Graphics
--
critical
VERIFIED FIXED
a year ago
a year ago

People

(Reporter: Tomcat, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {crash, regression})

51 Branch
mozilla53
x86
Windows 7
crash, regression

Firefox Tracking Flags

(firefox50 unaffected, firefox51+ verified, firefox52 verified, firefox53 verified)

Details

(crash signature, URL)

Attachments

(3 attachments)

(Reporter)

Description

a year ago
str
Created attachment 8808947 [details]
bughunter stack

This bug was filed from the Socorro interface and is 
report bp-e72d0a45-c359-4c37-80ab-1b1432161109.
=============================================================

Found via bughunter and reproduced on current aurora opt builds.

Steps to reproduce:
-> Load http://www.newegg.ca/Product/Product.aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016

--> Crash
(Reporter)

Comment 1

a year ago
Hi Jonathan, I guess this is something for you.
Flags: needinfo?(jfkthame)
(Reporter)

Comment 2

a year ago
Seems to hit aurora only not trunk (will check beta also)

Aurora debug builds crash with:

[Child 2204] WARNING: Failed to create scaled font: Mangal status: 5: file c:/builds/moz2_slave/m-aurora-w32-d-000000000000000/build/src/gfx/thebes/gfxGDIFont.cpp, line 419
Crash Annotation GraphicsCriticalError: |[C0][GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec (t=303.911) [GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec
Assertion failure: [GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec, at c:\builds\moz2_slave\m-aurora-w32-d-000000000000000\build\src\obj-firefox\dist\include\mozilla/gfx/Logging.h:513
(Reporter)

Comment 3

a year ago
[Tracking Requested - why for this release]:
Seems this affects only aurora.
status-firefox50: --- → unaffected
status-firefox51: --- → affected
status-firefox52: --- → unaffected
tracking-firefox51: --- → ?

Comment 4

a year ago
I can reproduce the crash on Aurora51.0a2 if HWA is disabled.

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=77428fd9afc3b069894f466ce5b774fa3f267fc2&tochange=72c8ea085d7227204666b528d001f34c1cf4b113

Regressed by: Bug 1302225


And, I can also reproduce the crash on Nightly52.0a1 if set gfx.content.azure.backends = "direct2d1.1,cairo" && HWA is disabled.
Blocks: 1302225
Keywords: regression
Comment 5

I guess this is Cairo only, if it's in GDI, but I'm not sure we want to ignore it (printing?)  Mason, thoughts?  We are hitting a critical note...
Flags: needinfo?(mchang)
Assignee: nobody → mchang
(Assignee)

Comment 6

a year ago
What about systems where HWA is blocked for graphics card or driver issues -- will those users also be running into this?
Flags: needinfo?(jfkthame)
Created attachment 8809110 [details]
Error creating scaled GDI Fonts

(In reply to Milan Sreckovic [:milan] from comment #5)
> I guess this is Cairo only, if it's in GDI, but I'm not sure we want to
> ignore it (printing?)  Mason, thoughts?  We are hitting a critical note...

This seems to have become a bug somewhere in Gecko 51. Beta doesn't have this bug, but Nightly still does. We should still fix it since this seems to be happening in gfxGDIFonts, which depends on cairo to do some things. Users who are on skia but don't have dwrite fonts will still hit this problem.

(In reply to Jonathan Kew (:jfkthame) from comment #6)
> What about systems where HWA is blocked for graphics card or driver issues
> -- will those users also be running into this?

If they have dwrite, they'll be on skia and won't be affected.

The attachment is the error I'm getting when creating scaled GDI fonts. The status 5 from cairo is an invalid matrix.
Flags: needinfo?(mchang)
status-firefox52: unaffected → affected
Comment 8

This is a regression somewhere in Gecko 51. STR:

1) Go to about:config on a windows machine.
2) set preference "gfx.content.azure.backends" to "cairo" and preference "layers.acceleration.disabled" to true.
3) Restart firefox
4) go to about:support, ensure "AzureContentBackend" says "cairo".
5) Go to http://www.newegg.ca/Product/Product.aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 - Wait for a while. Takes a bit for the error to happen. See crash.
Keywords: regressionwindow-wanted

Comment 9

a year ago
(In reply to Mason Chang [:mchang] from comment #8)
> This is a regression somewhere in Gecko 51. STR:
> 
> 1) Go to about:config on a windows machine.
> 2) set preference "gfx.content.azure.backends" to "cairo" and preference
> "layers.acceleration.disabled" to true.
> 3) Restart firefox
> 4) go to about:support, ensure "AzureContentBackend" says "cairo".
> 5) Go to
> http://www.newegg.ca/Product/Product.
> aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 -
> Wait for a while. Takes a bit for the error to happen. See crash.

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3c9808031734f59937dcc9a122035e8673f75
(Assignee)

Comment 10

a year ago
(In reply to Alice0775 White from comment #9)

> Regression window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3
> c9808031734f59937dcc9a122035e8673f75

Thanks! The only plausible one of the bugs there would be bug 1296742; the other two bugs in that range are not relevant to the GDI fonts codepath.
(In reply to Alice0775 White from comment #9)
> (In reply to Mason Chang [:mchang] from comment #8)
> > This is a regression somewhere in Gecko 51. STR:
> > 
> > 1) Go to about:config on a windows machine.
> > 2) set preference "gfx.content.azure.backends" to "cairo" and preference
> > "layers.acceleration.disabled" to true.
> > 3) Restart firefox
> > 4) go to about:support, ensure "AzureContentBackend" says "cairo".
> > 5) Go to
> > http://www.newegg.ca/Product/Product.
> > aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 -
> > Wait for a while. Takes a bit for the error to happen. See crash.
> 
> Regression window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3
> c9808031734f59937dcc9a122035e8673f75

Thanks! That was fast :)

Can you take a look at this then Jonathan?
Flags: needinfo?(jfkthame)
Track 51+ as this crash only happened in aurora and real site.
tracking-firefox51: ? → +
Version: unspecified → 51 Branch
Keywords: regressionwindow-wanted
(Assignee)

Comment 13

a year ago
Created attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

The failure here happens because the CSS on that site tries to use font-size-adjust in places where the nominal font size is already tiny (0.05px or thereabouts). But in this case, the x-height and em-height metrics we get from the GDI backend are simply zero (because GDI doesn't support tiny fractional font sizes), which means we get a NaN trying to calculate the aspect ratio, and this leads to cairo failures when it ends up in the font matrix. To avoid the problem, I think we can just skip the font-size-adjust computation for such tiny sizes where everything is collapsing to zero under GDI anyway.
Attachment #8810366 - Flags: review?(mchang)
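The failure chain described in comment 13, as an added example (not the attached patch and not Gecko code): metrics that round to zero give a 0/0 aspect ratio, the NaN reaches the font matrix, and the matrix is rejected, while a guard that skips the adjustment keeps the nominal size. `IntegerBackendMetrics`, `AdjustedSizeUnguarded`, `AdjustedSizeGuarded` and `FontMatrixIsValid` are hypothetical names, and the whole-pixel rounding and the half-em x-height are assumptions standing in for the GDI backend.

```cpp
#include <cmath>
#include <cstdio>

// Hypothetical stand-in for the metrics a font backend reports at one size.
struct Metrics { double xHeight; double emHeight; };

// Constructed model of a backend that only supports whole-pixel sizes:
// for tiny fractional sizes such as 0.05px both metrics collapse to zero.
Metrics IntegerBackendMetrics(double sizePx) {
    double em = std::floor(sizePx + 0.5);        // round to whole pixels
    double x  = std::floor(em * 0.5 + 0.5);      // assume x-height is ~half the em
    return { x, em };
}

// Before: aspect ratio computed unconditionally. With zero metrics this is
// 0.0 / 0.0, which is NaN under IEEE 754, and the NaN becomes the font size.
double AdjustedSizeUnguarded(double sizePx, double sizeAdjust) {
    Metrics m = IntegerBackendMetrics(sizePx);
    double aspect = m.xHeight / m.emHeight;
    return sizePx * (sizeAdjust / aspect);
}

// After: skip font-size-adjust when the metrics rounded to zero, so no
// aspect ratio is computed and the nominal size is used unchanged.
double AdjustedSizeGuarded(double sizePx, double sizeAdjust) {
    Metrics m = IntegerBackendMetrics(sizePx);
    if (sizeAdjust <= 0.0 || m.xHeight <= 0.0 || m.emHeight <= 0.0) {
        return sizePx;
    }
    double aspect = m.xHeight / m.emHeight;
    return sizePx * (sizeAdjust / aspect);
}

// Model of an "invalid matrix" check for the scale matrix [size 0; 0 size]:
// the determinant must be finite and non-zero.
bool FontMatrixIsValid(double size) {
    double det = size * size;
    return std::isfinite(det) && det != 0.0;
}

int main() {
    const double tiny = 0.05, adjust = 0.5;      // constructed sample values
    double bad  = AdjustedSizeUnguarded(tiny, adjust);
    double good = AdjustedSizeGuarded(tiny, adjust);
    std::printf("unguarded: size=%f matrix valid=%d\n", bad, FontMatrixIsValid(bad));
    std::printf("guarded:   size=%f matrix valid=%d\n", good, FontMatrixIsValid(good));
    return 0;
}
```

At ordinary sizes both functions return the same adjusted size; they differ only where the metrics have rounded to zero.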
(Assignee)

Updated

a year ago
Assignee: mchang → jfkthame
Status: NEW → ASSIGNED
(Assignee)

Updated

a year ago
Flags: needinfo?(jfkthame)
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Review of attachment 8810366 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this! Please also request uplift to 51.
Attachment #8810366 - Flags: review?(mchang) → review+
(Assignee)

Comment 15

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6e0621b81552eb3c20275b3ae5c25e2f15db1eb
Bug 1316262 - Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio. r=mchang
(Reporter)

Comment 16

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c6e0621b8155
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
(Assignee)

Comment 17

a year ago
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Approval Request Comment
[Feature/regressing bug #]: 1296742 (depending whether skia is enabled)

[User impact if declined]: potential abort due to font instantiation failure under cairo+GDI when site uses font-size-adjust in combination with tiny font-size

[Describe test coverage new/current, TreeHerder]: tested manually using scenarios described in the bug (h/w accel and skia backend both disabled)

[Risks and why]: minimal risk, trivial patch to avoid doing computations with sizes that rounded to zero

[String/UUID change made/needed]: n/a
Attachment #8810366 - Flags: approval-mozilla-beta?
Attachment #8810366 - Flags: approval-mozilla-aurora?
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Fix a crash. Aurora52+, Beta51+. Should be in 51 beta 2.
Attachment #8810366 - Flags: approval-mozilla-beta?
Attachment #8810366 - Flags: approval-mozilla-beta+
Attachment #8810366 - Flags: approval-mozilla-aurora?
Attachment #8810366 - Flags: approval-mozilla-aurora+
(Reporter)

Comment 20

a year ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/8117e133c588
status-firefox51: affected → fixed
Flags: qe-verify+
Comment 21

I reproduced this issue using Fx 52.0a1 (build ID: 20161109030210) on Windows 7 x32, using the steps from comment 8.
I can confirm this issue is fixed on Fx 52.0a2 (build ID: 20161121004022) and Fx 53.0a1 (build ID: 20161120030205).

However I can still reproduce this issue on Fx 51.0b1 - build 2 (build ID: 20161115182233)

Crash reports:

- https://crash-stats.mozilla.com/report/index/dbe6d384-141c-4cbf-9f16-893db2161121
- https://crash-stats.mozilla.com/report/index/b289b7ec-b5c7-4cd7-9f94-745522161121
- https://crash-stats.mozilla.com/report/index/d1850b07-22b9-414f-8f59-0b9532161121
- https://crash-stats.mozilla.com/report/index/eb6e581a-81a6-4118-b9b2-aa8b52161121


Note: This crash also occurs using Fx 51.0b1 on Windows 10 x64 as well. 
 - https://crash-stats.mozilla.com/report/index/6008ebcc-f942-4dea-b915-c7e5b2161121
status-firefox52: fixed → verified
status-firefox53: fixed → verified
Flags: qe-verify+
(Assignee)

Comment 22

a year ago
(In reply to Cristian Comorasu from comment #21)
> However I can still reproduce this issue on Fx 51.0b1 - build 2 (build ID:
> 20161115182233)

That's expected; the patch didn't land on beta until 2016-11-17 (comment 20), so that build is too early to include the fix.
I verified again using Fx 51.0b2 (build ID: 20161121093909) on Windows 10 x64 and Windows 7 x32. The crash did not occur.
Status: RESOLVED → VERIFIED
status-firefox51: fixed → verified
(Assignee)

Comment 25

a year ago
(In reply to [:philipp] from comment #24)
> hi, the signature is spiking up again since yesterday on beta:
> https://crash-stats.mozilla.com/signature/
> ?product=Firefox&release_channel=beta&signature=mozalloc_abort%20%7C%20NS_Deb
> ugBreak%20%7C%20gfxFontGroup%3A%3AGetDefaultFont&date=%3E%3D2016-09-
> 07T20%3A57%3A54.000Z&date=%3C2016-12-07T20%3A57%3A54.000Z#graphs
> 
> should we file a new bug about this?

Yes, I think so. The issue here was specific to the GDI font backend. I looked at a bunch of the current crash reports, and all the ones I checked had the DirectWrite backend active. So whatever they are, they're definitely not the same as the issue this bug was about.
Flags: needinfo?(jfkthame)

Updated

a year ago
See Also: → bug 1322437