Closed Bug 1316262 Opened 7 years ago Closed 7 years ago

Crash in mozalloc_abort | NS_DebugBreak | gfxFontGroup::GetDefaultFont

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Version:
51 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 + verified
firefox52 --- verified
firefox53 --- verified

People

(Reporter: cbook, Assigned: jfkthame)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(3 files)

bughunter stack
115.09 KB, text/plain
Details
Error creating scaled GDI Fonts
2.28 KB, text/plain
Details
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio
1.71 KB, patch
mchang
: review+
gchang
: approval-mozilla-aurora+
gchang
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file bughunter stack 
This bug was filed from the Socorro interface and is 
report bp-e72d0a45-c359-4c37-80ab-1b1432161109.
=============================================================

Found via bughunter and reproduced on current aurora opt builds.

Steps to reproduce:
-> Load http://www.newegg.ca/Product/Product.aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016

--> Crash
Hi Johnathan i guess this is something for you
Flags: needinfo?(jfkthame)
Seems to hit aurora only not trunk (will check beta also)

Aurora debug builds crash with:

[Child 2204] WARNING: Failed to create scaled font: Mangal status: 5: file c:/builds/moz2_slave/m-aurora-w32-d-000000000000000/build/src/gfx/thebes/gfxGDIFont.cpp, line 419
Crash Annotation GraphicsCriticalError: |[C0][GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec (t=303.911) [GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec
Assertion failure: [GFX1]: no fonts - init: 1 fonts: 143 loader: 1 backend: gdi system-uptime:  5984.057 sec, at c:\builds\moz2_slave\m-aurora-w32-d-000000000000000\build\src\obj-firefox\dist\include\mozilla/gfx/Logging.h:513
#01: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5e4f0c]
#02: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xd2814e]
#03: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xd287bc]
#04: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xbb4c1d]
#05: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xbb61cf]
#06: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2141ffe]
#07: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2141f48]
#08: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x214bb81]
#09: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2036c98]
#10: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x202f00c]
#11: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5cff7]
#12: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5cc67]
#13: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5c4c5]
#14: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5ccfa]
#15: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5c4c5]
#16: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5ccfa]
#17: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5c4c5]
#18: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5a39a]
#19: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x20368a1]
#20: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2036c37]
#21: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x202f00c]
#22: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc72b32]
#23: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc75a51]
#24: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc5df7c]
#25: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc6ea3f]
#26: soundtouch::SoundTouch::operator=[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0xc6e864]
#27: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x20bd8a1]
#28: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x20bc0dc]
#29: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x20ba64d]
#30: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x1e1ec30]
#31: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x1e1ea5e]
#32: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x1e1e917]
#33: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2021693]
#34: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x20218be]
#35: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x202090c]
#36: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x201fdb2]
#37: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x2021865]
#38: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x201ed4e]
#39: DumpFrameArray[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x221dc96]
#40: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x7d642e]
#41: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x630e73]
#42: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f2f9e]
#43: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f34f2]
#44: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f69bf]
#45: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f9793]
#46: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f9ac2]
#47: XRE_AddStaticComponent[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x22d827]
#48: NS_StringSetIsVoid[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x255077]
#49: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f9e30]
#50: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f9f5c]
#51: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d79d7]
#52: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d798f]
#53: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d76da]
#54: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x1e46287]
#55: mozilla_dump_image[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x1e96939]
#56: XRE_RunAppShell[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x263ad95]
#57: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5f9e93]
#58: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d79d7]
#59: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d798f]
#60: mozilla::net::LoadInfo::TriggeringPrincipal[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x5d76da]
#61: XRE_InitChildProcess[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\xul.dll +0x263a92f]
#62: ???[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\firefox.exe +0x1832]
#63: ???[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\firefox.exe +0x15b5]
#64: ???[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\firefox.exe +0x2040]
#65: TargetNtUnmapViewOfSection[c:\bughunter\aurora\firefox-51.0a2.en-US.win32\firefox\firefox.exe +0x32af3]
[Tracking Requested - why for this release]:
seems this affect only aurora
status-firefox50: --- → unaffected
status-firefox51: --- → affected
status-firefox52: --- → unaffected
tracking-firefox51: --- → ?
I can reproduce the crash on Aurora51.0a2 if HWA is disabled.

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=77428fd9afc3b069894f466ce5b774fa3f267fc2&tochange=72c8ea085d7227204666b528d001f34c1cf4b113

Regressed by: Bug 1302225


And, I can also reproduce the crash on Nightly52.0a1 if set gfx.content.azure.backends = "direct2d1.1,cairo" && HWA is disabled.
Blocks: 1302225
Keywords: regression
I guess this is Cairo only, if it's in GDI, but I'm not sure we want to ignore it (printing?)  Mason, thoughts?  We are hitting a critical note...
Flags: needinfo?(mchang)
Assignee: nobody → mchang
What about systems where HWA is blocked for graphics card or driver issues -- will those users also be running into this?
Flags: needinfo?(jfkthame)
(In reply to Milan Sreckovic [:milan] from comment #5)
> I guess this is Cairo only, if it's in GDI, but I'm not sure we want to
> ignore it (printing?)  Mason, thoughts?  We are hitting a critical note...

This seems to have become a bug somewhere in Gecko 51. Beta doesn't have this bug, but Nightly still does. We should still fix it since this seems to be happening in gfxGDIFonts, which depends on cairo to do some things. Users who are on skia but don't have dwrite fonts will still hit this problem.

(In reply to Jonathan Kew (:jfkthame) from comment #6)
> What about systems where HWA is blocked for graphics card or driver issues
> -- will those users also be running into this?

If they have dwrite, they'll be on skia and won't be affected.

The attachment is the error im getting when creating scaled GDI fonts. The status 5 from cairo is an invalid matrix.
Flags: needinfo?(mchang)
This is a regression somewhere in Gecko 51. STR:

1) Go to about:config on a windows machine.
2) set preference "gfx.content.azure.backends" to "cairo" and preference "layers.acceleration.disabled" to true.
3) Restart firefox
4) go to about:support, ensure "AzureContentBackend" says "cairo".
5) Go to http://www.newegg.ca/Product/Product.aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 - Wait for a while. Takes a bit for the error to happen. See crash.
Keywords: regressionwindow-wanted
(In reply to Mason Chang [:mchang] from comment #8)
> This is a regression somewhere in Gecko 51. STR:
> 
> 1) Go to about:config on a windows machine.
> 2) set preference "gfx.content.azure.backends" to "cairo" and preference
> "layers.acceleration.disabled" to true.
> 3) Restart firefox
> 4) go to about:support, ensure "AzureContentBackend" says "cairo".
> 5) Go to
> http://www.newegg.ca/Product/Product.
> aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 -
> Wait for a while. Takes a bit for the error to happen. See crash.

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3c9808031734f59937dcc9a122035e8673f75
(In reply to Alice0775 White from comment #9)

> Regression window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3
> c9808031734f59937dcc9a122035e8673f75

Thanks! The only plausible one of the bugs there would be bug 1296742; the other two bugs in that range are not relevant to the GDI fonts codepath.
(In reply to Alice0775 White from comment #9)
> (In reply to Mason Chang [:mchang] from comment #8)
> > This is a regression somewhere in Gecko 51. STR:
> > 
> > 1) Go to about:config on a windows machine.
> > 2) set preference "gfx.content.azure.backends" to "cairo" and preference
> > "layers.acceleration.disabled" to true.
> > 3) Restart firefox
> > 4) go to about:support, ensure "AzureContentBackend" says "cairo".
> > 5) Go to
> > http://www.newegg.ca/Product/Product.
> > aspx?Item=N82E16820156150&cm_sp=Homepage_BS-_-P5_20-156-150-_-11062016 -
> > Wait for a while. Takes a bit for the error to happen. See crash.
> 
> Regression window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=1150d238edc731d37bdbbe1601141214ce0415bc&tochange=d2d3
> c9808031734f59937dcc9a122035e8673f75

Thanks! That was fast :)

Can you take a look at this then Jonathan?
Flags: needinfo?(jfkthame)
Track 51+ as this crash only happened in aurora and real site.
tracking-firefox51: ?+
Version: unspecified → 51 Branch
The failure here happens because the CSS on that site tries to use font-size-adjust in places where the nominal font size is already tiny (0.05px or thereabouts). But in this case, the x-height and em-height metrics we get from the GDI backend are simply zero (because GDI doesn't support tiny fractional font sizes), which means we get a NaN trying to calculate the aspect ratio, and this leads to cairo failures when it ends up in the font matrix. To avoid the problem, I think we can just skip the font-size-adjust computation for such tiny sizes where everything is collapsing to zero under GDI anyway.
Attachment #8810366 - Flags: review?(mchang)
Assignee: mchang → jfkthame
Status: NEW → ASSIGNED
Flags: needinfo?(jfkthame)
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Review of attachment 8810366 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this! Please also request uplift to 51.
Attachment #8810366 - Flags: review?(mchang) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6e0621b81552eb3c20275b3ae5c25e2f15db1eb
Bug 1316262 - Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio. r=mchang
https://hg.mozilla.org/mozilla-central/rev/c6e0621b8155
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Approval Request Comment
[Feature/regressing bug #]: 1296742 (depending whether skia is enabled)

[User impact if declined]: potential abort due to font instantiation failure under cairo+GDI when site uses font-size-adjust in combination with tiny font-size

[Describe test coverage new/current, TreeHerder]: tested manually using scenarios described in the bug (h/w accel and skia backend both disabled)

[Risks and why]: minimal risk, trivial patch to avoid doing computations with sizes that rounded to zero

[String/UUID change made/needed]: n/a
Attachment #8810366 - Flags: approval-mozilla-beta?
Attachment #8810366 - Flags: approval-mozilla-aurora?
Comment on attachment 8810366 [details] [diff] [review]
Guard against failure applying font-size-adjust to tiny font sizes with GDI backend, where metrics round to zero so we cannot compute aspect ratio

Fix a crash. Aurora52+, Beta51+. Should be in 51 beta 2.
Attachment #8810366 - Flags: approval-mozilla-beta?
Attachment #8810366 - Flags: approval-mozilla-beta+
Attachment #8810366 - Flags: approval-mozilla-aurora?
Attachment #8810366 - Flags: approval-mozilla-aurora+
Flags: qe-verify+
I reproduced this issue using Fx 52.0a1 (build ID: 20161109030210) on Windows 7 x32, using the steps from comment 8.
I can confirm this issue is fixed on Fx 52.0a2 (build ID: 20161121004022) and Fx 53.0a1(build ID: 20161120030205).

However I can still reproduce this issue on Fx 51.0b1 - build 2 (build ID: 20161115182233)

Crash reports:

- https://crash-stats.mozilla.com/report/index/dbe6d384-141c-4cbf-9f16-893db2161121
- https://crash-stats.mozilla.com/report/index/b289b7ec-b5c7-4cd7-9f94-745522161121
- https://crash-stats.mozilla.com/report/index/d1850b07-22b9-414f-8f59-0b9532161121
- https://crash-stats.mozilla.com/report/index/eb6e581a-81a6-4118-b9b2-aa8b52161121


Note: This crash also occurs using Fx 51.0b1 on Windows 10 x64 as well. 
 - https://crash-stats.mozilla.com/report/index/6008ebcc-f942-4dea-b915-c7e5b2161121
status-firefox52: fixedverified
status-firefox53: fixedverified
Flags: qe-verify+
(In reply to Cristian Comorasu from comment #21)
> However I can still reproduce this issue on Fx 51.0b1 - build 2 (build ID:
> 20161115182233)

That's expected; the patch didn't land on beta until 2016-11-17 (comment 20), so that build is too early to include the fix.
I verified again using Fx 51.0b2 (build ID:20161121093909) on Windows 10 x64 and Windows 7 x32. The crash did not occur.
Status: RESOLVED → VERIFIED
status-firefox51: fixedverified
(In reply to [:philipp] from comment #24)
> hi, the signature is spiking up again since yesterday on beta:
> https://crash-stats.mozilla.com/signature/
> ?product=Firefox&release_channel=beta&signature=mozalloc_abort%20%7C%20NS_Deb
> ugBreak%20%7C%20gfxFontGroup%3A%3AGetDefaultFont&date=%3E%3D2016-09-
> 07T20%3A57%3A54.000Z&date=%3C2016-12-07T20%3A57%3A54.000Z#graphs
> 
> should we file a new bug about this?

Yes, I think so. The issue here was specific to the GDI font backend. I looked at a bunch of the current crash reports, and all the ones I checked had the DirectWrite backend active. So whatever they are, they're definitely not the same as the issue this bug was about.
Flags: needinfo?(jfkthame)
See Also: → 1322437
See Also: → 1712165
You need to log in before you can comment on or make changes to this bug.