1353657 - Crash in nsFont::Equals

Status: RESOLVED WORKSFORME

(Core :: Graphics: Text, defect, P3)

Description

[Ting-Yu Chou [:ting] (away)]

This bug was filed from the Socorro interface and is 
report bp-26362ce3-9b09-4263-a348-8c9442170404.
=============================================================
Top #30 of Nightly 20170402030202 on Windows; 84 reports from 50 installations in the past week.

Comment 1

[Ethan Lin[:ethlin]]

According to the minidump, we may dereference a nullptr at [1] to cause the crash, which means the "other##struct_" is nullptr. Based on [2], it looks like we may return nullptr in the DoGetStyle##name_(). i will investigate further.

[1] https://hg.mozilla.org/releases/mozilla-beta/annotate/8b7e2a303954/layout/style/nsStyleContext.cpp#l1098
[2] https://hg.mozilla.org/releases/mozilla-beta/annotate/8b7e2a303954/layout/style/nsStyleContext.h#l621

Comment 2

[Xidorn Quan [:xidorn] UTC+11]

Style##name_() method is not supposed to ever return nullptr. It would be a big problem if that invariant doesn't hold.

Comment 3

[Ethan Lin[:ethlin]]

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #2)
> Style##name_() method is not supposed to ever return nullptr. It would be a
> big problem if that invariant doesn't hold.

Right, I also discussed with heycam. It looks like Style##name_() will always return a non-nullptr. So I have no idea right now.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.