Closed Bug 1417790 Opened 7 years ago Closed 6 years ago

Crash in gfxFontSrcPrincipal with MOZ_CRASH(extended principal should never be used as key in a hash map)

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Unspecified
Android
defect

RESOLVED FIXED

People

(Reporter: jchen, Assigned: kmag)

Details

(Keywords: crash, Whiteboard: [fixed by bug 1412345])

Crash Data

This bug was filed from the Socorro interface and is report bp-c8ca8f88-7825-45d4-b5f5-f28f60171115.

=============================================================
Top 10 frames of crashing thread:

0 libxul.so <name omitted> caps/ExpandedPrincipal.cpp:143
1 libxul.so gfxFontSrcPrincipal::gfxFontSrcPrincipal gfx/thebes/gfxFontSrcPrincipal.cpp:19
2 libxul.so mozilla::dom::FontFaceSet::FindOrCreateUserFontEntryFromFontFace layout/style/FontFaceSet.cpp:1135
3 libxul.so mozilla::dom::FontFaceSet::InsertRuleFontFace layout/style/FontFaceSet.cpp:945
4 libxul.so mozilla::dom::FontFaceSet::UpdateRules layout/style/FontFaceSet.cpp:767
5 libxul.so nsIDocument::FlushUserFontSet dom/base/nsDocument.cpp:13592
6 libxul.so mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4175
7 libxul.so nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:1882
8 libxul.so mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:306
9 libxul.so mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:327
=============================================================

Not new crash, but there seems to be a recent uptick in the number of crashes. Can you take a look, Cameron, since you worked on bug 1376964?
Flags: needinfo?(cam)
Interesting that this is only on Fennec. I don't know much about ExpandedPrincipals but I think they're used by addons, and many of the crashes do have addons installed. So we must somehow have a style sheet with an ExpandedPrincipal that has an @font-face rule in it. Maybe a style sheet loaded from a moz-extension://... URL that has a @font-face rule in it?
Andrea, do you know why ExpandedPrincipal::GetHashValue crashes? What is that trying to protect against, and would it be OK if I just implemented it?
Flags: needinfo?(cam) → needinfo?(amarchesini)
Kris, is this something you were working on?
Flags: needinfo?(amarchesini) → needinfo?(kmaglione+bmo)
(In reply to Andrea Marchesini [:baku] from comment #3)
> Kris, is this something you were working on?

No, but related. From bug 1412345, it seems like this happens when extensions create Blobs from data: URLs using fetch(), and then load them as stylesheets. I'm not sure why it only seems to happen on Android, though.

Either way, we probably need to make sure blob URLs always wind up inheriting a constituent principal when we try to create them from an expanded principal origin, the same way we deal with principal inheritance for channels.
Assignee: nobody → kmaglione+bmo
Flags: needinfo?(kmaglione+bmo)
See Also: → 1412345
Priority: -- → P3
There are no reported crashes for this signature in recent versions, so I'll assume it was fixed by bug 1412345.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1412345]
Depends on: 1412345