Closed Bug 1425346 Opened 2 years ago Closed 2 years ago

Crash in _cairo_user_data_array_set_data.cold.16

Categories: Core :: Graphics: WebRender, defect, P3, critical
Platform: x86_64 Linux
Status: RESOLVED FIXED (target milestone mozilla59)
Tracking Status:
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- disabled
People: Reporter: darkspirit, Assigned: lsalzman
References: Blocks 2 open bugs
Keywords: crash, nightly-community
Attachments: 1 file

Seen on Socorro. This signature is reappearing after a month of silence.
bug 1412545 was about it in the past. Regression?

bp-3a587a0e-a3e8-4385-b69b-5fd840171213 20171212100127 (2017-12-12) Linux
> 0 	libxul.so 	_cairo_user_data_array_set_data.cold.16 	
> 1 	libxul.so 	mozilla::gfx::ScaledFontFontconfig::CreateFromInstanceData 	gfx/2d/ScaledFontFontconfig.cpp:420
> 2 	libxul.so 	mozilla::gfx::UnscaledFontFontconfig::CreateScaledFont 	gfx/2d/ScaledFontFontconfig.cpp:368
> 3 	libxul.so 	mozilla::gfx::RecordedScaledFontCreationByIndex::PlayEvent 	gfx/2d/RecordedEventImpl.h:3022
> 4 	libxul.so 	mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, size_t)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, size_t)::<lambda(mozilla::gfx::RecordedEvent*)> > 	gfx/2d/InlineTranslator.cpp:84
> 5 	libxul.so 	mozilla::gfx::InlineTranslator::TranslateRecording 	gfx/2d/InlineTranslator.cpp:89
> 6 	libxul.so 	mozilla::wr::Moz2DRenderCallback 	gfx/webrender_bindings/Moz2DImageRenderer.cpp:232
> 7 	libxul.so 	wr_moz2d_render_cb 	gfx/webrender_bindings/Moz2DImageRenderer.cpp:263
> 8 	libxul.so 	rayon_core::job::{{impl}}::execute<closure> 	gfx/webrender_bindings/src/moz2d_renderer.rs:171
> 9 	libxul.so 	rayon_core::registry::WorkerThread::wait_until<rayon_core::latch::CountLatch> 	third_party/rust/rayon-core/src/job.rs:55
> 10 	libxul.so 	std::sys_common::backtrace::__rust_begin_short_backtrace<closure, ()> 	third_party/rust/rayon-core/src/registry.rs:559
> 11 	libxul.so 	alloc::boxed::{{impl}}::call_box<(), closure> 	src/libstd/thread/mod.rs:400
> 12 	libxul.so 	std::sys::imp::thread::{{impl}}::new::thread_start 	src/liballoc/boxed.rs:736
> Ø 13 	libpthread-2.26.so 	libpthread-2.26.so@0x77fb 	
> Ø 14 	libc-2.26.so 	libc-2.26.so@0x114b0e
There is a nasty potential race inside cairo_ft_font_face_create_for_pattern where it is accessing a shared cairo_ft_unscaled_font's faces list and modifying it without any sort of locking. This means we can ultimately pull a bogus face off this list, which can then blow up when we try to do things like set user data on it.

So this patch takes the unscaled font's mutex temporarily before it does things with the list, which should prevent this particular brand of race.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #8940902 - Flags: review?(jmuizelaar)
Attachment #8940902 - Flags: review?(jmuizelaar) → review+
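The race described in the comment above, modelled as an added example (this is illustrative code written for this page, not cairo's or Firefox's own source): an "unscaled font" owns a linked list of cached faces, `face_for_key_unlocked` has the racy shape (scan and prepend with no lock held), and `face_for_key_locked` is the fixed shape, taking the unscaled font's own mutex around the whole lookup-or-insert. All type and function names (`unscaled_font_t`, `face_t`, `run_stress`, the integer `key` standing in for whatever identifies a face) are hypothetical stand-ins, and the code assumes POSIX threads. `run_stress` hammers the locked path from several threads and checks the invariants the lock is supposed to preserve: every caller gets the face it asked for, each key is inserted exactly once, and no reference-count increment is lost.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins, not cairo's cairo_ft_unscaled_font_t / faces list. */
typedef struct face {
    int key;             /* hypothetical identifier for a cached face */
    long refcount;       /* how many lookups handed this face out */
    struct face *next;
} face_t;

typedef struct {
    pthread_mutex_t mutex;   /* the unscaled font's own lock */
    face_t *faces;           /* shared list: only touch it while holding mutex */
} unscaled_font_t;

void unscaled_font_init(unscaled_font_t *uf)
{
    pthread_mutex_init(&uf->mutex, NULL);
    uf->faces = NULL;
}

void unscaled_font_destroy(unscaled_font_t *uf)
{
    for (face_t *f = uf->faces, *next; f; f = next) {
        next = f->next;
        free(f);
    }
    uf->faces = NULL;
    pthread_mutex_destroy(&uf->mutex);
}

/* Racy shape: scan and prepend with no lock. Two threads can both miss,
 * both insert, or one can read a node the other is still linking in.
 * Kept for comparison only; the worker threads never call it directly. */
face_t *face_for_key_unlocked(unscaled_font_t *uf, int key)
{
    face_t *f;
    for (f = uf->faces; f && f->key != key; f = f->next)
        ;
    if (!f) {
        if (!(f = calloc(1, sizeof *f)))
            return NULL;
        f->key = key;
        f->next = uf->faces;
        uf->faces = f;
    }
    f->refcount++;
    return f;
}

/* Fixed shape: hold the unscaled font's mutex across the whole
 * lookup-or-insert, so no caller ever observes the list mid-modification. */
face_t *face_for_key_locked(unscaled_font_t *uf, int key)
{
    pthread_mutex_lock(&uf->mutex);
    face_t *f = face_for_key_unlocked(uf, key);   /* same logic, now serialised */
    pthread_mutex_unlock(&uf->mutex);
    return f;
}

typedef struct { unscaled_font_t *uf; int nkeys, iters, ok; } worker_t;

static void *worker(void *arg)
{
    worker_t *w = arg;
    w->ok = 1;
    for (int i = 0; i < w->iters; i++) {
        int key = i % w->nkeys;
        face_t *f = face_for_key_locked(w->uf, key);
        if (!f || f->key != key)
            w->ok = 0;               /* got a bogus face back */
    }
    return NULL;
}

/* Returns the number of faces, or -1 if a key was inserted twice. */
int count_faces(unscaled_font_t *uf, long *refs)
{
    int n = 0;
    *refs = 0;
    for (face_t *a = uf->faces; a; a = a->next, n++) {
        *refs += a->refcount;
        for (face_t *b = a->next; b; b = b->next)
            if (a->key == b->key)
                return -1;
    }
    return n;
}

/* Runs nthreads (max 64) workers over the locked path; returns 1 if every
 * lookup succeeded, exactly nkeys faces exist and no increment was lost. */
int run_stress(int nthreads, int nkeys, int iters)
{
    unscaled_font_t uf;
    pthread_t tid[64];
    worker_t w[64];
    long refs;
    if (nthreads < 1 || nthreads > 64 || nkeys < 1)
        return 0;
    unscaled_font_init(&uf);
    for (int i = 0; i < nthreads; i++) {
        w[i] = (worker_t){ &uf, nkeys, iters, 0 };
        if (pthread_create(&tid[i], NULL, worker, &w[i]) != 0)
            return 0;
    }
    int ok = 1;
    for (int i = 0; i < nthreads; i++) {
        pthread_join(tid[i], NULL);
        ok &= w[i].ok;
    }
    ok &= count_faces(&uf, &refs) == nkeys;
    ok &= refs == (long)nthreads * iters;
    unscaled_font_destroy(&uf);
    return ok;
}

int main(void)
{
    printf("locked faces list under 8 threads: %s\n",
           run_stress(8, 4, 20000) ? "ok" : "FAILED");
    return 0;
}
```

The locked variant wraps the unlocked one on purpose: the fix in the bug is not a different list algorithm, just serialising the existing one under the mutex the unscaled font already owns. Detecting the unlocked variant's failure modes is inherently nondeterministic, so the stress test only exercises the locked path and asserts on the invariants; a data-race detector such as ThreadSanitizer is the practical way to catch the unlocked shape in real code.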
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fa08ddd9db32
lock access to cairo_ft_unscaled_font_t's faces list. r=jrmuizel
https://hg.mozilla.org/mozilla-central/rev/fa08ddd9db32
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59