Closed
Bug 1425346
Opened 7 years ago
Closed 7 years ago
Crash in _cairo_user_data_array_set_data.cold.16
Categories
(Core :: Graphics: WebRender, defect, P3)
RESOLVED
FIXED
mozilla59
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | --- | unaffected |
firefox59 | --- | disabled |
People
(Reporter: jan, Assigned: lsalzman)
References
(Blocks 1 open bug)
Details
(Keywords: crash, nightly-community)
Attachments
(1 file)
patch, 4.43 KB, jrmuizel: review+
Seen on Socorro. This signature is reappearing after a month of silence.
bug 1412545 was about it in the past. Regression?
bp-3a587a0e-a3e8-4385-b69b-5fd840171213 20171212100127 (2017-12-12) Linux
> 0 libxul.so _cairo_user_data_array_set_data.cold.16
> 1 libxul.so mozilla::gfx::ScaledFontFontconfig::CreateFromInstanceData gfx/2d/ScaledFontFontconfig.cpp:420
> 2 libxul.so mozilla::gfx::UnscaledFontFontconfig::CreateScaledFont gfx/2d/ScaledFontFontconfig.cpp:368
> 3 libxul.so mozilla::gfx::RecordedScaledFontCreationByIndex::PlayEvent gfx/2d/RecordedEventImpl.h:3022
> 4 libxul.so mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, size_t)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, size_t)::<lambda(mozilla::gfx::RecordedEvent*)> > gfx/2d/InlineTranslator.cpp:84
> 5 libxul.so mozilla::gfx::InlineTranslator::TranslateRecording gfx/2d/InlineTranslator.cpp:89
> 6 libxul.so mozilla::wr::Moz2DRenderCallback gfx/webrender_bindings/Moz2DImageRenderer.cpp:232
> 7 libxul.so wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:263
> 8 libxul.so rayon_core::job::{{impl}}::execute<closure> gfx/webrender_bindings/src/moz2d_renderer.rs:171
> 9 libxul.so rayon_core::registry::WorkerThread::wait_until<rayon_core::latch::CountLatch> third_party/rust/rayon-core/src/job.rs:55
> 10 libxul.so std::sys_common::backtrace::__rust_begin_short_backtrace<closure, ()> third_party/rust/rayon-core/src/registry.rs:559
> 11 libxul.so alloc::boxed::{{impl}}::call_box<(), closure> src/libstd/thread/mod.rs:400
> 12 libxul.so std::sys::imp::thread::{{impl}}::new::thread_start src/liballoc/boxed.rs:736
> Ø 13 libpthread-2.26.so libpthread-2.26.so@0x77fb
> Ø 14 libc-2.26.so libc-2.26.so@0x114b0e
Reporter
Updated•7 years ago
Blocks: wr-stability
Updated•7 years ago
Blocks: stage-wr-trains
Priority: -- → P3
Assignee
Comment 1•7 years ago
There is a nasty potential race inside cairo_ft_font_face_create_for_pattern where it is accessing a shared cairo_ft_unscaled_font's faces list and modifying it without any sort of locking. This means we can ultimately pull a bogus face off this list, which can then blow up when we try to do things like set user data on it.
So this patch takes the unscaled font's mutex temporarily before it does things with the list, which should prevent this particular brand of race.
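The locking pattern Comment 1 describes, as an added sketch that is not the cairo patch or any Mozilla code: the walk of a shared faces list and the insert of a new face sit in one critical section under the owning font's mutex. `face_t`, `unscaled_t`, `face_for_pattern` and `run_workers` are hypothetical stand-ins, and the thread and pattern counts are constructed.

```c
#include <pthread.h>
#include <stdlib.h>
#define THREADS 8                  /* constructed workload, not from the bug */
#define PATTERNS 16

typedef struct face {              /* hypothetical stand-in for one font face */
    int pattern_id, refs;
    struct face *next;
} face_t;
typedef struct {                   /* hypothetical stand-in for the shared unscaled font */
    pthread_mutex_t mutex;
    face_t *faces;
} unscaled_t;

/* Find-or-create: lookup and insert happen under the same lock, so no
 * thread can observe the list while another thread is modifying it. */
static face_t *face_for_pattern(unscaled_t *u, int pattern_id) {
    pthread_mutex_lock(&u->mutex);
    face_t *f = u->faces;
    while (f && f->pattern_id != pattern_id) f = f->next;
    if (f) {
        f->refs++;                                 /* reuse the existing face */
    } else if ((f = malloc(sizeof *f)) != NULL) {
        *f = (face_t){ pattern_id, 1, u->faces };  /* fully built before it is linked */
        u->faces = f;
    }
    pthread_mutex_unlock(&u->mutex);
    return f;
}

static void *worker(void *arg) {
    for (int p = 0; p < PATTERNS; p++) face_for_pattern(arg, p);
    return NULL;
}

/* Returns the number of faces if each one has exactly THREADS refs, else -1. */
static int run_workers(void) {
    unscaled_t u = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t[THREADS];
    int n = 0, ok = 1;
    for (int i = 0; i < THREADS; i++) pthread_create(&t[i], NULL, worker, &u);
    for (int i = 0; i < THREADS; i++) pthread_join(t[i], NULL);
    for (face_t *f = u.faces, *nx; f; f = nx, n++) {
        nx = f->next;
        ok &= (f->refs == THREADS);
        free(f);
    }
    return ok ? n : -1;
}

int main(void) { return run_workers() == PATTERNS ? 0 : 1; }
```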
Updated•7 years ago
Attachment #8940902 - Flags: review?(jmuizelaar) → review+
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fa08ddd9db32
lock access to cairo_ft_unscaled_font_t's faces list. r=jrmuizel
Comment 3•7 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59