Closed Bug 1463542 Opened 7 years ago Closed 7 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsMappedAttributes.cpp:285:19 in nsMappedAttributes::IndexOfAttr(nsAtom*) const

Categories

(Core :: DOM: Core & HTML, defect)

61 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID
Tracking Status
firefox62 --- affected

People

(Reporter: rs, Unassigned)

Details

(Keywords: csectype-uaf)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3418.2 Safari/537.36 Firefox for Android

Steps to reproduce:

No repro so far, yesterday's Mozilla Nightly build.

Actual results:

==31541==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020003962d0 at pc 0x7fbdda676a3b bp 0x7fffcb968950 sp 0x7fffcb968948
READ of size 2 at 0x6020003962d0 thread T0 (file:// Content)
    #0 0x7fbdda676a3a in nsMappedAttributes::IndexOfAttr(nsAtom*) const /builds/worker/workspace/build/src/dom/base/nsMappedAttributes.cpp:285:19
    #1 0x7fbdda476ec9 in nsAttrAndChildArray::IndexOfAttr(nsAtom*, int) const /builds/worker/workspace/build/src/dom/base/nsAttrAndChildArray.cpp:561:32
    #2 0x7fbdda3b85f3 in HasAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:2000:28
    #3 0x7fbdda3b85f3 in mozilla::dom::Link::ElementHasHref() const /builds/worker/workspace/build/src/dom/base/Link.cpp:78
    #4 0x7fbddd5a3893 in nsMathMLElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/mathml/nsMathMLElement.cpp:138:37
    #5 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #6 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #7 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #8 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #9 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #10 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #11 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #12 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #13 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #14 0x7fbddd51ef72 in nsGenericHTMLElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:489:20
    #15 0x7fbdda369eaf in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2029:37
    #16 0x7fbddd51ef72 in nsGenericHTMLElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:489:20
    #17 0x7fbddd4b0ca9 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/HTMLSharedElement.cpp:258:25
    #18 0x7fbdda525493 in nsDocument::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:1995:14
    #19 0x7fbddd540cdd in nsHTMLDocument::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:194:1
    #20 0x7fbdd71f20b4 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3401:26
    #21 0x7fbdd71f4d61 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3769:24
    #22 0x7fbdd71f9005 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4330:21
    #23 0x7fbdda63eda2 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1544:3
    #24 0x7fbdda63f863 in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1603:3
    #25 0x7fbdd731abcd in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #26 0x7fbdd731abcd in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:62
    #27 0x7fbdd735fa16 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #28 0x7fbdd737b950 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #29 0x7fbdd825bbba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7fbddedc649a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #34 0x7fbde301a1bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #35 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7fbde3019b80 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #39 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #40 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #41 0x7fbdf6694b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #42 0x42476c in _start (/home/fuzzer/browsers/firefox/firefox+0x42476c)

0x6020003962d0 is located 0 bytes inside of 16-byte region [0x6020003962d0,0x6020003962e0)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fbddf1db9e4 in mozilla::LangGroupFontPrefs::~LangGroupFontPrefs() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPresData.h:19:8
    #2 0x7fbddf1db9c4 in ~nsAutoPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:78:5
    #3 0x7fbddf1db9c4 in mozilla::LangGroupFontPrefs::~LangGroupFontPrefs() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPresData.h:19
    #4 0x7fbddf4dcfc8 in nsPresContext::~nsPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:364:1
    #5 0x7fbddf4eff6d in nsRootPresContext::~nsRootPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:3030:1
    #6 0x7fbdd71ed4a0 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #7 0x7fbdd71f862d in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #8 0x7fbdd71f862d in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4293
    #9 0x7fbdd8c998c9 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:126:34
    #10 0x7fbdd7382b0a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:343:22
    #11 0x7fbdd735fa16 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #12 0x7fbdd737b950 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #13 0x7fbdd825bbba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7fbddedc649a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #18 0x7fbde301a1bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #19 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #20 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #21 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #22 0x7fbde3019b80 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #23 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #24 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #25 0x7fbdf6694b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fbdd95a922b in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7fbdd95a922b in MakeNotNull<mozilla::SharedFontList *, mozilla::FontFamilyType &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/NotNull.h:201
    #4 0x7fbdd95a922b in mozilla::FontFamilyList::FontFamilyList(mozilla::FontFamilyType) /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxFontFamilyList.h:265
    #5 0x7fbdd95a8f21 in nsFont::nsFont(mozilla::FontFamilyType, int) /builds/worker/workspace/build/src/gfx/src/nsFont.cpp:28:5
    #6 0x7fbddf3c12b7 in LangGroupFontPrefs /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPresData.h:29:7
    #7 0x7fbddf3c12b7 in mozilla::StaticPresData::GetFontPrefsForLangHelper(nsAtom*, mozilla::LangGroupFontPrefs const*, bool*) const /builds/worker/workspace/build/src/layout/base/StaticPresData.cpp:270
    #8 0x7fbddf4e7b20 in GetFontPrefsForLang /builds/worker/workspace/build/src/layout/base/nsPresContext.h:1238:35
    #9 0x7fbddf4e7b20 in GetDefaultFont /builds/worker/workspace/build/src/layout/base/nsPresContext.h:371
    #10 0x7fbddf4e7b20 in nsPresContext::CacheAllLangs() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:1962
    #11 0x7fbddf20734e in mozilla::ServoStyleSet::ResolveStyleFor(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::LazyComputeBehavior) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:386:5
    #12 0x7fbddf4e55b3 in GetPropagatedScrollbarStylesForViewport(nsPresContext*, mozilla::ScrollbarStyles*) /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:1451:15
    #13 0x7fbddf3f838d in nsPresContext::UpdateViewportScrollbarStylesOverride() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:1497:7
    #14 0x7fbddf3f4793 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2437:41
    #15 0x7fbddf4155ae in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7492:9
    #16 0x7fbddf3563d9 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1806:26
    #17 0x7fbdda4c0c12 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1273:26
    #18 0x7fbdd9378c42 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:673:18
    #19 0x7fbdd93741ab in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1199:17
    #20 0x7fbdd9371136 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:17
    #21 0x7fbdd937d1ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
    #22 0x7fbdd73410f1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #23 0x7fbdd735fa16 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #24 0x7fbdd737b950 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #25 0x7fbdd825bbba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7fbddedc649a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #30 0x7fbde301a1bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #31 0x7fbdd81af259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #32 0x7fbdd81af259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #33 0x7fbdd81af259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #34 0x7fbde3019b80 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #35 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #36 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #37 0x7fbdf6694b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsMappedAttributes.cpp:285:19 in nsMappedAttributes::IndexOfAttr(nsAtom*) const
Shadow bytes around the buggy address:
  0x0c048006ac00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c048006ac10: fa fa fd fd fa fa fd fd fa fa 05 fa fa fa fa fa
  0x0c048006ac20: fa fa fd fd fa fa fd fa fa fa 04 fa fa fa fa fa
  0x0c048006ac30: fa fa fa fa fa fa 00 00 fa fa 02 fa fa fa fd fd
  0x0c048006ac40: fa fa fa fa fa fa fd fd fa fa fd fd fa fa fa fa
=>0x0c048006ac50: fa fa fd fd fa fa fa fa fa fa[fd]fd fa fa fa fa
  0x0c048006ac60: fa fa 00 04 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048006ac70: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04
  0x0c048006ac80: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa fa fa
  0x0c048006ac90: fa fa fa fa fa fa 00 00 fa fa fd fd fa fa 05 fa
  0x0c048006aca0: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==31541==ABORTING
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Keywords: csectype-uaf
Product: Firefox → Core
Same crash on another machine, but this happens using ffpuppet + xvfb instead of my setup. Same Mozilla Firefox Nightly build.
Heycam, could you take a look at this, please? It looks like you may have done some work on this SharedFontList stuff, so maybe you understand how the lifetime could be going awry.
Flags: needinfo?(cam)
Oh, I just commented on bug 1463524 mentioning that all the style callers I found of nsAtom's unsafe methods looked mostly sane... The refcount messup being in nsMappedAttributes would explain it crashing on style.
The relevant atom comes from font code... There's an existing data race here (bug 1463884) which may be related...
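The comments above reason by reading the report's three stacks against each other: the read in nsMappedAttributes, the free under ~LangGroupFontPrefs, and the allocation in font code. As an added example (not part of this bug thread or of Mozilla's tooling), the Python below pulls those three stacks out of an ASan report, including one whose frames were run together on a single line, and builds a signature for bucketing duplicates. The function names and the NOISE list of allocator and wrapper frames are assumptions of this example; the sample is abridged from the report in this bug.

```python
import re

# Abridged from the report in this bug: only the top frames of each stack are kept.
SAMPLE = """\
==31541==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020003962d0 at pc 0x7fbdda676a3b bp 0x7fffcb968950 sp 0x7fffcb968948
READ of size 2 at 0x6020003962d0 thread T0 (file:// Content)
    #0 0x7fbdda676a3a in nsMappedAttributes::IndexOfAttr(nsAtom*) const /builds/worker/workspace/build/src/dom/base/nsMappedAttributes.cpp:285:19
    #1 0x7fbdda476ec9 in nsAttrAndChildArray::IndexOfAttr(nsAtom*, int) const /builds/worker/workspace/build/src/dom/base/nsAttrAndChildArray.cpp:561:32
0x6020003962d0 is located 0 bytes inside of 16-byte region [0x6020003962d0,0x6020003962e0)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fbddf1db9e4 in mozilla::LangGroupFontPrefs::~LangGroupFontPrefs() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPresData.h:19:8
previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fbdd95a922b in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7fbdd95a922b in MakeNotNull<mozilla::SharedFontList *, mozilla::FontFamilyType &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/NotNull.h:201
    #4 0x7fbdd95a922b in mozilla::FontFamilyList::FontFamilyList(mozilla::FontFamilyType) /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxFontFamilyList.h:265
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsMappedAttributes.cpp:285:19 in nsMappedAttributes::IndexOfAttr(nsAtom*) const
"""

# "#N 0xPC in <function> <location>": the function may contain spaces, so it is
# matched lazily up to the first token that looks like a path or "(module+0xoff)".
FRAME = re.compile(r"#(\d+) (0x[0-9a-f]+) in ([^#]+?) (/\S+|\(\S+\))")
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS = re.compile(r"\b(READ|WRITE) of size (\d+)")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")
MARKERS = {"free": "freed by thread", "alloc": "previously allocated by thread"}
# Assumption of this example: frames that say nothing about the owning code.
NOISE = re.compile(r"(__interceptor_|malloc$|free$|moz_x|operator (new|delete)|~?nsAutoPtr|MakeNotNull<)")


def parse_asan_report(text):
    """Return bug type, access, region and the use/free/alloc stacks."""
    # Collapse all whitespace so wrapped and run-together reports parse alike.
    flat = " ".join(text.split())
    # Everything after SUMMARY (shadow bytes, legend) is irrelevant to the stacks.
    body = flat.split("SUMMARY: AddressSanitizer", 1)[0]
    header = HEADER.search(body)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    starts = {"use": header.end()}
    for name, marker in MARKERS.items():
        pos = body.find(marker)
        if pos != -1:
            starts[name] = pos
    ordered = sorted(starts.items(), key=lambda item: item[1])
    stacks = {}
    for i, (name, start) in enumerate(ordered):
        end = ordered[i + 1][1] if i + 1 < len(ordered) else len(body)
        stacks[name] = [
            {"index": int(m.group(1)), "pc": m.group(2),
             "function": m.group(3), "location": m.group(4)}
            for m in FRAME.finditer(body, start, end)
        ]
    access = ACCESS.search(body)
    region = REGION.search(body)
    return {
        "bug_type": header.group(1),
        "address": header.group(2),
        "access": (access.group(1), int(access.group(2))) if access else None,
        "region": (int(region.group(1)), int(region.group(2))) if region else None,
        "stacks": stacks,
    }


def first_meaningful(frames):
    """First frame that is not an allocator, interceptor or smart-pointer wrapper."""
    for frame in frames:
        if not NOISE.match(frame["function"]):
            return frame["function"]
    return None


def triage_signature(report):
    """(bug type, use site, free site, alloc site) for grouping duplicate crashes."""
    sites = tuple(first_meaningful(report["stacks"].get(k, []))
                  for k in ("use", "free", "alloc"))
    return (report["bug_type"],) + sites


if __name__ == "__main__":
    for part in triage_signature(parse_asan_report(SAMPLE)):
        print(part)
```
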
Likely related to CSS fonts, afaik that fuzzer round was MathML + CSS.
Yeah... I'll try to audit our font related code tomorrow if nobody beats me to finding it...
Flags: needinfo?(emilio)
I do not think this is totally related, this seems like another error when scaling a font. But in case it gives some clue (I do not have reproducer either)

==5659==ERROR: AddressSanitizer: SEGV on unknown address 0x00187fff8015 (pc 0x7fb10f59658e bp 0x7ffdf2e173a0 sp 0x7ffdf2e17330 T0)
==5659==The signal is caused by a READ memory access.
    #0 0x7fb10f59658d in _cairo_scaled_glyph_fini /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:202:53
    #1 0x7fb10f59658d in _cairo_scaled_glyph_page_destroy /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:450
    #2 0x7fb10f5076db in _cairo_cache_remove /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-cache.c:296:2
    #3 0x7fb10f5076db in _cairo_cache_remove_random /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-cache.c:223
    #4 0x7fb10f5076db in _cairo_cache_shrink_to_accommodate /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-cache.c:243
    #5 0x7fb10f5076db in _cairo_cache_thaw /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-cache.c:179
    #6 0x7fb10f5873ac in _cairo_scaled_font_thaw_cache /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:772:2
    #7 0x7fb10f5873ac in _moz_cairo_scaled_font_glyph_extents /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:1571
    #8 0x7fb10817cba5 in GetGlyphExtents /builds/worker/workspace/build/src/gfx/thebes/gfxFT2FontBase.cpp:121:5
    #9 0x7fb10817cba5 in GetCharWidth /builds/worker/workspace/build/src/gfx/thebes/gfxFT2FontBase.cpp:180
    #10 0x7fb10817cba5 in gfxFT2FontBase::InitMetrics() /builds/worker/workspace/build/src/gfx/thebes/gfxFT2FontBase.cpp:405
    #11 0x7fb10817b855 in gfxFT2FontBase::gfxFT2FontBase(RefPtr<mozilla::gfx::UnscaledFontFreeType> const&, _cairo_scaled_font*, gfxFontEntry*, gfxFontStyle const*) /builds/worker/workspace/build/src/gfx/thebes/gfxFT2FontBase.cpp:37:5
    #12 0x7fb1081876c3 in gfxFontconfigFont /builds/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:1423:7
    #13 0x7fb1081876c3 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) /builds/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:1040
    #14 0x7fb108294a32 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /builds/worker/workspace/build/src/gfx/thebes/gfxFontEntry.cpp:258:28
    #15 0x7fb10830911c in gfxFontGroup::GetFontAt(int, unsigned int) /builds/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1921:20
    #16 0x7fb10830b8b8 in gfxFontGroup::GetFirstValidFont(unsigned int) /builds/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2100:16
    #17 0x7fb107ab731d in nsFontMetrics::GetMetrics(gfxFont::Orientation) const /builds/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:169:24
    #18 0x7fb107ab8400 in GetMetrics /builds/worker/workspace/build/src/gfx/src/nsFontMetrics.h:244:14
    #19 0x7fb107ab8400 in nsFontMetrics::GetMaxStringLength() /builds/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:309
    #20 0x7fb10d9bf9e5 in GetMaxChunkLength /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5911:32
    #21 0x7fb10d9bf9e5 in nsLayoutUtils::AppUnitBoundsOfString(char16_t const*, unsigned int, nsFontMetrics&, mozilla::gfx::DrawTarget*) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5981
    #22 0x7fb10e0e824b in nsMathMLContainerFrame::ReflowError(mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:56:5
    #23 0x7fb10e119850 in nsMathMLmfracFrame::PlaceInternal(mozilla::gfx::DrawTarget*, bool, mozilla::ReflowOutput&, bool) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfracFrame.cpp:226:12
    #24 0x7fb10e1192c6 in nsMathMLmfracFrame::MeasureForWidth(mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfracFrame.cpp:185:10
    #25 0x7fb10e0f1240 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1038:17
    #26 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #27 0x7fb10e0f092d in UpdateIntrinsicWidth /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:968:5
    #28 0x7fb10e0f092d in nsMathMLContainerFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:992
    #29 0x7fb10d9b5e5c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp
    #30 0x7fb10d9bb0bf in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5487:10
    #31 0x7fb10db7a3fd in nsFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5325:19
    #32 0x7fb10db136aa in nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp
    #33 0x7fb10dc91722 in nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:266:3
    #34 0x7fb10da9f07e in nsBlockFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:860:16
    #35 0x7fb10d9b5e5c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp
    #36 0x7fb10d9bb0bf in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5487:10
    #37 0x7fb10e0f0db2 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1015:9
    #38 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #39 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #40 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #41 0x7fb10e0f092d in UpdateIntrinsicWidth /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:968:5
    #42 0x7fb10e0f092d in nsMathMLContainerFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:992
    #43 0x7fb10d9b5e5c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp
    #44 0x7fb10d9bb0bf in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5487:10
    #45 0x7fb10db7a3fd in nsFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5325:19
    #46 0x7fb10db136aa in nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp
    #47 0x7fb10dc91722 in nsInlineFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:266:3
    #48 0x7fb10da9f07e in nsBlockFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:860:16
    #49 0x7fb10d9b5e5c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp
    #50 0x7fb10d9bb0bf in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5487:10
    #51 0x7fb10e0f0db2 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1015:9
    #52 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #53 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #54 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #55 0x7fb10e0f0d95 in nsMathMLContainerFrame::GetIntrinsicISizeMetrics(gfxContext*, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:1008:23
    #56 0x7fb10e0f05cd in UpdateIntrinsicWidth /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:968:5
    #57 0x7fb10e0f05cd in nsMathMLContainerFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:982
    #58 0x7fb10db13dbd in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6365:22
    #59 0x7fb10db13dbd in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:862
    #60 0x7fb10db1a4d4 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5608:24
    #61 0x7fb10da4cc00 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2473:17
    #62 0x7fb10da4448f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:414:3
    #63 0x7fb10dc95618 in emplace<nsPresContext *&, const mozilla::ReflowInput &, nsIFrame *&, mozilla::LogicalSize &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:599:32
    #64 0x7fb10dc95618 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:864
    #65 0x7fb10dc947de in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:725:15
    #66 0x7fb10dc92bd1 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:607:7
    #67 0x7fb10dc91c8c in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:406:3
    #68 0x7fb10dc968ce in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:924:13
    #69 0x7fb10dac911d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #70 0x7fb10dac7ac7 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #71 0x7fb10dabe7e9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #72 0x7fb10dab6ae0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5
    #73 0x7fb10daac360 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #74 0x7fb10daa3ae4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #75 0x7fb10dac5047 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #76 0x7fb10dab8e42 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11
    #77 0x7fb10dab6c35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5
    #78 0x7fb10daac360 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #79 0x7fb10daa3ae4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #80 0x7fb10db03ea6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #81 0x7fb10db026f2 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #82 0x7fb10db03ea6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #83 0x7fb10dbedd18 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #84 0x7fb10dbef139 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3
    #85 0x7fb10dbf30e8 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1055:3
    #86 0x7fb10da87c4e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #87 0x7fb10da867ce in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #88 0x7fb10d86f120 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8942:11
    #89 0x7fb10d8848d0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9115:24
    #90 0x7fb10d882ce3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4332:11
    #91 0x7fb10d81417d in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:576:5
    #92 0x7fb10d81417d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1923
    #93 0x7fb10d82340b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13
    #94 0x7fb10d82340b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #95 0x7fb10d822fe9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #96 0x7fb10d825b2e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #97 0x7fb10d825b2e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673
    #98 0x7fb10d82572e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:574:9
    #99 0x7fb10e0ca4df in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #100 0x7fb106d7980d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #101 0x7fb106c3defd in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #102 0x7fb10675590e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2136:25
    #103 0x7fb106752852 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2066:17
    #104 0x7fb10675408c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1912:5
    #105 0x7fb1067546e8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1945:15
    #106 0x7fb105863816 in nsThread::ProcessNextEvent(bool, bool*)
/builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14 #107 0x7fb10587f750 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10 #108 0x7fb10675d5aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #109 0x7fb1066b0c79 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #110 0x7fb1066b0c79 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #111 0x7fb1066b0c79 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #112 0x7fb10d2cbc7a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #113 0x7fb11151de0b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #114 0x7fb1066b0c79 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #115 0x7fb1066b0c79 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #116 0x7fb1066b0c79 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #117 0x7fb11151d7d0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #118 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #119 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282 #120 0x7fb124bfdb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #121 0x42476c in _start (/home/fuzzer/browsers/firefox/firefox+0x42476c) AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:202:53 in _cairo_scaled_glyph_fini ==5659==ABORTING
Hmm, comment 7 doesn't really seem related, it's probably cairo just allocating a huge font or something... So, I did another round of auditing atom usage near style, and found nothing, though other eyes would be appreciated. I'm very wary of our font-metrics locking stuff, and same for the lang font group caching... But found nothing yet.
Flags: needinfo?(emilio)
Does this reproduce after the fix for bug 1463884 landed last week (May 29)?
Flags: needinfo?(rs)
(In reply to Daniel Veditz [:dveditz] from comment #9)
> Does this reproduce after the fix for bug 1463884 landed last week (May 29)?

Please cc me on that issue. I have not seen the issue for more or less a couple of weeks.
Flags: needinfo?(rs)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Just curious, what turned this into an invalid bug?
Flags: needinfo?(rs)
Flags: needinfo?(rs)
Component: DOM → DOM: Core & HTML
Group: dom-core-security
Flags: needinfo?(cam)