1500126 - Assertion failure: NS_IsMainThread(), at /builds/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:150

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 8f709fd4aa46.  Testcase is fairly difficult to reproduce.  In testing I've found that the testcase reproduces the issue approximately 1 in 5 attempts.

Assertion failure: NS_IsMainThread(), at /builds/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:150

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007feba23b4af0
rsi = 0x00007febbd1138b0   rdi = 0x00007febbd112680
rbp = 0x00007feba27fc980   rsp = 0x00007feba27fc970
r8 = 0x00007febbd1138b0    r9 = 0x00007feba27ff700
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x0000000000000000   r13 = 0x000000000000003e
r14 = 0x00007feba2f7e828   r15 = 0x00007feba23b4af0
rip = 0x00007febac2a11cd
OS|Linux|0.0.0 Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|21
21|0|libxul.so|nsFontMetrics::~nsFontMetrics()|hg:hg.mozilla.org/mozilla-central:gfx/src/nsFontMetrics.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|150|0x21
21|1|libxul.so|nsFontMetrics::Release()|hg:hg.mozilla.org/mozilla-central:gfx/src/nsFontMetrics.h:8f709fd4aa463ecfc38deda95ac9cc68b5095356|65|0x8
21|2|libxul.so|nsFontCache::Flush(int)|hg:hg.mozilla.org/mozilla-central:gfx/src/nsDeviceContext.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|217|0x8
21|3|libxul.so|nsFontCache::GetMetricsFor(nsFont const&, nsFontMetrics::Params const&)|hg:hg.mozilla.org/mozilla-central:gfx/src/nsDeviceContext.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|155|0xd
21|4|libxul.so|nsDeviceContext::GetMetricsFor(nsFont const&, nsFontMetrics::Params const&)|hg:hg.mozilla.org/mozilla-central:gfx/src/nsDeviceContext.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|265|0x1c
21|5|libxul.so|nsLayoutUtils::GetMetricsFor(nsPresContext*, bool, nsStyleFont const*, int, bool, nsLayoutUtils::FlushUserFontSet)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|10121|0x5
21|6|libxul.so|Gecko_GetFontMetrics|hg:hg.mozilla.org/mozilla-central:layout/style/GeckoBindings.cpp:8f709fd4aa463ecfc38deda95ac9cc68b5095356|2488|0x25
21|7|libxul.so|<style::gecko::wrapper::GeckoFontMetricsProvider as style::font_metrics::FontMetricsProvider>::query|hg:hg.mozilla.org/mozilla-central:servo/components/style/gecko/wrapper.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|1047|0x9
21|8|libxul.so|style::values::specified::length::FontRelativeLength::to_computed_value|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/specified/length.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|126|0x17
21|9|libxul.so|style::values::computed::length::<impl style::values::computed::ToComputedValue for style::values::specified::length::LengthOrPercentage>::to_computed_value|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/computed/length.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|34|0xa
21|10|libxul.so|<style::values::generics::basic_shape::BasicShape<H, V, LengthOrPercentage> as style::values::computed::ToComputedValue>::to_computed_value|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/generics/rect.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|23|0x8
21|11|libxul.so|style::properties::longhands::clip_path::cascade_property|hg:hg.mozilla.org/mozilla-central:servo/components/style/values/generics/basic_shape.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|62|0x8
21|12|libxul.so|style::properties::cascade::Cascade::apply_properties|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|463|0xd
21|13|libxul.so|style::properties::cascade::cascade_rules|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|303|0x10
21|14|libxul.so|style::stylist::Stylist::cascade_style_and_visited|hg:hg.mozilla.org/mozilla-central:servo/components/style/properties/cascade.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|93|0x37
21|15|libxul.so|<style::style_resolver::StyleResolverForElement<'a, 'ctx, 'le, E>>::cascade_style_and_visited|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|305|0x28
21|16|libxul.so|<style::style_resolver::StyleResolverForElement<'a, 'ctx, 'le, E>>::cascade_primary_style|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|215|0x17
21|17|libxul.so|<style::style_resolver::StyleResolverForElement<'a, 'ctx, 'le, E>>::cascade_styles_with_default_parents::{{closure}}|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|335|0x8
21|18|libxul.so|<style::style_resolver::StyleResolverForElement<'a, 'ctx, 'le, E>>::cascade_styles_with_default_parents|hg:hg.mozilla.org/mozilla-central:servo/components/style/style_resolver.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|102|0xb
21|19|libxul.so|style::traversal::compute_style|hg:hg.mozilla.org/mozilla-central:servo/components/style/traversal.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|666|0x5
21|20|libxul.so|<style::gecko::traversal::RecalcStyleOnly<'recalc> as style::traversal::DomTraversal<style::gecko::wrapper::GeckoElement<'le>>>::process_preorder|hg:hg.mozilla.org/mozilla-central:servo/components/style/traversal.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|435|0xb
21|21|libxul.so|<std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once|hg:hg.mozilla.org/mozilla-central:servo/components/style/parallel.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|197|0x20
21|22|libxul.so|std::panicking::try::do_call|git:github.com/rust-lang/rust:src/libstd/panicking.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|310|0x18
21|23|libxul.so|__rust_maybe_catch_panic|git:github.com/rust-lang/rust:src/libpanic_abort/lib.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|39|0x5
21|24|libxul.so|<rayon_core::job::HeapJob<BODY> as rayon_core::job::Job>::execute|git:github.com/rust-lang/rust:src/libstd/panicking.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|289|0x5
21|25|libxul.so|rayon_core::registry::WorkerThread::wait_until_cold|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/job.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|60|0x6
21|26|libxul.so|rayon_core::scope::Scope::steal_till_jobs_complete|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|543|0x8
21|27|libxul.so|rayon_core::registry::in_worker|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/scope/mod.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|272|0xb
21|28|libxul.so|std::panicking::try::do_call|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/scope/mod.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|262|0x5
21|29|libxul.so|__rust_maybe_catch_panic|git:github.com/rust-lang/rust:src/libpanic_abort/lib.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|39|0x5
21|30|libxul.so|<rayon_core::job::StackJob<L, F, R> as rayon_core::job::Job>::execute|git:github.com/rust-lang/rust:src/libstd/panicking.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|289|0x5
21|31|libxul.so|rayon_core::registry::WorkerThread::wait_until_cold|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/job.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|60|0x6
21|32|libxul.so|rayon_core::registry::main_loop|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:8f709fd4aa463ecfc38deda95ac9cc68b5095356|543|0x8
21|33|libxul.so|std::panicking::try::do_call|git:github.com/rust-lang/rust:src/libstd/thread/mod.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|409|0x5
21|34|libxul.so|__rust_maybe_catch_panic|git:github.com/rust-lang/rust:src/libpanic_abort/lib.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|39|0x5
21|35|libxul.so|<F as alloc::boxed::FnBox<A>>::call_box|git:github.com/rust-lang/rust:src/libstd/panicking.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|289|0x5
21|36|libxul.so|std::sys_common::thread::start_thread|git:github.com/rust-lang/rust:src/liballoc/boxed.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|652|0x3
21|37|libxul.so|std::sys::unix::thread::Thread::new::thread_start|git:github.com/rust-lang/rust:src/libstd/sys/unix/thread.rs:aa3ca1994904f2e056679fce1f185db8c7ed2703|90|0x5
21|38|libpthread-2.27.so||||0x76db
21|39|libc-2.27.so||||0x12188f

Comment 1

[Jonathan Kew [:jfkthame]]

This'll be a regression from bug 1498316. The specific testcase is fairly irrelevant, anything that causes stylo to access new font metrics might hit this, if it gets unlucky.

Comment 2

[Jonathan Kew [:jfkthame]]

Attachment: Flushing the font metrics cache needs to be done on the main thread

The main caller of GetMetricsFor is the stylo traversal threads, which can't be allowed to flush the font metrics cache directly because this may result in releasing various non-thread-safe font objects. So instead we should post a task back to the main thread, and let the flush happen there.

Comment 3

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/214e786d1ca0
Flushing the font metrics cache needs to be done on the main thread. r=lsalzman

Comment 4

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/214e786d1ca0

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Is this testcase worth landing as a crashtest?

Comment 6

[Jonathan Kew [:jfkthame]]

I suppose it wouldn't hurt. (I was hoping to come up with a testcase that hit the assertion more reliably, but my initial attempts, at least, didn't work out any better.)