Closed Bug 1553228 Opened 6 years ago Closed 6 years ago

Crash in [@ arena_dalloc | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()]

Categories

(Core :: Graphics: Text, defect, P3)

66 Branch
Unspecified
Linux
defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 68+ fixed
firefox68 + fixed
firefox69 + fixed
firefox70 + fixed

People

(Reporter: lizzard, Assigned: lsalzman)

References

(Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug is for crash report bp-975d398c-708e-4bc3-b054-ef1520190521.

Early results from the initial nightly 69 builds. Low volume so far.

Top 10 frames of crashing thread:

0 firefox-bin arena_dalloc memory/build/mozjemalloc.cpp:3283
1 libxul.so gfxFcPlatformFontList::ReadSystemFontList const gfx/thebes/gfxFcPlatformFontList.cpp:1659
2 libxul.so void gfxFontconfigFontFamily::AddFacesToFontList<gfxFcPlatformFontList::ReadSystemFontList gfx/thebes/gfxFcPlatformFontList.cpp:1366
3 libxul.so gfxFcPlatformFontList::ReadSystemFontList gfx/thebes/gfxFcPlatformFontList.cpp:1650
4 libxul.so mozilla::dom::ContentParent::InitInternal dom/ipc/ContentParent.cpp:2389
5 libxul.so mozilla::dom::ContentParent::LaunchSubprocessInternal const dom/ipc/ContentParent.cpp:2145
6 libxul.so mozilla::dom::ContentParent::LaunchSubprocessInternal dom/ipc/ContentParent.cpp:2184
7 libxul.so mozilla::dom::ContentParent::GetNewOrUsedBrowserProcess dom/ipc/ContentParent.cpp:898
8 libxul.so mozilla::dom::ContentParent::CreateBrowser dom/ipc/ContentParent.cpp:1142
9 libxul.so nsFrameLoader::TryRemoteBrowser dom/base/nsFrameLoader.cpp:2736

Lee is this actionable?

Flags: needinfo?(lsalzman)
Priority: -- → P3

It looks like all these reports are coming from one single ancient Linux installation (kernel 3.13). Other than that, it just looks like Fontconfig is handing off some bad data to us, which may be related to the weird/ancient Linux setup of this user. Offhand, I am not sure there is anything we can do about it right now.

Flags: needinfo?(lsalzman)

This crash is showing up more commonly with the [@ free | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator() ] signature, which seems to be newly regressing in 68. Could this be related to bug 1514869?

Crash Signature: [@ arena_dalloc | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] → [@ arena_dalloc | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] [@ free | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator() ]
Flags: needinfo?(jfkthame)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
See Also: → 1565882

(In reply to Lee Salzman [:lsalzman] from comment #2)

> It looks like all these reports are coming from one single ancient Linux installation (kernel 3.13). Other than that, it just looks like Fontconfig is handing off some bad data to us, which may be related to the weird/ancient Linux setup of this user. Offhand, I am not sure there is anything we can do about it right now.

We're getting some reports from other 3.x kernels as well; I've seen 3.2.0, 3.8.0, 3.11.0, and maybe more. I think it's quite likely this relates to old fontconfig versions, but we really should try to figure out what's breaking and how we can work around it (and why it's spiking...)

Flags: needinfo?(jfkthame)
Crash Signature: [@ arena_dalloc | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] [@ free | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator() ] → [@ arena_dalloc | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] [@ free | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] [@ arena_dalloc | free | gfxFcPlatformFontList::ReadSystemFontList::$_0::operator()] [@ libpthread-2.15.…

I tracked this down to a patch in bug 1514869 causing us to erroneously free Fontconfig data that we should not be freeing... Oops. This will cause us to crash pretty badly on any Fontconfig version < 2.9.

Regressed by: 1514869
See Also: 1565882
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/49e41231b35b
Don't free result of FcPatternGetString. r=jfkthame
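
The ownership rule behind this fix, as an added example that is not code from Firefox or Fontconfig: a getter that returns a pointer into the object's own storage, as FcPatternGetString does, so the caller copies what it needs and leaves the free to the owner. `Pattern`, `pattern_get_string`, `read_family_name` and the `live_allocs` counter are hypothetical stand-ins, and the font name is constructed sample input.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a Fontconfig pattern: it owns its strings. */
typedef struct { char *family; } Pattern;
static int live_allocs = 0;          /* outstanding heap blocks */

static char *dup_tracked(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) { strcpy(p, s); live_allocs++; }
    return p;
}
static void free_tracked(void *p) { if (p) { free(p); live_allocs--; } }

Pattern *pattern_create(const char *family) {
    Pattern *pat = malloc(sizeof *pat);
    if (pat) { live_allocs++; pat->family = dup_tracked(family); }
    return pat;
}

/* Same contract as FcPatternGetString: *out is borrowed from the pattern. */
int pattern_get_string(const Pattern *pat, const char **out) {
    if (!pat || !pat->family) return -1;
    *out = pat->family;
    return 0;
}

void pattern_destroy(Pattern *pat) {
    if (!pat) return;
    free_tracked(pat->family);       /* the only free of the string */
    free_tracked(pat);
}

/* Caller that needs the name after the pattern is gone: copy it. Freeing
 * `borrowed` here would make pattern_destroy() free the same block twice. */
char *read_family_name(const char *family) {
    Pattern *pat = pattern_create(family);
    const char *borrowed = NULL;
    char *owned = NULL;
    if (pat && pattern_get_string(pat, &borrowed) == 0)
        owned = dup_tracked(borrowed);
    pattern_destroy(pat);            /* `borrowed` dangles from here on */
    return owned;                    /* caller releases with free_tracked() */
}

int main(void) {                     /* constructed sample input */
    char *name = read_family_name("DejaVu Sans");
    int ok = name && strcmp(name, "DejaVu Sans") == 0;
    free_tracked(name);
    return (ok && live_allocs == 0) ? 0 : 1;
}
```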

Comment on attachment 9078320 [details]
Bug 1553228 - Don't free result of FcPatternGetString. r?jfkthame

Beta/Release Uplift Approval Request

  • User impact if declined: Consistent start-up crashes on older Linux distros (i.e. Ubuntu 12.04)
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just removes a free() of memory that was never supposed to be freed.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Consistent start-up crashes on older Linux distros (i.e. Ubuntu 12.04)
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just removes a free() of memory that was never supposed to be freed.
  • String or UUID changes made by this patch:
Attachment #9078320 - Flags: approval-mozilla-release?
Attachment #9078320 - Flags: approval-mozilla-esr68?
Attachment #9078320 - Flags: approval-mozilla-beta?
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → lsalzman

Comment on attachment 9078320 [details]
Bug 1553228 - Don't free result of FcPatternGetString. r?jfkthame

linux crash fix, approved for 69.0b6, 68.0.1, 68.1esr

Attachment #9078320 - Flags: approval-mozilla-release?
Attachment #9078320 - Flags: approval-mozilla-release+
Attachment #9078320 - Flags: approval-mozilla-esr68?
Attachment #9078320 - Flags: approval-mozilla-esr68+
Attachment #9078320 - Flags: approval-mozilla-beta?
Attachment #9078320 - Flags: approval-mozilla-beta+

Per discussion with jcristau, we're uplifting this to 68.0.1esr also to maintain parity with the non-ESR 68.0.1 release and hopefully avoid some confusion.

Has Regression Range: --- → yes