WR on Pixel 2 crashes in [@ FT_Done_Face]

RESOLVED FIXED in Firefox 69

Status

defect
P3
critical
RESOLVED FIXED
2 months ago
2 months ago

People

(Reporter: intermittent-bug-filer, Assigned: lsalzman)

Tracking

({crash})

unspecified
mozilla69
Firefox Tracking Flags

(firefox-esr60 wontfix, firefox67 wontfix, firefox68 wontfix, firefox69 fixed)

Attachments

(1 attachment)

22:17:05     INFO -  Crash reason:  SIGSEGV /SEGV_ACCERR
22:17:05     INFO -  Crash address: 0xe5e5e625
22:17:05     INFO -  Process uptime: not available
22:17:05     INFO -  Thread 11 (crashed)
22:17:05     INFO -   0  libxul.so!FT_Done_Face [ftobjs.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 2776 + 0x4]
22:17:05     INFO -       r0 = 0xe5e5e5e5    r1 = 0xd8ccce48    r2 = 0x00000001    r3 = 0x80000000
22:17:05     INFO -       r4 = 0xc0af7800    r5 = 0xf60691b8    r6 = 0xd8ccce3c    r7 = 0xd8ccce30
22:17:05     INFO -       r8 = 0xd8ccce40    r9 = 0xd6091a2c   r10 = 0xd608ddd9   r12 = 0xd465eaf5
22:17:05     INFO -       fp = 0xd60919e1    sp = 0xd8ccce18    lr = 0xd28056e1    pc = 0xd465eb08
22:17:05     INFO -      Found by: given as instruction pointer in context
22:17:05     INFO -   1  libxul.so!mozilla::gfx::Factory::ReleaseFTFace(FT_FaceRec_*) [Factory.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 731 + 0x5]
22:17:05     INFO -       r4 = 0xc0af7800    r5 = 0xf60691b8    r6 = 0xd8ccce3c    r7 = 0xd8ccce60
22:17:05     INFO -       r8 = 0xd8ccce40    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccce38    lr = 0xd28056e1    pc = 0xd28056e1
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   2  libxul.so!mozilla::gfx::NativeFontResourceFreeType::~NativeFontResourceFreeType() [NativeFontResourceFreeType.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 20 + 0x3]
22:17:05     INFO -       r4 = 0xbe50f140    r5 = 0x00000001    r6 = 0xbe5020d4    r7 = 0xd8ccce70
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccce68    lr = 0xd2816923    pc = 0xd2816923
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   3  libxul.so!mozilla::gfx::NativeFontResourceFreeType::~NativeFontResourceFreeType() [NativeFontResourceFreeType.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 18 + 0x7]
22:17:05     INFO -       r4 = 0xbe5121fc    r5 = 0x00000001    r6 = 0xbe5020d4    r7 = 0xd8ccce78
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccce78    lr = 0xd2816945    pc = 0xd2816945
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   4  libxul.so!_cairo_user_data_array_fini [cairo-array.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 417 + 0x1]
22:17:05     INFO -       r4 = 0xbe5121fc    r5 = 0x00000001    r6 = 0xbe5020d4    r7 = 0xd8ccce90
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccce80    lr = 0xd400689b    pc = 0xd400689b
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   5  libxul.so!_moz_cairo_font_face_destroy [cairo-font-face.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 162 + 0x7]
22:17:05     INFO -       r4 = 0xbe5121f0    r5 = 0xbe5121f8    r6 = 0xbe5176e8    r7 = 0xd8cccea8
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccce98    lr = 0xd400e877    pc = 0xd400e877
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   6  libxul.so!_cairo_ft_unscaled_font_destroy [cairo-ft-font.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 662 + 0x7]
22:17:05     INFO -       r4 = 0xbe51e100    r5 = 0xbe51e1b0    r6 = 0xbe5176e8    r7 = 0xd8cccec0
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8ccceb0    lr = 0xd3ff6cfb    pc = 0xd3ff6cfb
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   7  libxul.so!_cairo_unscaled_font_destroy [cairo-font-face.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 323 + 0x7]
22:17:05     INFO -       r4 = 0xbe51e100    r5 = 0xbe517580    r6 = 0xbe5176e8    r7 = 0xd8ccced8
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8cccec8    lr = 0xd400ea0b    pc = 0xd400ea0b
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   8  libxul.so!_cairo_scaled_font_fini_internal [cairo-scaled-font.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 843 + 0x3]
22:17:05     INFO -       r4 = 0xbe517580    r5 = 0xbe517580    r6 = 0xbe5176e8    r7 = 0xd8cccef8
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8cccee0    lr = 0xd4028fdf    pc = 0xd4028fdf
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -   9  libxul.so!_cairo_scaled_font_map_destroy [cairo-scaled-font.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 426 + 0xb]
22:17:05     INFO -       r4 = 0xd7c679dc    r5 = 0xbe517580    r6 = 0xbe4e0000    r7 = 0xd8cccf28
22:17:05     INFO -       r8 = 0xf606474c    r9 = 0xd6091a2c   r10 = 0xd608ddd9    fp = 0xd60919e1
22:17:05     INFO -       sp = 0xd8cccf00    lr = 0xd4028c87    pc = 0xd4028c87
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  10  libxul.so!_moz_cairo_debug_reset_static_data [cairo-debug.c:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 64 + 0x3]
22:17:05     INFO -       r4 = 0xc0a96a80    r5 = 0xc0a96aa0    r6 = 0xd7bd5584    r7 = 0xd8cccf30
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf30    lr = 0xd40096f1    pc = 0xd40096f1
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  11  libxul.so!gfxPlatform::~gfxPlatform() [gfxPlatform.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 1349 + 0x3]
22:17:05     INFO -       r4 = 0xc0a96a80    r5 = 0xc0a96aa0    r6 = 0xd7bd5584    r7 = 0xd8cccf48
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf38    lr = 0xd29b6c77    pc = 0xd29b6c77
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  12  libxul.so!gfxAndroidPlatform::~gfxAndroidPlatform() [gfxAndroidPlatform.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 101 + 0x7]
22:17:05     INFO -       r4 = 0xd7bda874    r5 = 0xd1f7ce9d    r6 = 0xd7bd5584    r7 = 0xd8cccf50
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf50    lr = 0xd29a93b5    pc = 0xd29a93b5
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  13  libxul.so!gfxPlatform::Shutdown() [gfxPlatform.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 1255 + 0xb]
22:17:05     INFO -       r4 = 0xd7bda874    r5 = 0xd1f7ce9d    r6 = 0xd7bd5584    r7 = 0xd8cccf68
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf58    lr = 0xd29b6861    pc = 0xd29b6861
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  14  libxul.so!nsLayoutModuleDtor() [nsLayoutModule.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 266 + 0x3]
22:17:05     INFO -       r4 = 0xd7f511c0    r5 = 0xd1f7ce9d    r6 = 0xd7bd5584    r7 = 0xd8cccf70
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf70    lr = 0xd3e024c1    pc = 0xd3e024c1
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  15  libxul.so!nsComponentManagerImpl::Shutdown() [nsComponentManager.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 945 + 0x3]
22:17:05     INFO -       r4 = 0xd7f511c0    r5 = 0xd1f7ce9d    r6 = 0xd7bd5584    r7 = 0xd8cccf80
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf78    lr = 0xd1fbf9bb    pc = 0xd1fbf9bb
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  16  libxul.so!mozilla::ShutdownXPCOM(nsIServiceManager*) [XPCOMInit.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 724 + 0x3]
22:17:05     INFO -       r4 = 0x00000000    r5 = 0xd8cccf90    r6 = 0xd7bd5584    r7 = 0xd8cccfb0
22:17:05     INFO -       r8 = 0xf60691b8    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccf88    lr = 0xd1ff1485    pc = 0xd1ff1485
22:17:05     INFO -      Found by: call frame info
22:17:05     INFO -  17  libxul.so!ScopedXPCOMStartup::~ScopedXPCOMStartup() [nsAppRunner.cpp:2410734f6659fb4bc5f852c10d4294dd9536ba85 : 1248 + 0x5]
22:17:05     INFO -       r4 = 0xd7f010d4    r5 = 0xf60691b8    r6 = 0x00000000    r7 = 0xd8cccfe0
22:17:05     INFO -       r8 = 0xd8ccd070    r9 = 0xd8ccd058   r10 = 0xd8ccd021    fp = 0xf60691b8
22:17:05     INFO -       sp = 0xd8cccfb8    lr = 0xd45f161f    pc = 0xd45f161f
22:17:05     INFO -      Found by: call frame info
Priority: -- → P3

This is because gfxAndroidPlatform's destructor calls FT_Done_Library, which frees all the FT_Faces instantiated by that library, before cairo_debug_reset_static_data() is called in gfxPlatform's inherited destructor, which then tries to free all the lingering FT_Faces as well.

I am currently investigating a potential fix.

Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0d9f920680e3
reset Cairo data in WillShutdown before gfxPlatform destructor is called. r=jfkthame
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Assignee: nobody → lsalzman
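
The shutdown ordering described in the analysis above, as a small model added here for illustration (not Mozilla's code). Library, FontCache and RunShutdown are hypothetical names, and integer handles stand in for FT_Face pointers so that a release of an already-freed face is counted instead of dereferencing freed memory.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Stand-in for an FT_Library: it owns every face created from it.
struct Library {
  std::set<int> live;        // handles of faces still allocated
  int staleReleases = 0;     // releases of a face the library already freed
  int next = 1;
  int NewFace() { live.insert(next); return next++; }
  void DoneFace(int h) { if (live.erase(h) == 0) ++staleReleases; }  // models FT_Done_Face
  void DoneLibrary() { live.clear(); }                               // models FT_Done_Library
};

// Stand-in for Cairo's static font data, which holds faces until it is reset.
struct FontCache {
  std::vector<int> faces;
  void Reset(Library& lib) {  // models cairo_debug_reset_static_data()
    for (int h : faces) lib.DoneFace(h);
    faces.clear();
  }
};

struct Platform {             // models gfxPlatform
  Library& lib; FontCache& cache;
  Platform(Library& l, FontCache& c) : lib(l), cache(c) {}
  void WillShutdown() { cache.Reset(lib); }  // fixed order: reset while the library is alive
  virtual ~Platform() { cache.Reset(lib); }  // base destructor runs AFTER the derived one
};

struct AndroidPlatform : Platform {          // models gfxAndroidPlatform
  using Platform::Platform;
  ~AndroidPlatform() override { lib.DoneLibrary(); }
};

// Returns how many faces were released after the library had already freed them.
int RunShutdown(bool resetInWillShutdown) {
  Library lib; FontCache cache;
  cache.faces = {lib.NewFace(), lib.NewFace(), lib.NewFace()};
  {
    AndroidPlatform p(lib, cache);
    if (resetInWillShutdown) p.WillShutdown();
  }  // ~AndroidPlatform runs first, then ~Platform
  return lib.staleReleases;
}

int main() {
  std::printf("buggy: %d stale, fixed: %d stale\n", RunShutdown(false), RunShutdown(true));
}
```

In the real crash the stale release is a use of freed memory: r0 and the crash address in the trace carry the 0xe5 fill pattern.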