Closed Bug 1578154 Opened 3 months ago Closed 3 months ago

Crash in [@ gfxFontGroup::GetUnderlineOffset]

Categories

(Core :: Layout: Text and Fonts, defect, P3, critical)

70 Branch
x86_64
Windows 7
defect

Tracking

()

RESOLVED FIXED
mozilla71
Tracking Status
firefox70 --- disabled
firefox71 --- fixed

People

(Reporter: over68, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Crash Data

Attachments

(2 files)

Attached file testcase

Steps to reproduce:

  1. Set gfx.e10s.font-list.shared to true.
  2. Restart Firefox.
  3. Download Font Loader.
  4. Download Franklin Gothic Book Regular.ttf.
  5. Open the <select> menu in the testcase.
  6. Open the Font Loader, Click on the Add Fonts button, Select the font file Franklin Gothic Book Regular.ttf then click Open.
  7. Click on the Load button.
  8. Open the <select> menu in the testcase.

Actual results:

Browser crashes.

Crash report: bp-6f8a0fca-486e-4f79-a40e-7d86d0190902

Top 10 frames of crashing thread:

0 xul.dll gfxFontGroup::GetUnderlineOffset gfx/thebes/gfxTextRun.cpp:2737
1 xul.dll nsFontMetrics::MaxHeight gfx/src/nsFontMetrics.cpp:228
2 xul.dll void nsTextBoxFrame::GetTextSize layout/xul/nsTextBoxFrame.cpp:982
3 xul.dll void nsTextBoxFrame::CalcTextSize layout/xul/nsTextBoxFrame.cpp:993
4 xul.dll struct nsSize nsTextBoxFrame::GetXULPrefSize layout/xul/nsTextBoxFrame.cpp:1053
5 xul.dll nsSprocketLayout::GetXULPrefSize layout/xul/nsSprocketLayout.cpp:1248
6 xul.dll nsBoxFrame::GetXULPrefSize layout/xul/nsBoxFrame.cpp:690
7 xul.dll struct nsSize nsMenuFrame::GetXULPrefSize layout/xul/nsMenuFrame.cpp:1220
8 xul.dll nsSprocketLayout::GetXULPrefSize layout/xul/nsSprocketLayout.cpp:1248
9 xul.dll nsBoxFrame::GetXULPrefSize layout/xul/nsBoxFrame.cpp:690

See Also: → 1578427

Note that this is disabled by default (bug 1533462 is about turning on the pref for dev builds); adjusting firefox-70 status accordingly.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jfkthame)
Priority: -- → P3

The crash here occurs because when the new font is activated, we rebuild the font list; but when we do that, we fail to flush the nsFontCache attached to each device context, and this means we may retrieve and try to use a cached nsFontMetrics that contains stale references to fonts from the old font-list.

(This was probably a bug that might have been observable in some obscure cases even without the shared font list; I think we might have temporarily used the wrong metrics, or something like that. But with the shared font list, we end up trying to use a pointer to a shared-memory object that is no longer present, and so we crash.)

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f65904c67692
Ensure all device contexts flush their nsFontCache when the platform font list is reinitialized. r=jwatt
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → jfkthame
Blocks: 1571347

Marking based on #c0 steps.

Has STR: --- → yes
Flags: qe-verify+

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
You need to log in before you can comment on or make changes to this bug.