Closed Bug 1588418 Opened 10 months ago Closed 3 months ago

Crash in [@ gfxFontEntry::HasCharacter]

Categories

(Core :: Layout: Text and Fonts, defect, P3)

71 Branch
x86_64
Windows 7
defect

Tracking

RESOLVED FIXED
mozilla78
Tracking Status
firefox-esr68 --- disabled
firefox69 --- disabled
firefox70 --- disabled
firefox71 --- disabled
firefox72 --- disabled
firefox76 --- disabled
firefox77 --- disabled
firefox78 --- fixed

People

(Reporter: over68, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Steps to reproduce:

  1. Set gfx.e10s.font-list.shared to true.
  2. Restart Firefox.
  3. Download Font Loader.
  4. Download Franklin Gothic Book Regular.ttf.
  5. Log in to Outlook.
  6. Click on the Help icon (? in the top right) to open the sidebar.
  7. Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
  8. Click on the Load button.
  9. Close the sidebar.

See https://youtu.be/u7jHCbSYKdk

Actual results:

The tab crashed.

Crash report: bp-7b83effb-713d-4691-bff6-fefb60191014

Top 10 frames of crashing thread:

0 xul.dll gfxFontEntry::HasCharacter gfx/thebes/gfxFontEntry.h:214
1 xul.dll gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2495
2 xul.dll static void gfxFontGroup::InitTextRun<char16_t> gfx/thebes/gfxTextRun.cpp:2417
3 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2289
4 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2482
5 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1640
6 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrame.cpp:1964
7 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:2937
8 xul.dll void nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8490
9 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:723

Jonathan fyi.

Flags: needinfo?(jfkthame)
Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Has STR: --- → yes
Ever confirmed: true
Keywords: crash
Priority: -- → P3

I suspect the patch in bug 1581715 may also resolve this one. Could you confirm whether you can reproduce this with the try build from https://bugzilla.mozilla.org/show_bug.cgi?id=1581715#c4, which includes the patch awaiting review there? Thanks!

Flags: needinfo?(jfkthame) → needinfo?(over68)

I can reproduce the crash with the build in bug 1581715 comment 4.

bp-b2bc4371-2291-412a-982d-d707a0191119

Flags: needinfo?(over68)

Ah, that's disappointing -- OK, thanks for testing.

I've not yet managed to reproduce this locally; I expect it may be dependent on details of the system font configuration and/or timing issues, etc. Do you have other sites where you can reproduce a similar crash? Could you please add a fresh crash report from current Nightly (which should show a more useful stack than we get from the tryserver build)? Thanks.

Flags: needinfo?(over68)

Note the crash only occurs if the ad contains text like in this screenshot. I have no other sites where I can reproduce a similar crash.

Crash report: bp-c0636170-504b-47dc-9766-590550191210

Top 10 frames of crashing thread:

0 xul.dll gfxFontEntry::HasCharacter gfx/thebes/gfxFontEntry.h:214
1 xul.dll static void gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2496
2 xul.dll static void gfxFontGroup::InitTextRun<char16_t> gfx/thebes/gfxTextRun.cpp:2418
3 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2290
4 xul.dll void BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1646
5 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:2979
6 xul.dll void nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8446
7 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:768
8 xul.dll nsHTMLScrollFrame::GetMinISize layout/generic/nsGfxScrollFrame.cpp:898
9 xul.dll nsFrame::ShrinkWidthToFit layout/generic/nsFrame.cpp:6560

Flags: needinfo?(over68)

The crash signature has changed to gfxFontGroup::InitScriptRun<T>.

bp-a5c64bdc-df9a-4166-8d16-6b8310200323

Crash Signature: [@ gfxFontEntry::HasCharacter] → [@ gfxFontGroup::InitScriptRun<T> ] [@ gfxFontEntry::HasCharacter]

I can still reproduce the crash on Win10 and Win7 with latest Nightly build.

Steps to reproduce 2:

  1. Set gfx.e10s.font-list.shared to true.
  2. Restart Firefox.
  3. Download Font Loader.
  4. Download Franklin Gothic Book Regular.ttf.
  5. Log in to Outlook.
  6. Wait for the ad to display on the right side of the page.
  7. Click on the Help icon (? in the top right) to open the sidebar.
  8. Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
  9. Click on the Load button.
  10. Close the sidebar.

Here is an attempt to reproduce the crash https://youtu.be/CPz8LLPBKIk.

Actual results:

The tab crashed.

Crash report: bp-819099c9-9b2d-4541-8c71-836300200323

Top 10 frames of crashing thread:

0 xul.dll gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2524
1 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2318
2 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2525
3 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1646
4 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrame.cpp:2004
5 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:2979
6 xul.dll nsTextFrame::ReflowText layout/generic/nsTextFrame.cpp:9150
7 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:881
8 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:4279
9 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:2685

Note the crash only occurs if the ad contains the Ad icon which appears in green, see screenshot.

This is a saved page that contains the ad causing the crash (the green icon does not appear because the page is saved): https://onedrive.live.com/download?cid=F96BA52A2AF70D03&resid=F96BA52A2AF70D03%211511&authkey=AJdcrWFNEmmAWZI.

Thanks for the update, blinky -- really appreciate your testing!

One thing I notice is that the great majority of crashes here seem to be on 32-bit builds, with only a handful of 64-bit. Maybe there's a 32-bit specific flaw that we need to pin down (or maybe it's just the more restricted address space that makes the problem easier to hit).

See Also: → 1622724
Blocks: 1622724
See Also: 1622724

This has proved tricky for me to reproduce, but I did finally catch it under a debugger and poke around a bit. It seems the issue occurs as a result of the frame with Taboola ads using Segoe UI via a @font-face rule with src:local(...), at the same time as the font is also used "normally" on the page; we're ending up with the user font set having references to font entries that become invalid when the font list is rebuilt, but it tries to continue using them.

Verifying a fix is a bit uncertain because I haven't always been able to reproduce the crash reliably, but I believe I have a patch that should resolve this. Blinky, if you could try the build from https://treeherder.mozilla.org/#/jobs?repo=try&revision=13d13e90eab34230e3fc6191a3196a79b47b6d36 and confirm whether you still see the crash, that would be awesome -- thanks!

Flags: needinfo?(over68)

I cannot reproduce the crash with the build in comment 13. Thanks.

Flags: needinfo?(over68)

Thanks so much for all your testing!

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/497bed0b00e3
Ensure font entries for src:local faces are flushed when the fontlist is rebuilt. r=jwatt
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Flags: qe-verify+
Duplicate of this bug: 1622724
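
The lifetime problem diagnosed in this bug (a user font set keeping references to src:local entries across a font-list rebuild) and the flush named in the commit message, modelled as an added example that is not Gecko code or the landed patch. All class and method names are hypothetical, and the generation counter and `weak_ptr` are this example's own choices for making staleness observable without touching a destroyed entry.

```cpp
// Added illustration, not Gecko code: every class and method name is hypothetical.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct FontEntry {  // stand-in for a platform font entry owned by the font list
  std::string name;
  std::vector<bool> charMap;  // constructed coverage map for code points < 128
  bool HasCharacter(unsigned ch) const { return ch < charMap.size() && charMap[ch]; }
};
class FontList {  // stand-in for the system font list; it owns the entries
  std::map<std::string, std::shared_ptr<FontEntry>> mEntries;
  unsigned mGeneration = 0;
 public:
  unsigned Generation() const { return mGeneration; }
  void Rebuild(const std::vector<std::string>& installed) {
    mEntries.clear();  // all previous entries are destroyed here
    for (const auto& n : installed)
      mEntries[n] = std::make_shared<FontEntry>(FontEntry{n, std::vector<bool>(128, true)});
    ++mGeneration;
  }
  std::shared_ptr<FontEntry> Lookup(const std::string& n) const {
    auto it = mEntries.find(n);
    return it == mEntries.end() ? nullptr : it->second;
  }
};
class UserFontSet {  // caches what each @font-face src:local(...) resolved to
  const FontList& mList;
  unsigned mSeenGeneration;
  std::map<std::string, std::weak_ptr<FontEntry>> mLocalFaces;
 public:
  explicit UserFontSet(const FontList& l) : mList(l), mSeenGeneration(l.Generation()) {}
  // True when a cached resolution points at an entry the list has destroyed.
  bool CachedEntryIsStale(const std::string& name) const {
    auto it = mLocalFaces.find(name);
    return it != mLocalFaces.end() && it->second.expired();
  }
  // Flush every local() resolution once the list generation has moved on.
  std::shared_ptr<FontEntry> ResolveLocal(const std::string& name) {
    if (mSeenGeneration != mList.Generation()) {
      mLocalFaces.clear();
      mSeenGeneration = mList.Generation();
    }
    auto entry = mLocalFaces[name].lock();
    if (!entry) { entry = mList.Lookup(name); mLocalFaces[name] = entry; }
    return entry;
  }
};
```

`CachedEntryIsStale` reports the window between a rebuild and the next flush, which is the state a raw, non-owning pointer would carry into `HasCharacter` undetected.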