Closed Bug 1616798 Opened 5 years ago Closed 5 years ago

Crash in [@ IPC::ParamTraits<nsTArray<T> >::Write]

Categories

(Core :: Layout: Text and Fonts, defect, P3)

Product:
Core
Component:
Layout: Text and Fonts
Version:
75 Branch
Platform:
x86
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- fixed

People

(Reporter: calixte, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1616798 - Ensure SetCharMapRunnable holds a reference to the charmap. r=jwatt
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-3dbad4ce-2ee4-45d7-8e45-a46880200220.

Top 10 frames of crashing thread:

0 xul.dll static IPC::ParamTraits<nsTArray<unsigned short> >::Write ipc/glue/IPCMessageUtils.h:549
1 xul.dll mozilla::ipc::WriteIPDLParam<const gfxSparseBitSet&> ipc/glue/IPDLParamTraits.h:59
2 xul.dll mozilla::dom::PContentChild::SendSetCharacterMap ipc/ipdl/PContentChild.cpp:5830
3 xul.dll mozilla::fontlist::SetCharMapRunnable::Run gfx/thebes/SharedFontList.cpp:106
4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1220
5 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:481
6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:308
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:290
9 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137

There are 3 crashes (from 1 installation) in nightly 75 with buildid 20200219215002. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1616193.

[1] https://hg.mozilla.org/mozilla-central/rev?node=eeef960d6919

Flags: needinfo?(jfkthame)

Yes, this is definitely related to bug 1616193 (although in the same circumstances, it would have already crashed with a different stack before that patch landed, so in that sense it's no worse!)

I must have been mistaken about the lifetime of the gfxSparseBitSet; let's try a different approach.

Flags: needinfo?(jfkthame)

Yeah, I just wasn't thinking straight in bug 1616193, and the comment here was a lie. :(

At call sites like this it's entirely possible for TrySetShmemCharacterMap() to succeed immediately, as someone else may have already stored an identical charmap, in which case the reference here will not be retained.

So the runnable needs to take a strong reference to the charmap. Fortunately, gfxCharacterMap is refcounted, so that's an easy tweak.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
See Also: → 1616734
Priority: -- → P3
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/83815c4cf97f Ensure SetCharMapRunnable holds a reference to the charmap. r=jwatt

https://hg.mozilla.org/mozilla-central/rev/83815c4cf97f

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox75: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: