Closed Bug 1645645 Opened 4 years ago Closed 4 years ago

Crash in [@ gfxDWriteFontList::CreateFontEntry]

Categories

(Core :: Layout: Text and Fonts, defect, P2)

Product:
Core
Component:
Layout: Text and Fonts
Version:
79 Branch
Platform:
x86_64
Windows 10
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox79 --- verified
firefox80 --- verified

People

(Reporter: over68, Assigned: jfkthame)

References

Details

Crash Data

Attachments

(1 file)

Bug 1645645 - Fix error handling in gfxDWriteFontList::CreateFontEntry to avoid risk of null-deref. r=jwatt
47 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

  1. Set gfx.e10s.font-list.shared to true.
  2. Restart Firefox.
  3. Download Font Loader.
  4. Download and extracts the archive.
  5. Open https://emojipedia.org/emoji/ in three tabs.
  6. Open the Font Loader, Click on the Add Fonts button, Select the extracted font files then click Open.
  7. Click on the Load button then Unload.
  8. Open https://emojipedia.org/emoji/ in new tab.
  9. Switch between tabs.

See https://youtu.be/wiatFCir-uM

Actual results:

The tab crashed when clicking on the Unload button then switch between tabs.

Crash report: bp-4e7babc2-b0a2-41b7-88d9-e9c530200614

0 xul.dll gfxDWriteFontList::CreateFontEntry gfx/thebes/gfxDWriteFontList.cpp:980
1 xul.dll gfxPlatformFontList::GetOrCreateFontEntry gfx/thebes/gfxPlatformFontList.cpp:1300
2 xul.dll mozilla::fontlist::Family::SearchAllFontsForChar gfx/thebes/SharedFontList.cpp:372
3 xul.dll gfxPlatformFontList::GlobalFontFallback gfx/thebes/gfxPlatformFontList.cpp:1005
4 xul.dll gfxPlatformFontList::SystemFindFontForChar gfx/thebes/gfxPlatformFontList.cpp:885
5 xul.dll gfxFontGroup::WhichSystemFontSupportsChar gfx/thebes/gfxTextRun.cpp:3467
6 xul.dll gfxFontGroup::FindFontForChar gfx/thebes/gfxTextRun.cpp:3101
7 xul.dll gfxFontGroup::InitScriptRun<char16_t> gfx/thebes/gfxTextRun.cpp:2562
8 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2356
9 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2527
Blocks: 1533462

Ah, I see what's broken here... if the FindFamilyName call at https://hg.mozilla.org/mozilla-central/file/1d3eb5f9e1b6e25fa8f6cad8843ae3feef012ca2/gfx/thebes/gfxDWriteFontList.cpp#l970 fails, we leave family as null, but fail to check that properly and bail out of the method. We need to fix up the failure handling here.

Assignee: nobody → jfkthame
Severity: S1 → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d3d13c4bbf9b Fix error handling in gfxDWriteFontList::CreateFontEntry to avoid risk of null-deref. r=jwatt

https://hg.mozilla.org/mozilla-central/rev/d3d13c4bbf9b

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox79: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Flags: qe-verify+

I reproduced the issue on Firefox Nightly (2020-06-13) under Windows 10 by using the STR from Comment 0.

The issue is fixed as I was unable to crash the tabs on Firefox 80.0a1 (2020-07-06) and Firefox 79.0b4 under Windows 10.

Status: RESOLVED → VERIFIED
status-firefox79: fixedverified
status-firefox80: --- → verified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: