Crash in [@ mozilla::ipc::MessageChannel::Send | mozilla::ipc::IProtocol::ChannelSend]
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox77 | --- | unaffected
firefox78 | --- | unaffected
firefox79 | --- | disabled
firefox80 | --- | fixed
People
(Reporter: over68, Assigned: jfkthame)
References
(Regression)
Details
(Keywords: csectype-race, regression, sec-moderate, Whiteboard: [post-critsmash-triage])
Crash Data
Attachments
(1 file)
Steps to reproduce:
- Set gfx.e10s.font-list.shared to true.
- Restart Firefox.
- Download Font Loader.
- Download Franklin Gothic Book Regular.ttf.
- Open data:text/html;charset=utf-8,<u>🏴
- Open https://archive.org/ in a new tab.
- Open the Font Loader, click on the Add Fonts button, select the font file Franklin Gothic Book Regular.ttf, then click Open.
- Click on the Load button.
- Wait two minutes.
Actual results:
Browser crashes.
Crash report: bp-f39f22ec-c0cc-4e32-b941-060240200625
Top 10 frames of crashing thread:
0 xul.dll mozilla::ipc::MessageChannel::Send ipc/glue/MessageChannel.cpp
1 xul.dll mozilla::ipc::IProtocol::ChannelSend ipc/glue/ProtocolUtils.cpp:477
2 xul.dll mozilla::dom::PContentChild::SendGetFontListShmBlock ipc/ipdl/PContentChild.cpp:5139
3 xul.dll mozilla::fontlist::FontList::GetBlockFromParent gfx/thebes/SharedFontList.cpp:582
4 xul.dll mozilla::fontlist::FontList::UpdateShmBlocks gfx/thebes/SharedFontList.cpp:602
5 xul.dll mozilla::fontlist::FontList::FindFamily gfx/thebes/SharedFontList.cpp:825
6 xul.dll gfxPlatformFontList::FindAndAddFamilies gfx/thebes/gfxPlatformFontList.cpp:1075
7 xul.dll gfxDWriteFontList::FindAndAddFamilies gfx/thebes/gfxDWriteFontList.cpp:1764
8 xul.dll gfxFontGroup::AddPlatformFont gfx/thebes/gfxTextRun.cpp:1825
9 xul.dll gfxFontGroup::BuildFontList gfx/thebes/gfxTextRun.cpp:1740
Comment 1•4 years ago
This looks like a thread safety assertion from a Stylo thread sending a message via PContentChild. That sounds bad.
Comment 2•4 years ago
Normally, if IsNull() is false, we'd expect ToPtr() to return a valid pointer, but for code that may run on a stylo thread in the child process this is not necessarily true: if resolving the pointer requires accessing a new shared-mem block, we can't make that IPC call from the stylo thread. So in this case, we let ToPtr() return null, and the caller needs to handle this safely.
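The ToPtr() contract described in comment 2, as an added C++ model that is not Firefox's code: the block layout, class and function names are simplified assumptions, and the "Stylo thread" is simulated with a flag rather than a real thread.

```cpp
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>
// Simulated thread identity (the real code asks the platform which thread it is on).
static bool gOnMainThread = true;
struct StyloThreadScope {  // runs the enclosed code "on a Stylo thread"
  StyloThreadScope() { gOnMainThread = false; }
  ~StyloThreadScope() { gOnMainThread = true; }
};
// A Pointer into the shared font list is (block index, byte offset); UINT32_MAX block = null.
struct Pointer {
  uint32_t mBlock, mOffset;
  bool IsNull() const { return mBlock == UINT32_MAX; }
};
// Blocks owned by the parent process (constructed sample data, one family name per block).
static const std::vector<std::string> kParentBlocks = {"Arial", "Franklin Gothic Book"};
class FontList {
 public:
  // Fetch blocks the parent has that this process has not mapped yet. In Firefox this is
  // the SendGetFontListShmBlock IPC call, which is legal only on the main thread.
  void UpdateShmBlocks() {
    if (!gOnMainThread) std::abort();  // stands in for the MOZ_RELEASE_ASSERT in the crash
    while (mBlocks.size() < kParentBlocks.size()) mBlocks.push_back(kParentBlocks[mBlocks.size()]);
  }
  // Resolve p. Returns nullptr for a null Pointer, and also when the block is not mapped
  // and we are off the main thread, because fetching it would need IPC.
  const char* ToPtr(Pointer p) {
    if (p.IsNull()) return nullptr;
    if (p.mBlock >= mBlocks.size()) {
      if (!gOnMainThread) return nullptr;  // cannot do IPC here; caller must handle null
      UpdateShmBlocks();
      if (p.mBlock >= mBlocks.size()) return nullptr;  // parent has no such block
    }
    const std::string& b = mBlocks[p.mBlock];
    return p.mOffset < b.size() ? b.c_str() + p.mOffset : nullptr;
  }
 private:
  std::vector<std::string> mBlocks;
};
// Caller that tolerates a null ToPtr() result: empty string means "not resolvable now".
std::string FindFamily(FontList& list, Pointer p) {
  const char* name = list.ToPtr(p);
  return name ? std::string(name) : std::string();
}
// Same lookup performed from the (simulated) Stylo thread: never aborts, may return empty.
std::string FindFamilyOnStyloThread(FontList& list, Pointer p) {
  StyloThreadScope scope;
  return FindFamily(list, p);
}
```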
Comment 3•4 years ago
(In reply to Andrew McCreight [:mccr8] from comment #1)
This looks like a thread safety assertion from a Stylo thread sending a message via PContentChild.
We have MOZ_RELEASE_ASSERT there so we detect this and safely crash the content process, and this depends on the user installing/uninstalling fonts locally while the browser is running; it's not something a site can trigger by itself.
So yes, that's what is going on here; but it's not clear to me how this would be a sec-high issue; seems to me like it would be sec-moderate at most?
Comment 4•4 years ago
:jfkthame, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 5•4 years ago
Ah, I didn't realize that this was a release assert and not just something in Nightly.
Comment 6•4 years ago
https://hg.mozilla.org/integration/autoland/rev/3e78b6a57f062559963f618bb12275dc1431f36b
https://hg.mozilla.org/mozilla-central/rev/3e78b6a57f06