Closed
Bug 1682607
Opened 4 years ago
Closed 4 years ago
Assertion failure: entry == mFonts.GetEntry(key), at /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:249
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
VERIFIED
FIXED
87 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | wontfix |
| firefox86 | --- | fixed |
| firefox87 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(2 files)
|
322 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev f805f27183c3 (built with --enable-debug).
Assertion failure: entry == mFonts.GetEntry(key), at /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:249
#0 0x7f43f364c390 in gfxFontCache::AddNew(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:249:3
#1 0x7f43f363b8e3 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:290:31
#2 0x7f43f36a8f61 in gfxFontGroup::GetFontAt(int, unsigned int, bool*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2055:16
#3 0x7f43f36a9d21 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2277:12
#4 0x7f43f666367b in Gecko_GetFontMetrics /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:1457:33
#5 0x7f43fad3a911 in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::h18ed029e86cfeff2 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:986:13
#6 0x7f43facf0973 in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::hb3e46624b5a01965 /builds/worker/checkouts/gecko/servo/components/style/values/specified/length.rs:158:13
#7 0x7f43facf0973 in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::hd58c88d194b8b83f /builds/worker/checkouts/gecko/servo/components/style/values/specified/length.rs:213:21
#8 0x7f43facf0973 in style::values::specified::length::FontRelativeLength::to_computed_value::h613835874f87b01b /builds/worker/checkouts/gecko/servo/components/style/values/specified/length.rs:137:40
#9 0x7f43fac67783 in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::h736ad066d91c7d7f /builds/worker/checkouts/gecko/servo/components/style/values/computed/length.rs:36:17
#10 0x7f43faf7e3eb in style::values::computed::length_percentage::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..LengthPercentage$GT$::to_computed_value::hda5e22870039f182 /builds/worker/checkouts/gecko/servo/components/style/values/computed/length_percentage.rs:502:46
#11 0x7f43faf7e3eb in _$LT$style..values..generics..length..GenericLengthPercentageOrAuto$LT$LengthPercent$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::hc9bff59a37eb9cbb /builds/worker/checkouts/gecko/servo/components/style/values/generics/length.rs:27:5
#12 0x7f43faf7e3eb in style::properties::longhands::margin_inline_start::cascade_property::hc01e6a890c07a803 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/debug/build/style-64ef97ee0e073608/out/longhands/margin.rs:778:32
#13 0x7f43fa92c606 in style::properties::cascade::Cascade::apply_declaration::h2bf240c180c367a4 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:556:9
#14 0x7f43fa92c606 in style::properties::cascade::Cascade::apply_properties::h7064d6137fb51c53 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:673:13
#15 0x7f43fa92b1d0 in style::properties::cascade::apply_declarations::h353b9a2af21b0af0 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:349:9
#16 0x7f43fa92b1d0 in style::properties::cascade::cascade_rules::h707a867d437c6ac6 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:210:5
#17 0x7f43fa996abe in style::properties::cascade::cascade::h01c4f96dcd10c87f /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:93:5
#18 0x7f43fa996abe in style::stylist::Stylist::cascade_style_and_visited::h8fc8771cbc53f476 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:905:9
#19 0x7f43fa955311 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h29d17b30734d0075 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:346:22
#20 0x7f43fa9544a0 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_pseudo_style::h617990a2fa5a907d /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:437:14
#21 0x7f43fa9544a0 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::_$u7b$$u7b$closure$u7d$$u7d$::h14b76958b4785dc3 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:267:36
#22 0x7f43fa9544a0 in style::gecko::selector_parser::SelectorImpl::each_eagerly_cascaded_pseudo_element::h9a9223df508d46b4 /builds/worker/checkouts/gecko/servo/components/style/gecko/selector_parser.rs:489:13
#23 0x7f43fa9544a0 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::hb37673c5bb66f163 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:266:13
#24 0x7f43fa9a3bc4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h1a7c2eea1bfc1f90 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:294:13
#25 0x7f43fa9a3bc4 in style::style_resolver::with_default_parent_styles::hd3ad63316e6c693f /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:115:5
#26 0x7f43fa9a3bc4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::hf6ab8e4c6962dbbe /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:293:9
#27 0x7f43fa9a3bc4 in style::traversal::compute_style::hcf730f0dbab9c98a /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:602:25
#28 0x7f43fa97cd46 in style::traversal::recalc_style_at::h4fbecf94a58a4656 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:420:37
#29 0x7f43fa97cd46 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h7ed5360127628244 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#30 0x7f43fa97cd46 in style::driver::traverse_dom::hc30639b4836ba96d /builds/worker/checkouts/gecko/servo/components/style/driver.rs:112:9
#31 0x7f43faa82711 in geckoservo::glue::traverse_subtree::h973c0eaebed98bc2 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:266:5
#32 0x7f43faa82b7e in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:326:5
#33 0x7f43f6689e50 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:744:9
#34 0x7f43f6738597 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2982:20
#35 0x7f43f6712c57 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3112:3
#36 0x7f43f6712c57 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4204:39
#37 0x7f43f66dc462 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2172:22
#38 0x7f43f66e3fe1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:357:13
#39 0x7f43f66e3fe1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:336:7
#40 0x7f43f66e3ebf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:5
#41 0x7f43f66e3468 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:799:5
#42 0x7f43f66e3468 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:722:16
#43 0x7f43f66e2d80 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:624:7
#44 0x7f43f66e27f9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:545:9
#45 0x7f43f5eebcff in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:69:15
#46 0x7f43f2ccfab0 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#47 0x7f43f2a788cc in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#48 0x7f43f273af4e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
#49 0x7f43f273754d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
#50 0x7f43f27389f6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
#51 0x7f43f273973b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
#52 0x7f43f1e1a64f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
#53 0x7f43f1e18c7a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
#54 0x7f43f1e17d24 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
#55 0x7f43f1e17ed7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
#56 0x7f43f1e1df16 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
#57 0x7f43f1e1df16 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#58 0x7f43f1e2f5f5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
#59 0x7f43f1e356ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#60 0x7f43f2740836 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#61 0x7f43f26ac8d3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#62 0x7f43f26ac7ed in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#63 0x7f43f26ac7ed in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#64 0x7f43f6435f58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#65 0x7f43f7c47a43 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#66 0x7f43f274171c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#67 0x7f43f26ac8d3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#68 0x7f43f26ac7ed in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#69 0x7f43f26ac7ed in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#70 0x7f43f7c47618 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#71 0x55d29eecfd96 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#72 0x55d29eecfd96 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
#73 0x7f44080b20b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201215213427-914398229db8.
The bug appears to have been introduced in the following build range:
Start: bf21f044ae70855a7407d7ac247b915dd65ae7a4 (20200622093556)
End: 7a13c77442451fdb9fd1032f605f1322a218702b (20200622094618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bf21f044ae70855a7407d7ac247b915dd65ae7a4&tochange=7a13c77442451fdb9fd1032f605f1322a218702b
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•4 years ago
|
Severity: -- → S3
Flags: needinfo?(jfkthame)
Flags: needinfo?(emilio)
|
Assignee | |
Comment 2•4 years ago
|
||
This is a giant floating point value that ends up being inf in the style struct, and after a bit of other arithmetic we end up with NaN and failing the cache hit...
I'm not familiar with the font cache but I guess we could do saturating arithmetic here, so we end up with FLOAT_MAX effectively. Jonathan does that sound about right?
Flags: needinfo?(emilio)
|
||
Comment 3•4 years ago
|
||
That seems reasonable enough, I guess. Or should we intervene earlier so as to avoid ever getting inf in the style struct? That sounds like it'd be liable to cause unexpected issues (like this) for code that didn't anticipate it.
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → emilio
|
|
Assignee | |
Comment 4•4 years ago
|
||
Depends on D104563
|
||
Comment 5•4 years ago
|
||
:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa1ad21ca19f
Normalize NaN in some other font-related lengths etc. r=jfkthame,layout-reviewers
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27570 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox87:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
|
||
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210211050245-5cbcb80f72bd.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 10•4 years ago
|
||
Comment on attachment 9202123 [details]
Bug 1682607 - Normalize NaN in some other font-related lengths etc. r=jfkthame,#style,#layout-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: Potential weirdness / crashes when very large CSS values are used.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1691652
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just handles edge-cases in floating-point math.
- String changes made/needed: none
Attachment #9202123 -
Flags: approval-mozilla-beta?
|
||
Comment 11•4 years ago
|
||
Comment on attachment 9202123 [details]
Bug 1682607 - Normalize NaN in some other font-related lengths etc. r=jfkthame,#style,#layout-reviewers
Approved for our last beta, thanks.
Attachment #9202123 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 12•4 years ago
|
||
| bugherder uplift | ||
Flags: in-testsuite? → in-testsuite+
|
||
Updated•4 years ago
|
status-firefox85:
--- → wontfix
status-firefox-esr78:
--- → unaffected
|
|
||
Updated•4 years ago
|
Keywords: regression
Upstream PR was closed without merging
Upstream PR merged by jgraham
You need to log in
before you can comment on or make changes to this bug.
Description
•