Closed Bug 1702865 Opened 3 years ago Closed 3 years ago

Crash in [@ gfxUserFontSet::UserFontCache::CacheFont] / [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
89 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- fixed

People

(Reporter: aryx, Unassigned)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

18 crashes on 3+ machines, both Fission and non-Fission

Is this a regression from bug 1694123?

Crash report: https://crash-stats.mozilla.org/report/index/558a2a5e-4556-489f-a6b7-16bc50210402

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll static gfxUserFontSet::UserFontCache::CacheFont gfx/thebes/gfxUserFontSet.cpp:1215
1 xul.dll gfxUserFontEntry::LoadPlatformFont gfx/thebes/gfxUserFontSet.cpp:768
2 xul.dll gfxUserFontEntry::ContinuePlatformFontLoadOnMainThread gfx/thebes/gfxUserFontSet.cpp:879
3 xul.dll static mozilla::detail::RunnableMethodArguments<const unsigned char*, unsigned int, gfxUserFontType, const unsigned char*, unsigned int, nsTArray<gfxUserFontEntry::OTSMessage>&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback> >::applyImpl<gfxUserFontEntry, void  xpcom/threads/nsThreadUtils.h:1148
4 xul.dll mozilla::detail::RunnableMethodImpl<gfxUserFontEntry*, void  xpcom/threads/nsThreadUtils.h:1201
5 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:754
6 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1155
7 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:328
9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:310
Flags: needinfo?(jfkthame)

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #0)

18 crashes on 3+ machines, both Fission and non-Fission

Is this a regression from bug 1694123?

Ugh - yeah, almost certainly. It's probably like what's mentioned in 1694123 comment 7, but the fix there wasn't quite sufficient.

Flags: needinfo?(jfkthame)
Keywords: regression
Regressed by: 1694123
Has Regression Range: --- → yes

Not sure how easy it is to hit this in practice (I didn't see it in my local testing, obviously); if it becomes at all high-frequency we should probably back out bug 1694123 for now. Leaving ni? on myself to follow up.

Flags: needinfo?(jfkthame)

[@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging] - e.g. bp-5c531f0a-4d34-4c2e-98c2-8f6d60210402 - also stems from this change. 8 content crashes on 5+ devices, all on startup. Let's back out bug 1694123.

Crash Signature: [@ gfxUserFontSet::UserFontCache::CacheFont] → [@ gfxUserFontSet::UserFontCache::CacheFont] [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging]
Summary: Crash in [@ gfxUserFontSet::UserFontCache::CacheFont] → Crash in [@ gfxUserFontSet::UserFontCache::CacheFont] / [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging]

Fair enough, thanks. That sounds like the same root cause (we end up looking at the wrong entry in the source list after the off-main-thread font decoding completes, because decoding raced with the main thread updating the source index); depending on exactly what's in the list, that may or may not cause an actual crash, but it's definitely broken behavior.

Flags: needinfo?(jfkthame)

Bug 1694123 got backed out from autoland.

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox89: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
You need to log in before you can comment on or make changes to this bug.