[Win32k lockdown] Text layout crash in gdi32full.dll [@ RtlpWaitOnCriticalSection | XLATEOBJ_piVector]
Categories: Core :: Layout: Text and Fonts, defect
People: Reporter: cpeterson, Unassigned
Details: Keywords: crash, regression; Whiteboard: [not-a-fission-bug]
Maybe Fission related. (DOMFissionEnabled=1)
One Beta 89 user in the Fission experiment has hit this content process crash 12 times. The crash reports have two different stack traces through layout code calling into gdi32full.dll:
Crash report: https://crash-stats.mozilla.org/report/index/a651fb51-7e2e-414c-acfc-e84e80210426
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 ntdll.dll RtlpWaitOnCriticalSection
1 gdi32full.dll XLATEOBJ_piVector
2 gdi32full.dll long ScriptTokenize
3 gdi32full.dll long ScriptItemizeCommon
4 gdi32full.dll ScriptBreak
5 xul.dll NS_GetComplexLineBreaks intl/lwbrk/nsUniscribeBreaker.cpp:69
6 xul.dll mozilla::intl::LineBreaker::GetJISx4051Breaks intl/lwbrk/LineBreaker.cpp:1113
7 xul.dll nsLineBreaker::FlushCurrentWord dom/base/nsLineBreaker.cpp:83
8 xul.dll nsLineBreaker::Reset dom/base/nsLineBreaker.cpp:501
9 xul.dll BuildTextRunsScanner::FlushLineBreaks layout/generic/nsTextFrame.cpp:1678
Crash report: https://crash-stats.mozilla.org/report/index/fe5ff239-1e49-4373-a15b-947ec0210424
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 ntdll.dll RtlpWaitOnCriticalSection
1 gdi32full.dll XLATEOBJ_piVector
2 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2498
3 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2598
4 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1665
5 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:2999
6 xul.dll nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8574
7 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:806
8 xul.dll static nsLayoutUtils::IntrinsicForAxis layout/base/nsLayoutUtils.cpp:4866
9 xul.dll static nsLayoutUtils::IntrinsicForContainer layout/base/nsLayoutUtils.cpp:5062
Comment 1 (Reporter) • 3 years ago
11 of the 12 crashes have a pt-BR AMO URL like https://addons.mozilla.org/pt-BR/firefox/ or https://addons.mozilla.org/pt-BR/firefox/search/?q=cookie.
Comment 2 (Reporter) • 3 years ago
P5 until more than one person hits this crash.
Comment 3 • 3 years ago
The signature seems to be showing up in 90.0 beta, with different stacks, from a few users, some with fission and some not.
The stack in bp-4729ee78-c303-4cd5-9a18-c82420210601 does look similar to the first one in comment 0, and has fission enabled.
Updated • 3 years ago
Comment 4 • 3 years ago
This looks a lot like bug 1713973, in which case it's probably a result of people enabling win32k lockdown.
I had a problem and it does look like it is related to win32k lockdown. All is working fine now. Everything seemed to, sort of, work until I tried to open a tab in a container, but it didn't always. The latest ones have one thing in common: the tab crashed every single time I tried to access accounts.google.com.
I had enabled security.sandbox.content.win32k-disable. Seen this bug report, remembered I enabled it. Disabled it and all is now working. Hope the crash reports are of use to whoever will be looking into this.
I'm on FF 90.0b9.
Related (multiple) crash reports:
bp-cd4f294c-8909-4ee3-857f-de4580210618 18/06/2021, 12:32
bp-9efff08f-1a7c-49cd-a20c-1a8270210618 18/06/2021, 12:32
bp-56ef3d01-c14f-4e76-ba69-545310210618 18/06/2021, 12:29
bp-18bf83c5-26eb-4daf-84f5-6b9d90210618 18/06/2021, 12:29
bp-37a26b19-e0e3-4666-9d93-cd6420210618 18/06/2021, 12:21
bp-d028e681-a3d5-4289-b777-28e630210618 18/06/2021, 12:19
bp-4a3f1d8c-5091-46cd-a4dc-d83420210618 18/06/2021, 12:19
bp-8879d4f2-c0c4-434b-8391-649fd0210618 18/06/2021, 12:18
bp-590f8647-102a-48d3-80fc-7a06d0210618 18/06/2021, 12:17
bp-9f919eae-4e63-4bcf-97d9-b3b7e0210618 18/06/2021, 12:17
bp-31ceba46-c859-464e-83bb-4a4730210617 17/06/2021, 17:51
bp-49a4b65d-1442-4723-8a9d-45e880210617 17/06/2021, 17:51
bp-215c71c8-a945-4b6b-8ed8-9f66c0210617 17/06/2021, 17:51
bp-95dd0bba-3463-4285-99c0-fa1a40210617 17/06/2021, 17:51
bp-96998fed-6c01-42ba-b6d9-2fa590210617 17/06/2021, 17:51
bp-dbbfad14-1370-4f45-b220-ce0870210617 17/06/2021, 17:51
bp-86aecfc0-cea3-411c-9bdf-ddd830210617 17/06/2021, 17:51
bp-b27baac7-01a8-4fe2-a71b-c3db80210617 17/06/2021, 17:51
bp-a99c232f-45ac-49d9-a9fc-d5a5c0210617 17/06/2021, 17:51
bp-5f938042-9799-4b32-9b3a-9a5fb0210617 17/06/2021, 17:51
bp-bce9623c-e8b9-4ec4-8aea-4c3600210617 17/06/2021, 17:51
bp-5730703c-4750-465b-ba68-8f0720210617 17/06/2021, 17:51
bp-7d5cdee9-712a-4318-9512-ff2fd0210617 17/06/2021, 17:51
bp-dc431137-e6e0-4ce4-af16-5fd380210617 17/06/2021, 17:51
bp-8c3533d8-dbc4-4a88-a4f9-7ecde0210617 17/06/2021, 17:51
bp-ff32e4c0-0523-43ab-b3bd-a346d0210617 17/06/2021, 17:51
bp-ed0f07ea-17a8-4584-acc7-618820210617 17/06/2021, 17:51
bp-a13e818c-4275-486c-985e-71cae0210617 17/06/2021, 17:51
bp-ac868e9a-1168-4122-8899-317260210617 17/06/2021, 17:50
bp-6dc31c73-2e7b-4e3c-99cf-5264c0210617 17/06/2021, 17:50
bp-5c1a8c73-33e2-415d-a217-65c570210617 17/06/2021, 17:50
bp-fec59fdb-7954-4dc9-b2b5-e52100210617 17/06/2021, 17:50
bp-ed874129-2246-45ff-a6f5-f7efb0210617 17/06/2021, 17:50
bp-d1849b45-2c30-4626-a815-9484d0210617 17/06/2021, 17:49
bp-00fbe052-732f-40c4-b801-0c7ec0210617 17/06/2021, 17:48
bp-374e1ba1-dde5-40d0-b0ff-3687d0210617 17/06/2021, 17:48
bp-de338bf0-bbeb-442e-8792-8a53f0210617 17/06/2021, 17:48
bp-3552e5d9-e1ec-4d63-aea7-a3a0c0210617 17/06/2021, 17:47
bp-9089670f-32ad-445d-9437-2d1c90210616 16/06/2021, 17:40
bp-362d8f1c-d596-492a-a634-b226a0210616 16/06/2021, 17:39
It was not Fission. Same crashes were occurring when I turned off Fission as I've been using Fission now for quite a number of weeks.
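Win32k lockdown applies the ProcessSystemCallDisablePolicy process mitigation to the content process, after which win32k.sys system calls (the GDI and USER layer that Uniscribe's ScriptBreak and the gdi32full.dll frames above depend on) are blocked. As an added example, not code from this bug report or from Firefox, the following PowerShell check lists running Firefox content processes and reports whether that mitigation is actually applied to each, which is what the pref in the comment above controls. It assumes a Windows 10 build with the ProcessMitigations module, and that Firefox content processes can be recognised by "-contentproc" on their command line:

```powershell
# Added example (not from the bug or from Firefox): list Firefox content
# processes and report whether the win32k syscall-disable mitigation is set.
# Assumptions: Windows 10 1709+ with the ProcessMitigations module, and that
# Firefox child processes carry "-contentproc" on their command line.
Import-Module ProcessMitigations

$contentProcs = Get-CimInstance Win32_Process -Filter "Name = 'firefox.exe'" |
    Where-Object { $_.CommandLine -match '-contentproc' }

foreach ($p in $contentProcs) {
    # Get-ProcessMitigation reads the live mitigation policy of the process;
    # SystemCall.DisableWin32kSystemCalls is ON when win32k lockdown is active.
    $mitigation = Get-ProcessMitigation -Id $p.ProcessId
    [pscustomobject]@{
        Pid            = $p.ProcessId
        Win32kDisabled = $mitigation.SystemCall.DisableWin32kSystemCalls
    }
}
```

A content process showing Win32kDisabled = ON together with crash reports whose top frames sit in gdi32full.dll is the combination comment 4 points at; with the pref turned off the column should read OFF or NOTSET.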
Comment 6 (Reporter) • 3 years ago
> It was not Fission. Same crashes were occurring when I turned off Fission as I've been using Fission now for quite a number of weeks.
Thanks for confirming! And for testing Fission. :)
Comment 7 (Reporter) • 3 years ago
Not a Fission bug, even though comment 0 includes DOMFissionEnabled=1.
Updated • 3 years ago
Comment 8 • 3 years ago
I've checked the dump from the second crash that didn't seem to go through ScriptBreak and something must have gone wrong in crash-stats stack scanning.
So, I'll duplicate this over to bug 1713973.
Updated • 3 years ago