Closed Bug 1707767 Opened 3 years ago Closed 3 years ago

[Win32k lockdown] Text layout crash in gdi32full.dll [@ RtlpWaitOnCriticalSection | XLATEOBJ_piVector]

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
Windows 10
defect

RESOLVED DUPLICATE of bug 1713973

People

(Reporter: cpeterson, Unassigned)

References

Details

(Keywords: crash, regression, Whiteboard: [not-a-fission-bug])

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

One Beta 89 user in the Fission experiment has hit this content process crash 12 times. The crash reports have two different stack traces through layout code calling into gdi32full.dll:

Crash report: https://crash-stats.mozilla.org/report/index/a651fb51-7e2e-414c-acfc-e84e80210426

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 ntdll.dll RtlpWaitOnCriticalSection 
1 gdi32full.dll XLATEOBJ_piVector 
2 gdi32full.dll long ScriptTokenize 
3 gdi32full.dll long ScriptItemizeCommon 
4 gdi32full.dll ScriptBreak 
5 xul.dll NS_GetComplexLineBreaks intl/lwbrk/nsUniscribeBreaker.cpp:69
6 xul.dll mozilla::intl::LineBreaker::GetJISx4051Breaks intl/lwbrk/LineBreaker.cpp:1113
7 xul.dll nsLineBreaker::FlushCurrentWord dom/base/nsLineBreaker.cpp:83
8 xul.dll nsLineBreaker::Reset dom/base/nsLineBreaker.cpp:501
9 xul.dll BuildTextRunsScanner::FlushLineBreaks layout/generic/nsTextFrame.cpp:1678

Crash report: https://crash-stats.mozilla.org/report/index/fe5ff239-1e49-4373-a15b-947ec0210424

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 ntdll.dll RtlpWaitOnCriticalSection 
1 gdi32full.dll XLATEOBJ_piVector 
2 xul.dll gfxFontGroup::MakeTextRun gfx/thebes/gfxTextRun.cpp:2498
3 xul.dll BuildTextRunsScanner::BuildTextRunForFrames layout/generic/nsTextFrame.cpp:2598
4 xul.dll BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrame.cpp:1665
5 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrame.cpp:2999
6 xul.dll nsTextFrame::AddInlineMinISize layout/generic/nsTextFrame.cpp:8574
7 xul.dll nsBlockFrame::GetMinISize layout/generic/nsBlockFrame.cpp:806
8 xul.dll static nsLayoutUtils::IntrinsicForAxis layout/base/nsLayoutUtils.cpp:4866
9 xul.dll static nsLayoutUtils::IntrinsicForContainer layout/base/nsLayoutUtils.cpp:5062

Hardware: Unspecified → x86_64

P5 until more than one person hits this crash.

Severity: -- → S2
Fission Milestone: ? → Future
Priority: -- → P5

The signature seems to be showing up in 90.0 beta, with different stacks, from a few users, some with fission and some not.

The stack in bp-4729ee78-c303-4cd5-9a18-c82420210601 does look similar to the first one in comment 0, and has fission enabled.

This looks a lot like bug 1713973, in which case it's probably a result of people enabling win32k lockdown.

See Also: → 1713973

I had a problem and it does look like it is related to win32k lockdown. All is working fine now. Everything seemed to, sort of, work until I tried to open a tab in a container, but it didn't always. The latest ones have one thing in common: the tab crashed every single time I tried to access accounts.google.com.

I had enabled security.sandbox.content.win32k-disable. I saw this bug report and remembered I had enabled it. I disabled it and all is now working. Hope the crash reports are of use to whoever will be looking into this.

I'm on FF 90.0b9.

Related (multiple) crash reports:

bp-cd4f294c-8909-4ee3-857f-de4580210618 	18/06/2021, 12:32 	
bp-9efff08f-1a7c-49cd-a20c-1a8270210618 	18/06/2021, 12:32 	
bp-56ef3d01-c14f-4e76-ba69-545310210618 	18/06/2021, 12:29 	
bp-18bf83c5-26eb-4daf-84f5-6b9d90210618 	18/06/2021, 12:29 	
bp-37a26b19-e0e3-4666-9d93-cd6420210618 	18/06/2021, 12:21 	
bp-d028e681-a3d5-4289-b777-28e630210618 	18/06/2021, 12:19 	
bp-4a3f1d8c-5091-46cd-a4dc-d83420210618 	18/06/2021, 12:19 	
bp-8879d4f2-c0c4-434b-8391-649fd0210618 	18/06/2021, 12:18 	
bp-590f8647-102a-48d3-80fc-7a06d0210618 	18/06/2021, 12:17 	
bp-9f919eae-4e63-4bcf-97d9-b3b7e0210618 	18/06/2021, 12:17 	
bp-31ceba46-c859-464e-83bb-4a4730210617 	17/06/2021, 17:51 	
bp-49a4b65d-1442-4723-8a9d-45e880210617 	17/06/2021, 17:51 	
bp-215c71c8-a945-4b6b-8ed8-9f66c0210617 	17/06/2021, 17:51 	
bp-95dd0bba-3463-4285-99c0-fa1a40210617 	17/06/2021, 17:51 	
bp-96998fed-6c01-42ba-b6d9-2fa590210617 	17/06/2021, 17:51 	
bp-dbbfad14-1370-4f45-b220-ce0870210617 	17/06/2021, 17:51 	
bp-86aecfc0-cea3-411c-9bdf-ddd830210617 	17/06/2021, 17:51 	
bp-b27baac7-01a8-4fe2-a71b-c3db80210617 	17/06/2021, 17:51 	
bp-a99c232f-45ac-49d9-a9fc-d5a5c0210617 	17/06/2021, 17:51 	
bp-5f938042-9799-4b32-9b3a-9a5fb0210617 	17/06/2021, 17:51 	
bp-bce9623c-e8b9-4ec4-8aea-4c3600210617 	17/06/2021, 17:51 	
bp-5730703c-4750-465b-ba68-8f0720210617 	17/06/2021, 17:51 	
bp-7d5cdee9-712a-4318-9512-ff2fd0210617 	17/06/2021, 17:51 	
bp-dc431137-e6e0-4ce4-af16-5fd380210617 	17/06/2021, 17:51 	
bp-8c3533d8-dbc4-4a88-a4f9-7ecde0210617 	17/06/2021, 17:51 	
bp-ff32e4c0-0523-43ab-b3bd-a346d0210617 	17/06/2021, 17:51 	
bp-ed0f07ea-17a8-4584-acc7-618820210617 	17/06/2021, 17:51 	
bp-a13e818c-4275-486c-985e-71cae0210617 	17/06/2021, 17:51 	
bp-ac868e9a-1168-4122-8899-317260210617 	17/06/2021, 17:50 	
bp-6dc31c73-2e7b-4e3c-99cf-5264c0210617 	17/06/2021, 17:50 	
bp-5c1a8c73-33e2-415d-a217-65c570210617 	17/06/2021, 17:50 	
bp-fec59fdb-7954-4dc9-b2b5-e52100210617 	17/06/2021, 17:50 	
bp-ed874129-2246-45ff-a6f5-f7efb0210617 	17/06/2021, 17:50 	
bp-d1849b45-2c30-4626-a815-9484d0210617 	17/06/2021, 17:49 	
bp-00fbe052-732f-40c4-b801-0c7ec0210617 	17/06/2021, 17:48 	
bp-374e1ba1-dde5-40d0-b0ff-3687d0210617 	17/06/2021, 17:48 	
bp-de338bf0-bbeb-442e-8792-8a53f0210617 	17/06/2021, 17:48 	
bp-3552e5d9-e1ec-4d63-aea7-a3a0c0210617 	17/06/2021, 17:47 	
bp-9089670f-32ad-445d-9437-2d1c90210616 	16/06/2021, 17:40 	
bp-362d8f1c-d596-492a-a634-b226a0210616 	16/06/2021, 17:39 	
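
A quick way to confirm what the comment above describes, as an added example that is not part of the bug or of Mozilla's code: check whether a profile has security.sandbox.content.win32k-disable set in its prefs.js, and whether the running Firefox content processes actually carry the Win32k system-call-disable mitigation. It assumes Windows 10 with the ProcessMitigations module (Get-ProcessMitigation), the default profile location under %APPDATA%, and that content processes are identified by -contentproc on their command line; the property path SystemCall.DisableWin32kSystemCalls is the one the ProcessMitigations module exposes for this setting.

```powershell
# Added example, not from the bug or from Mozilla. Assumptions: default profile
# directory, ProcessMitigations module available, content processes carry
# "-contentproc" on the command line.

$ProfileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$PrefName    = 'security.sandbox.content.win32k-disable'

# 1. Report the pref from each profile's prefs.js. Lines look like:
#    user_pref("security.sandbox.content.win32k-disable", true);
Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefsFile = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefsFile) {
        $pattern = 'user_pref\("{0}",\s*(true|false)\);' -f [regex]::Escape($PrefName)
        $hit     = Select-String -Path $prefsFile -Pattern $pattern
        $value   = if ($hit) { $hit.Matches[0].Groups[1].Value } else { '(default)' }
        [pscustomobject]@{ Profile = $_.Name; Pref = $PrefName; Value = $value }
    }
}

# 2. For each running content process, read the live mitigation policy.
#    DisableWin32kSystemCalls reports ON when win32k lockdown is active, which
#    is the state in which the gdi32full.dll crashes in this bug were seen.
Get-CimInstance Win32_Process -Filter "Name = 'firefox.exe'" |
    Where-Object { $_.CommandLine -match '-contentproc' } |
    ForEach-Object {
        $m = Get-ProcessMitigation -Id $_.ProcessId
        [pscustomobject]@{
            PID            = $_.ProcessId
            Win32kLockdown = $m.SystemCall.DisableWin32kSystemCalls
        }
    }
```

Run it before and after flipping the pref (and restarting Firefox): the prefs.js value changes immediately, but the per-process mitigation only reflects the setting once new content processes have been started.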

It was not Fission. Same crashes were occurring when I turned off Fission as I've been using Fission now for quite a number of weeks.

Thanks for confirming! And for testing Fission. :)

Blocks: 1383524
Fission Milestone: Future → ---
Summary: Fission? Text layout crash in gdi32full.dll [@ RtlpWaitOnCriticalSection | XLATEOBJ_piVector] → [Win32k lockdown] Text layout crash in gdi32full.dll [@ RtlpWaitOnCriticalSection | XLATEOBJ_piVector]

Not a Fission bug, even though comment 0 includes DOMFissionEnabled=1.

Whiteboard: [not-a-fission-bug]

I've checked the dump from the second crash that didn't seem to go through ScriptBreak, and something must have gone wrong in crash-stats stack scanning.
So, I'll duplicate this over to bug 1713973.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE