Closed Bug 1740682 Opened 3 years ago Closed 1 year ago

Crash in [@ nsTHashtable<T>::PutEntry | nsPresContext::ReportBlockedFontFamilyName]

Categories

(Core :: Layout: Text and Fonts, defect, P2)

Product:
Core
Component:
Layout: Text and Fonts
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix

People

(Reporter: gsvelto, Unassigned)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Visual Studio stack trace
4.79 KB, text/plain
Details

Crash report: https://crash-stats.mozilla.org/report/index/33852b98-6f20-4699-b12b-197030211109

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsTHashtable<nsCStringHashKey>::PutEntry xpcom/ds/nsTHashtable.h:306
1 xul.dll nsPresContext::ReportBlockedFontFamilyName layout/base/nsPresContext.cpp:841
2 xul.dll nsPresContext::ReportBlockedFontFamily layout/base/nsPresContext.cpp:855
3 xul.dll gfxPlatformFontList::FindAndAddFamilies gfx/thebes/gfxPlatformFontList.cpp:1437
4 xul.dll gfxDWriteFontList::FindAndAddFamilies gfx/thebes/gfxDWriteFontList.cpp:2017
5 xul.dll gfxFontGroup::BuildFontList gfx/thebes/gfxTextRun.cpp:1875
6 xul.dll gfxFontGroup::UpdateUserFonts gfx/thebes/gfxTextRun.cpp:3602
7 xul.dll mozilla::dom::CanvasBidiProcessor::SetText dom/canvas/CanvasRenderingContext2D.cpp:3506
8 xul.dll static nsBidiPresUtils::ProcessText layout/base/nsBidiPresUtils.cpp:2227
9 xul.dll mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText dom/canvas/CanvasRenderingContext2D.cpp:3874

This is an odd crash. It's only captured by the Windows Error Reporting interceptor but it should be captured by Breakpad. I suspect it's not because the exception handler cannot unwind the stack for some reason. Either way this seems to be affecting Facebook games, there's three comments mentioning them and two crashes pointing at this page:

https://www.facebook.com/gaming/play/1939015149698140/

Correction: the majority of these crashes are caught by WER but others were caught by the regular exception handler. They also affect older versions of Windows.

OS: Windows 10 → Windows

This is a related signature, also happening on Facebook and it's an OOM, but 32-bit only. I wonder if the main signature is also an OOM-ish issue even though it's not explicitly flagged as such.

Crash Signature: [@ nsTHashtable<T>::PutEntry | nsPresContext::ReportBlockedFontFamilyName] → [@ nsTHashtable<T>::PutEntry | nsPresContext::ReportBlockedFontFamilyName] [@ OOM | unknown | NS_ABORT_OOM | PLDHashTable::WithEntryHandle<T> | nsPresContext::ReportBlockedFontFamilyName]

I've extracted a stack trace with VS from the crash in comment 0. It's a bit more detailed and points to the actual culprit: mOps is NULL here

jfkthame, looks like this is something to do with management of nsTHashSet<nsCString> mBlockedFonts, added in bug 1715537 just to manage some logging. Mind taking a look?

(I don't know a ton about our hashtable internals, but it looks like PLDHashTable::mOps is a pointer to a struct that represents the vtable for whatever category of hash table we're using. So if it's null, we're definitely going to crash. I'm not sure how mOps ends up null here, though.)

Flags: needinfo?(jfkthame)
Regressed by: 1715537
Has Regression Range: --- → yes

(Given how simple the management/lifetime of mBlockedFonts is, it's hard to see how it would end up getting its mOps cleared. So it seems possible that this is really something higher-up getting clobbered, like e.g. maybe the whole document has been torn down when we get this notification, somehow, and our mBlockedFonts instance is just garbage at that point.)

The substantially-older bug 1669191 has a similar backtrace (UpdateUserFonts calling BuildFontList and then crashing/aborting in hashtable manipulation -- though presumably for a different hashtable, given that that bug was filed before mBlockedFonts was added). I wonder if there's a connection.

[EDIT: The bugs are probably unrelated; per bug 1669191 comment 4, that bug seems to be an OOM, whereas this one here does not seem to be.]

See Also: → 1669191

Set release status flags based on info from the regressing bug 1715537

status-firefox94: --- → affected
status-firefox95: --- → affected
status-firefox96: --- → affected
status-firefox-esr91: --- → unaffected

jfkthame, just wanted to be sure this is on your radar. (Looks like this has reduced to be pretty low-volume, fortunately...)

Priority: -- → P2

I don't currently have any ideas here beyond what comment 5 suggests... seems like something has clobbered the mBlockedFonts hashtable, but it's hard to see what it could be.

Flags: needinfo?(jfkthame)

Jonathan, since this seems to be low volume now, should it be S3?

Flags: needinfo?(jfkthame)

I think that makes sense. Still no real ideas how to proceed here, but the volume seems to be staying low.

Severity: S2 → S3
Flags: needinfo?(jfkthame)

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: