Closed Bug 1741453 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::gfx::GlyphCacheEntry::Unlink]

Categories

(Core :: Graphics: Canvas2D, defect)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- unaffected
firefox96 --- fixed

People

(Reporter: aryx, Assigned: lsalzman)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1741453 - Unlink GlyphCacheEntry on failure.
48 bytes, text/x-phabricator-request
Details | Review

10 Nightly crashes from 3 installations, Linux, macOS, Windows; from bug macOS

Crash report: https://crash-stats.mozilla.org/report/index/201ab7fa-5043-4aad-b298-bf6c20211116

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL mozilla::gfx::GlyphCacheEntry::Unlink dom/canvas/DrawTargetWebgl.cpp:1478
1 XUL mozilla::gfx::GlyphCache::~GlyphCache dom/canvas/DrawTargetWebgl.cpp:1484
2 XUL mozilla::gfx::ReleaseGlyphCache dom/canvas/DrawTargetWebgl.cpp:1489
3 XUL mozilla::gfx::UserData::RemoveAndDestroy gfx/2d/UserData.h:81
4 XUL mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl dom/canvas/DrawTargetWebgl.cpp:185
5 XUL mozilla::gfx::DrawTargetWebgl::~DrawTargetWebgl dom/canvas/DrawTargetWebgl.cpp:183
6 XUL mozilla::layers::PersistentBufferProviderBasic::~PersistentBufferProviderBasic gfx/layers/PersistentBufferProvider.cpp:32
7 XUL mozilla::layers::PersistentBufferProviderAccelerated::~PersistentBufferProviderAccelerated gfx/layers/PersistentBufferProvider.cpp:105
8 XUL mozilla::dom::CanvasRenderingContext2D::Reset dom/canvas/CanvasRenderingContext2D.cpp:1047
9 XUL mozilla::dom::CanvasRenderingContext2D::ClearTarget dom/canvas/CanvasRenderingContext2D.cpp:1536
Flags: needinfo?(lsalzman)

If we fail to rasterize text for a GlyphCacheEntry, it may not have a linked TextureHandle by the time it is destructed.
Check that a handle exists before we try to unlink it. Also, if rasterization fails, just unlink it immediately so we
don't keep around a bunch of empty entries in the glyph cache.

This also fixes some incidental debug assertions that were hit while debugging this - passing rectData on the stack to
the GL, and the mTextureHandles linked list needs to be empty before its destructor is hit.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e51d895aa692 Unlink GlyphCacheEntry on failure. r=gfx-reviewers,jrmuizel

https://hg.mozilla.org/mozilla-central/rev/e51d895aa692

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox96: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Flags: needinfo?(lsalzman)
Blocks: gpu-canvas
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: