Closed Bug 1746997 Opened 3 years ago Closed 2 years ago

Infinite recursion in FontFaceSet_Binding

Categories

(Core :: DOM: Bindings (WebIDL), defect)

Tracking

RESOLVED FIXED
109 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- fixed

People

(Reporter: toshi, Assigned: peterv)

Attachments

(2 files)

The crash https://crash-stats.mozilla.org/report/index/49671fbc-f387-4917-bf72-8f4ca0211208 shows the process entered into an infinite recursion in FontFaceSet_Binding::CreateInterfaceObjects, resulting in stack overflow.

0:000> .excr
rax=0000000000000009 rbx=000001ae6f9024c0 rcx=000001ae6f9024c0
rdx=0000004c2ba04078 rsi=0000004c2ba04078 rdi=000000000000005a
rip=00007ffde56190a2 rsp=0000004c2ba04000 rbp=0000000000000000
 r8=7efefefefefefeff  r9=c41f1eff666d6873 r10=00000fffad2ef866
r11=8101010101010100 r12=00000000dffadb03 r13=0000000000000003
r14=000001ae75e24000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!RtlAcquireSRWLockExclusive+0x2:
00007ffd`e56190a2 56              push    rsi
0:000> knL:
Numeric expression missing from ':'
0:000> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 0000004c`2ba04000 00007ffd`677ab166 ntdll!RtlAcquireSRWLockExclusive+0x2
01 (Inline Function) --------`-------- xul!mozilla::OffTheBooksMutex::Lock+0x9
02 (Inline Function) --------`-------- xul!mozilla::detail::BaseAutoLock<mozilla::Mutex &>::BaseAutoLock+0x9
03 0000004c`2ba04010 00007ffd`6977c74b xul!CrashReporter::AnnotateCrashReport+0x26
04 0000004c`2ba04050 00007ffd`6977c351 xul!mozilla::CycleCollectedJSRuntime::AnnotateAndSetOutOfMemory+0x7b
05 (Inline Function) --------`-------- xul!mozilla::CycleCollectedJSRuntime::OnOutOfMemory+0x18
06 0000004c`2ba040b0 00007ffd`6baebd92 xul!mozilla::CycleCollectedJSRuntime::OutOfMemoryCallback+0x21
07 0000004c`2ba040f0 00007ffd`693c36ef xul!js::ReportOutOfMemory+0x77
08 (Inline Function) --------`-------- xul!js::gc::GCRuntime::tryNewTenuredThing+0x132d
09 (Inline Function) --------`-------- xul!js::gc::GCRuntime::tryNewTenuredObject+0x1336
0a 0000004c`2ba04150 00007ffd`693734cf xul!js::AllocateObject<js::CanGC>+0x172f
0b (Inline Function) --------`-------- xul!js::NativeObject::create+0x57
0c (Inline Function) --------`-------- xul!NewObject+0x30f
0d 0000004c`2ba04220 00007ffd`68ea7e56 xul!js::NewObjectWithGivenTaggedProto+0x65f
0e (Inline Function) --------`-------- xul!js::NewObjectWithGivenTaggedProto+0x3c
0f (Inline Function) --------`-------- xul!js::NewObjectWithGivenProto+0x3c
10 0000004c`2ba04300 00007ffd`684d4569 xul!JS_NewObjectWithGivenProto+0x46
11 (Inline Function) --------`-------- xul!mozilla::dom::CreateInterfacePrototypeObject+0xe
12 0000004c`2ba04340 00007ffd`6a5ff020 xul!mozilla::dom::CreateInterfaceObjects+0x149
13 0000004c`2ba04460 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x180
14 0000004c`2ba04580 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
15 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
16 0000004c`2ba04620 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
17 0000004c`2ba04740 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
18 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
19 0000004c`2ba047e0 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
1a 0000004c`2ba04900 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
1b (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
...

The severity field is not set for this bug.
:dholbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dholbert)

So the infinite recursion here seems to be this repeating pattern from the bottom of comment 0 (blank lines inserted for clarity):

13 0000004c`2ba04460 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x180
14 0000004c`2ba04580 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
15 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25

16 0000004c`2ba04620 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
17 0000004c`2ba04740 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
18 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25

19 0000004c`2ba047e0 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
1a 0000004c`2ba04900 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
1b (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25

(The functions inside there^ seem to just be helpers that are the straw that breaks the camel's back, while we're deeply recursively nested.)

This all seems to be in generated DOM bindings code; we don't have enough of a backtrace to see what's outside of that, I guess.

smaug, perhaps you could take a look from a DOM bindings perspective & see if you know what's going on & where the problem lies?

Flags: needinfo?(dholbert) → needinfo?(bugs)
Severity: -- → S3
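
Added example, not code from the bug or from Firefox: a small Python script that finds the repeating frame period in a WinDbg `knL` dump like the one in comment 0 and measures from the Child-SP column how much stack each recursion level consumes. The frames embedded below are copied from comment 0; the frame regex, the cycle finder and the minimum-repeat threshold are assumptions of this example.

```python
import re
# The recursive tail of the `knL` output from comment 0 (frames 13..1b).
STACK = """\
13 0000004c`2ba04460 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x180
14 0000004c`2ba04580 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
15 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
16 0000004c`2ba04620 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
17 0000004c`2ba04740 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
18 (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
19 0000004c`2ba047e0 00007ffd`68eb2901 xul!mozilla::dom::FontFaceSet_Binding::CreateInterfaceObjects+0x1a5
1a 0000004c`2ba04900 00007ffd`6a5ff045 xul!mozilla::dom::GetPerInterfaceObjectHandle+0x291
1b (Inline Function) --------`-------- xul!mozilla::dom::FontFaceSet_Binding::GetProtoObjectHandle+0x25
"""

# WinDbg frame: number, Child-SP or "(Inline Function)", RetAddr, symbol+offset.
FRAME_RE = re.compile(
    r"^\s*[0-9a-f]+\s+(\(Inline Function\)|[0-9a-f`]+)\s+[0-9a-f`-]+\s+(\S+?)(?:\+0x[0-9a-f]+)?\s*$")

def parse_frames(text):
    """[(symbol, child_sp)] per frame. The +offset is dropped so the same function
    entered from different call sites compares equal; inline frames have no SP."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            sp = None if m.group(1).startswith("(") else int(m.group(1).replace("`", ""), 16)
            frames.append((m.group(2), sp))
    return frames

def find_cycle(frames, min_repeats=3):
    """Smallest period p whose last p frames repeat >= min_repeats times going
    outward from the crashing frame. Returns (cycle_symbols, repeats) or None."""
    syms = [s for s, _ in frames]
    n = len(syms)
    for p in range(1, n // min_repeats + 1):
        unit, repeats = syms[n - p:], 1
        while (repeats + 1) * p <= n and syms[n - (repeats + 1) * p:n - repeats * p] == unit:
            repeats += 1
        if repeats >= min_repeats:
            return unit, repeats
    return None

def stack_bytes_per_cycle(frames, period):
    """Stack consumed per recursion level: Child-SP delta between the same frame
    one period apart (inline frames carry no SP and are skipped)."""
    deltas = [frames[i + period][1] - frames[i][1]
              for i in range(len(frames) - period)
              if frames[i][1] is not None and frames[i + period][1] is not None]
    return max(deltas) if deltas else None
```

On the comment 0 trace the period is the three frames CreateInterfaceObjects → GetPerInterfaceObjectHandle → GetProtoObjectHandle, and each level costs 0x1c0 (448) bytes of stack, which is what turns the unbounded recursion into the overflow.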

Moving to DOM/CSSOM, and resetting severity for triage over there (though it feels no-more-severe than S3, since it appears to be annoying-but-not-exploitable, and fortunately we only have one crash report with this issue at this point, so it's perhaps rare).

Severity: S3 → --
Component: Layout → DOM: CSS Object Model
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)

The severity field is not set for this bug.
:jfkthame, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)

Marking as S3 for now (in line with comment 3), but feel free to adjust if you think appropriate, Peter.

Severity: -- → S3
Flags: needinfo?(jfkthame) → needinfo?(peterv)

While perusing stack overflow crashes, I came across another instance signature that looks like this: bp-2128ca6b-e4f9-4395-889c-da4d60220209

Crash Signature: [@ mozilla::Internals::GetPrefValue<T> ]
Flags: needinfo?(peterv)
Duplicate of this bug: 1803682
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/538dd2bb87a2 Infinite recursion in FontFaceSet_Binding. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
Component: DOM: CSS Object Model → DOM: Bindings (WebIDL)

These crashes have been around a while, but the volume on ESR doesn't really look high enough to make it worth backporting this. I'll add some signatures I found by searching for stack overflow crashes where the proto stack contains CreateInterfaceObjects.

Crash Signature: [@ mozilla::Internals::GetPrefValue<T> ] → [@ mozilla::Internals::GetPrefValue<T> ] [@ stackoverflow | mozilla::Internals::GetPrefValue<T> ] [@ stackoverflow | js::SharedShape::getInitialShape ] [@ stackoverflow | pref_Lookup ]