Open Bug 1750071 Opened 2 years ago Updated 17 days ago

Crash in [@ libfreetype.so.6@0x10de0 | webrender::platform::unix::font::FontContext::load_glyph]

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Platform:
Desktop
Linux
Type:
defect

Tracking

()

People

(Reporter: sefeng, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/6a55d585-dcd3-4f97-a4a1-621c60220113

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0 libfreetype.so.6 libfreetype.so.6@0x0000000000010de0 
1 libxul.so webrender::platform::unix::font::FontContext::load_glyph /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/gfx/wr/webrender/src/platform/unix/font.rs:522
2 libxul.so webrender::glyph_rasterizer::GlyphRasterizer::flush_glyph_requests::{{closure}} /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/gfx/wr/webrender/src/glyph_rasterizer/mod.rs:157
3 libxul.so rayon::iter::plumbing::bridge_producer_consumer::helper /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/third_party/rust/rayon/src/iter/plumbing/mod.rs:438
4 libxul.so rayon_core::join::join_context::{{closure}} /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/third_party/rust/rayon-core/src/join/mod.rs:141
5 libxul.so rayon::iter::plumbing::bridge_producer_consumer::helper /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/third_party/rust/rayon/src/iter/plumbing/mod.rs:416
6 libxul.so <rayon_core::job::StackJob<L, F, R> as rayon_core::job::Job>::execute /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/third_party/rust/rayon-core/src/job.rs:119
7 libxul.so rayon_core::registry::WorkerThread::wait_until_cold /usr/src/debug/firefox-95.0.2-2.fc34.x86_64/third_party/rust/rayon-core/src/registry.rs:726
8 libxul.so std::sys_common::backtrace::__rust_begin_short_backtrace /builddir/build/BUILD/rustc-1.57.0-src/library/std/src/sys_common/backtrace.rs:123
9 libxul.so core::ops::function::FnOnce::call_once{{vtable.shim}} /builddir/build/BUILD/rustc-1.57.0-src/library/core/src/ops/function.rs:227

This seems to be a Fedora-specific (actually not, seeing this on other distros) bug, crashed in the FreeType library. I am not sure if this bug belongs to third party affecting Firefox component, however I decided to start with the graphic component

Crash Signature: [@ libfreetype.so.6@0x10de0 | webrender::platform::unix::font::FontContext::load_glyph] → [@ libfreetype.so.6@0x10de0 | webrender::platform::unix::font::FontContext::load_glyph] [@ libfreetype.so.6@0x68309 | libfreetype.so.6@0x14ac0 | webrender::platform::unix::font::FontContext::load_glyph ] [@ libfreetype.so.6@0x69698 | libfreetype.so.6@0x…

More related crash signatures. It seems that webrender::platform::unix::font::FontContext::load_glyph() is passing a NULL pointer into the freetype code.

Crash Signature: libfreetype.so.6@0x417d1 | libfreetype.so.6@0x19f03 | webrender::platform::unix::font::FontContext::load_glyph ] [@ libfreetype.so.6@0x1060c | webrender::platform::unix::font::FontContext::load_glyph ] → libfreetype.so.6@0x417d1 | libfreetype.so.6@0x19f03 | webrender::platform::unix::font::FontContext::load_glyph ] [@ libfreetype.so.6@0x1060c | webrender::platform::unix::font::FontContext::load_glyph ] [@ FT_Set_Transform] [@ FT_Request_Size]
Severity: S2 → S3

We seems to have more crashes in libfreetype.

There's a mix of very old distros in there, but also a few new ones for which we don't have symbols. I'll investigate.

You need to log in before you can comment on or make changes to this bug.