Closed Bug 1779519 Opened 3 years ago Closed 3 years ago

Crash in [@ gfxFont::AddRef]

Categories

(Core :: Graphics: Text, defect, P3)

Product:
Core
Component:
Graphics: Text
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
104 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox102 --- unaffected
firefox103 --- unaffected
firefox104 --- fixed

People

(Reporter: aosmond, Assigned: aosmond)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1779519 - gfxFontCache expiration tracker operations should be more atomic.
48 bytes, text/x-phabricator-request
Details

Crash report: https://crash-stats.mozilla.org/report/index/c81721aa-0f88-41ed-aff4-98ae50220713

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(false) (Tried to remove an object that's not tracked)

Top 8 frames of crashing thread:

0 xul.dll gfxFont::AddRef gfx/thebes/gfxFont.h:1452
1 xul.dll gfxFontGroup::GetDefaultFont gfx/thebes/gfxTextRun.cpp:2166
2 xul.dll mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText dom/canvas/CanvasRenderingContext2D.cpp:4095
3 xul.dll mozilla::dom::CanvasRenderingContext2D::StrokeText dom/canvas/CanvasRenderingContext2D.cpp:3578
4 xul.dll mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::strokeText dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3975
5 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3285
6 None @0x000003edaf882143 
7 xul.dll js::jit::EqualStringsHelperPure js/src/jit/VMFunctions.cpp:1583
Flags: needinfo?(aosmond)
Crash Signature: [@ gfxFont::AddRef] → [@ gfxFont::AddRef] [@ ExpirationTrackerImpl<T>::RemoveObjectLocked ]
OS: Windows 11 → All
Hardware: Unspecified → All

The ExpirationTrackerImpl signature is for Android (but encompasses a lot more issues than just for OffscreenCanvas on DOM workers).

Set release status flags based on info from the regressing bug 1746110

status-firefox102: --- → unaffected
status-firefox103: --- → unaffected
status-firefox104: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected

The expiration state should not be protected by the gfxFont's mutex
since we don't hold it during most operations. Instead we should hold
gfxFontCache's mutex because then we can guarantee the operation is
atomic, particularly when a worker wants a font, and the main thread is
aging the generations.

Attachment #9285473 - Attachment description: Bug 1779519 - gfxFont::mExpirationState should be protected by gfxFontCache::mMutex. → Bug 1779519 - gfxFontCache expiration tracker operations should be more atomic.
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e4cd98b5984d gfxFontCache expiration tracker operations should be more atomic. r=jfkthame

Backed out for causing build bustages. CLOSED TREE
Backout link
Push with failures
Link to failure log
Failure line :
gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:669: Unified_cpp_windows_sdn0.obj] Error 1

Flags: needinfo?(aosmond)

Missed some platform specific instances of the gfxFont already_AddRefed/RefPtr conversion.

Crash Signature: [@ gfxFont::AddRef] [@ ExpirationTrackerImpl<T>::RemoveObjectLocked ] → [@ gfxFont::AddRef] [@ ExpirationTrackerImpl<T>::RemoveObjectLocked ] [@ gfxFontCache::NotifyReleased ]
Flags: needinfo?(aosmond)
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a29ac3a0f194 gfxFontCache expiration tracker operations should be more atomic. r=jfkthame

https://hg.mozilla.org/mozilla-central/rev/a29ac3a0f194

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox104: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
Crash Signature: [@ gfxFont::AddRef] [@ ExpirationTrackerImpl<T>::RemoveObjectLocked ] [@ gfxFontCache::NotifyReleased ] → [@ gfxFont::AddRef] [@ ExpirationTrackerImpl<T>::RemoveObjectLocked ] [@ gfxFontCache::NotifyReleased ] [@ gfxFontCache::AddObject ]
Regressions: 1780193
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: