1802382 - Assertion failure: NS_IsMainThread(), at /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.h:102

Status: VERIFIED FIXED

(Core :: Graphics: Text, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.zip

Found while fuzzing m-c 20221123-eac66a6b1959 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: NS_IsMainThread(), at /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.h:102

#0 0x7f8effa35411 in operator==(gfxFontFaceSrc const&, gfxFontFaceSrc const&) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.h:102:3
#1 0x7f8effa145f5 in bool nsTArray_Impl<gfxFontFaceSrc, nsTArrayInfallibleAllocator>::operator==<nsTArrayInfallibleAllocator>(nsTArray_Impl<gfxFontFaceSrc, nsTArrayInfallibleAllocator> const&) const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1116:27
#2 0x7f8effa1438c in gfxUserFontEntry::Matches(nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:121:19
#3 0x7f8effa197c1 in gfxUserFontSet::FindExistingUserFontEntry(gfxUserFontFamily*, nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:1009:14
#4 0x7f8effa193e9 in gfxUserFontSet::FindOrCreateUserFontEntry(nsTSubstring<char> const&, nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:970:13
#5 0x7f8f03726305 in mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(nsTSubstring<char> const&, mozilla::dom::FontFaceImpl*, mozilla::StyleOrigin) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:629:41
#6 0x7f8f03725342 in mozilla::dom::FontFaceSetImpl::InsertNonRuleFontFace(mozilla::dom::FontFaceImpl*, bool&) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:318:38
#7 0x7f8f0372e741 in mozilla::dom::FontFaceSetWorkerImpl::FlushUserFontSet() /builds/worker/checkouts/gecko/layout/style/FontFaceSetWorkerImpl.cpp:247:5
#8 0x7f8f0371f91e in FlushUserFontSet /builds/worker/checkouts/gecko/layout/style/FontFaceSet.cpp:480:47
#9 0x7f8f0371f91e in mozilla::dom::FontFaceSet::Has(mozilla::dom::FontFace&) /builds/worker/checkouts/gecko/layout/style/FontFaceSet.cpp:294:3
#10 0x7f8f013da782 in mozilla::dom::FontFaceSet_Binding::has(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/FontFaceSetBinding.cpp:318:36
#11 0x7f8f015f7db2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#12 0x7f8f058cadec in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#13 0x7f8f058ca70f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#14 0x7f8f058ba684 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
#15 0x7f8f058ba684 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3375:16
#16 0x7f8f058ac78e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
#17 0x7f8f058ca60b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
#18 0x7f8f058cbb4c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
#19 0x7f8f05982f0c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#20 0x7f8f012f5225 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
#21 0x7f8f01bd3f39 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#22 0x7f8f01bd3154 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#23 0x7f8f01bb3dcd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1317:22
#24 0x7f8f01bb4a39 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
#25 0x7f8f01ba9a46 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#26 0x7f8f01ba9a46 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#27 0x7f8f01ba8f7b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#28 0x7f8f01bab73b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#29 0x7f8f01bae216 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#30 0x7f8f01b8319b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:176:17
#31 0x7f8f01bbb4a2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13
#32 0x7f8f02f507fe in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp:104:12
#33 0x7f8f02f9646e in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
#34 0x7f8efe498c57 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#35 0x7f8efe49f30d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#36 0x7f8f02f85384 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3227:7
#37 0x7f8f02f6c71d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42
#38 0x7f8efe498c57 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#39 0x7f8efe49f30d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#40 0x7f8eff0879da in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#41 0x7f8efefac608 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#42 0x7f8efefac511 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#43 0x7f8efefac511 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#44 0x7f8efe494007 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#45 0x7f8f1110ac86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#46 0x7f8f11e93608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#47 0x7f8f11a3e132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221124212638-e12f31999d33.
The bug appears to have been introduced in the following build range:

Start: 14bbdad41ca8f9cbe874b8e1adf10a701ff81517 (20220711154729)
End: 0fa881dedc30efcf53f1419737a9f3d7d2fc5521 (20220711143742)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=14bbdad41ca8f9cbe874b8e1adf10a701ff81517&tochange=0fa881dedc30efcf53f1419737a9f3d7d2fc5521

Comment 2

[Jonathan Kew [:jfkthame]]

It looks like the assertion we're hitting here is rather more aggressive than it needs to be. The only part of the gfxFontFaceSrc comparison that is main-thread-only is the mOriginPrincipal comparison, and in this case we're not actually going to hit that codepath at all.

Once bug 1443925 lands, we'll be able to safely use this from other threads anyhow; but until then, we can move the assertion so that it only happens on the specific codepath where it matters.

Comment 3

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1802382 - Main-thread assertion in gfxFontFaceSrc comparison is overly zealous. r=aosmond

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jfkthame, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Comment 5

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0759474f0ab2
Main-thread assertion in gfxFontFaceSrc comparison is overly zealous. r=aosmond

Comment 6

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/0759474f0ab2

Comment 7

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221201161829-4ec5232d1c53.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.