1808832 - heap-use-after-free in [@ nsFontFaceLoader::Cancel]

Status: RESOLVED FIXED

(Core :: Layout: Text and Fonts, defect)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20221106-8d685d6d9ce8 (--enable-address-sanitizer --enable-fuzzing)

A reduced reliable test case is not available.

A Pernosco session is available here: https://pernos.co/debug/nrWGNRdUQSrfZEn9BTyCPQ/index.html

==376128==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00016ebc5 at pc 0x7f083c7b78c5 bp 0x7ffcbdd6ad50 sp 0x7ffcbdd6ad48
READ of size 1 at 0x60b00016ebc5 thread T0 (Isolated Web Co)
    #0 0x7f083c7b78c4 in nsFontFaceLoader::Cancel() /gecko/layout/style/nsFontFaceLoader.cpp:356:3
    #1 0x7f083c75c930 in mozilla::dom::FontFaceSetWorkerImpl::Destroy()::DestroyRunnable::Run() /gecko/layout/style/FontFaceSetWorkerImpl.cpp:152:14
    #2 0x7f08338b2749 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:539:16
    #3 0x7f08338a9567 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:852:26
    #4 0x7f08338a67e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:684:15
    #5 0x7f08338a6f10 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:462:36
    #6 0x7f08338b8851 in operator() /gecko/xpcom/threads/TaskController.cpp:188:37
    #7 0x7f08338b8851 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #8 0x7f08338db9b4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:16
    #9 0x7f08338e5da4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #10 0x7f083504d11e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #11 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #12 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #13 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #14 0x7f083c2221b9 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #15 0x7f0841195428 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #16 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #17 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #18 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #19 0x7f0841194bbf in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #20 0x55bb18b67454 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #21 0x55bb18b67917 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #22 0x7f0855e05082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #23 0x55bb18aa5ed8 in _start (/home/worker/builds/m-c-20230105034049-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: 331e83691ba124041576a40572f1250258b70ebf)

0x60b00016ebc5 is located 101 bytes inside of 104-byte region [0x60b00016eb60,0x60b00016ebc8)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55bb18b2a602 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f083c7b5e48 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f083c7b5e48 in nsFontFaceLoader::Release() /gecko/layout/style/nsFontFaceLoader.cpp:213:1
    #3 0x7f0833d2ac49 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:377:7
    #4 0x7f0833d2ac49 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:400:20
    #5 0x7f0833d2ac49 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:696:5
    #6 0x7f0833d2ac49 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/netwerk/base/nsStreamLoader.cpp:100:22
    #7 0x7f0834874919 in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsresult) /gecko/netwerk/protocol/http/nsCORSListenerProxy.cpp:677:27
    #8 0x7f0834771834 in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult) /gecko/netwerk/protocol/http/HttpChannelChild.cpp:1055:15
    #9 0x7f0834770818 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /gecko/netwerk/protocol/http/HttpChannelChild.cpp:932:5
    #10 0x7f083480d9cb in operator() /gecko/netwerk/protocol/http/HttpChannelChild.cpp:806:15
    #11 0x7f083480d9cb in std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool)::$_22>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
    #12 0x7f0834b357cc in mozilla::net::ChannelEventQueue::FlushQueue() /gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12
    #13 0x7f0834b7ed96 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17
    #14 0x7f08338b2749 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:539:16
    #15 0x7f08338a9567 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:852:26
    #16 0x7f08338a67e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:684:15
    #17 0x7f08338a6f10 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:462:36
    #18 0x7f08338b8851 in operator() /gecko/xpcom/threads/TaskController.cpp:188:37
    #19 0x7f08338b8851 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #20 0x7f08338db9b4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:16
    #21 0x7f08338e5da4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #22 0x7f083504d11e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #23 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #24 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #25 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #26 0x7f083c2221b9 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #27 0x7f0841195428 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #28 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #29 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #30 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #31 0x7f0841194bbf in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #32 0x55bb18b67454 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #33 0x55bb18b67917 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #34 0x7f0855e05082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55bb18b2a8ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55bb18b6e045 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f083c7141cc in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f083c7141cc in mozilla::dom::FontFaceSetWorkerImpl::StartLoad(gfxUserFontEntry*, unsigned int) /gecko/layout/style/FontFaceSetWorkerImpl.cpp:294:7
    #4 0x7f08362bf425 in gfxUserFontEntry::DoLoadNextSrc(bool) /gecko/gfx/thebes/gfxUserFontSet.cpp:532:34
    #5 0x7f083c70c10f in operator() /gecko/layout/style/FontFaceImpl.cpp:358:53
    #6 0x7f083c70c10f in mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #7 0x7f08338b2749 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:539:16
    #8 0x7f08338a9567 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:852:26
    #9 0x7f08338a67e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:684:15
    #10 0x7f08338a6f10 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:462:36
    #11 0x7f08338b8851 in operator() /gecko/xpcom/threads/TaskController.cpp:188:37
    #12 0x7f08338b8851 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #13 0x7f08338db9b4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:16
    #14 0x7f08338e5da4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #15 0x7f083504d11e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #16 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #17 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #18 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #19 0x7f083c2221b9 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #20 0x7f0841195428 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #21 0x7f0834ecff77 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #22 0x7f0834ecff77 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #23 0x7f0834ecff77 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #24 0x7f0841194bbf in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #25 0x55bb18b67454 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #26 0x55bb18b67917 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #27 0x7f0855e05082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /gecko/layout/style/nsFontFaceLoader.cpp:356:3 in nsFontFaceLoader::Cancel()
Shadow bytes around the buggy address:
  0x0c1680025d20: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1680025d30: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1680025d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1680025d50: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1680025d60: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c1680025d70: fd fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa
  0x0c1680025d80: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1680025d90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1680025da0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c1680025db0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1680025dc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Comment 1

[Tyson Smith [:tsmith]]

This also seems related

Assertion failure: mFontFaceSet, at /builds/worker/checkouts/gecko/layout/style/nsFontFaceLoader.cpp:358

#0 0x7fdd43560359 in nsFontFaceLoader::Cancel() /builds/worker/checkouts/gecko/layout/style/nsFontFaceLoader.cpp:358:3
#1 0x7fdd4352a269 in mozilla::dom::FontFaceSetWorkerImpl::Destroy()::DestroyRunnable::Run() /builds/worker/checkouts/gecko/layout/style/FontFaceSetWorkerImpl.cpp:152:14
#2 0x7fdd3e1c4b75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#3 0x7fdd3e1c014c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#4 0x7fdd3e1bed1a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#5 0x7fdd3e1bf075 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#6 0x7fdd3e1c8476 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#7 0x7fdd3e1c8476 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#8 0x7fdd3e1ddd15 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#9 0x7fdd3e1e425d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#10 0x7fdd3edd46e3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#11 0x7fdd3ecf81a8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#12 0x7fdd3ecf80b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#13 0x7fdd3ecf80b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#14 0x7fdd4322fc98 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#15 0x7fdd4546693b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#16 0x7fdd3edd55a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#17 0x7fdd3ecf81a8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#18 0x7fdd3ecf80b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#19 0x7fdd3ecf80b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#20 0x7fdd45466498 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#21 0x55b9d7bd8ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#22 0x55b9d7bd8ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#23 0x7fdd51784082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#24 0x55b9d7baf308 in _start (/home/worker/builds/m-c-20230104163752-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 69c1ffca5b49370d7e0abb0b81ef1b7fcf842d41)

Comment 2

[Daniel Holbert [:dholbert]]

Jonathan, would you mind seeing if you can make sense of this from the pernosco session?

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

Having raw pointers in a runnable https://searchfox.org/mozilla-central/rev/d62c4c4d5547064487006a1506287da394b64724/layout/style/FontFaceSetWorkerImpl.cpp#160 is suspicious.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1808832 - Fix FontFaceSetWorkerImpl main-thread destruction. r=aosmond,jfkthame

Comment 5

[Emilio Cobos Álvarez (:emilio)]

Comment on attachment 9317163 [details]
Bug 1808832 - Fix FontFaceSetWorkerImpl main-thread destruction. r=aosmond,jfkthame

Security Approval Request

• How easily could an exploit be constructed based on the patch?: It's not too hard to see what the bug is... Whether it's reliably exploitable or so, I'm not sure.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: All but ESR
• If not all supported branches, which bug introduced the flaw?: Bug 1779009
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?: Should apply cleanly.
• How likely is this patch to cause regressions; how much testing does it need?: not much, it's a very straight-forward refactor.
• Is Android affected?: Yes

Comment 6

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Comment on attachment 9317163 [details]
Bug 1808832 - Fix FontFaceSetWorkerImpl main-thread destruction. r=aosmond,jfkthame

Approved to request uplift and land

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Comment on attachment 9317163 [details]
Bug 1808832 - Fix FontFaceSetWorkerImpl main-thread destruction. r=aosmond,jfkthame

Beta/Release Uplift Approval Request

• User impact if declined: crashes
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: No
• If yes, steps to reproduce: No clear STR
• List of other uplifts needed: none
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Relatively straight-forward fix. If it sticks on try I'm moderately sure it should be fine to uplift.
• String changes made/needed: none
• Is Android affected?: Yes

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Landed: https://hg.mozilla.org/integration/autoland/rev/6b03dec3dd59066292c0af03beadd5e561936815

Backed out for bustages in FontFaceSetWorkerImpl.cpp:
https://hg.mozilla.org/integration/autoland/rev/27ee909a955804fc127a1aa12929b6b1f2b6281f

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=6b03dec3dd59066292c0af03beadd5e561936815&selectedTaskRun=Lg_kVepLRs2FFervMQUbUQ.0
Failure log: https://treeherder.mozilla.org/logviewer?job_id=405482600&repo=autoland

layout/style/FontFaceSetWorkerImpl.cpp:141:5: error: bad implicit conversion constructor for 'DestroyLoadersRunnable'

Comment 9

[Emilio Cobos Álvarez (:emilio)]

Grr, re-landed with that explicit added back

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Fix FontFaceSetWorkerImpl main-thread destruction. r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/f4e41d9f43808bb542fc48344722b2aa051f91f2
https://hg.mozilla.org/mozilla-central/rev/f4e41d9f4380

Comment 11

[Donal Meehan [:dmeehan]]

Comment on attachment 9317163 [details]
Bug 1808832 - Fix FontFaceSetWorkerImpl main-thread destruction. r=aosmond,jfkthame

Approved for 111.0b2
Rejecting release uplift approval the issue is not new in 110, draws less attention rolling out with 111 unless anyone disagrees?

Comment 12

[Donal Meehan [:dmeehan]]

https://hg.mozilla.org/releases/mozilla-beta/rev/533ee13eab83