Closed
Bug 1829255
Opened 1 year ago
Closed 3 months ago
Crash in [@ mozilla::dom::FontFaceSet::cycleCollection::TraverseNative]
Categories
(Core :: Graphics: Text, defect)
RESOLVED
WORKSFORME
People
(Reporter: mccr8, Unassigned, NeedInfo)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/628864f5-965a-4bcd-81d6-c96bc0230416
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so mozilla::dom::FontFaceSet::cycleCollection::TraverseNative layout/style/FontFaceSet.cpp:71
1 libxul.so nsCycleCollectionParticipant::TraverseNativeAndJS xpcom/base/nsCycleCollectionParticipant.h:228
1 libxul.so CCGraphBuilder::BuildGraph xpcom/base/nsCycleCollector.cpp:2058
2 libxul.so nsCycleCollector::MarkRoots xpcom/base/nsCycleCollector.cpp:2681
3 libxul.so nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3441
4 libxul.so nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:3945
5 libxul.so mozilla::dom::workerinternals:: dom/workers/RuntimeService.cpp:817
6 libxul.so mozilla::CycleCollectedJSRuntime::OnGC xpcom/base/CycleCollectedJSRuntime.cpp:1884
7 libxul.so js::gc::GCRuntime::callGCCallback const js/src/gc/GC.cpp:1448
7 libxul.so js::gc::GCRuntime::maybeCallGCCallback js/src/gc/GC.cpp:4110
This one is fun. We're crashing on a null deref on this line:
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_RAWPTR(mImpl->GetDocument());
I think this means that mImpl is null.
How does that happen? Well, if you look way, way up the stack you can see that we're inside a nested event loop that FontFaceSetWorkerImpl::Initialize is spinning. I suspect the FontFaceSet we're initializing is the same one we're crashing on in the cycle collector.
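A minimal model of the scenario suspected in the description above, added here as an illustration; it is not Gecko code and not part of the bug report. All names (Impl, Owner, Collector, SpinUntil, RunScenario) are hypothetical, and the ordering in which the impl pointer is only assigned after the nested loop returns is an assumption taken from the reporter's hypothesis. It shows a collector traversing an object whose impl pointer is still null, and that a null check in the traverse, or assigning the pointer before spinning, avoids the dereference.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Simplified model with hypothetical names; not Gecko code.
struct Impl {
  int mDocument = 1;
  int* GetDocument() { return &mDocument; }
};
struct Owner {                    // stands in for the traversed object
  std::unique_ptr<Impl> mImpl;    // null until initialization finishes
};

struct Collector {
  std::vector<Owner*> mTracked;
  int mNullImplSeen = 0;
  int mEdgesVisited = 0;
  void Collect() {
    for (Owner* o : mTracked) {
      // The unguarded form, o->mImpl->GetDocument(), is a null deref here.
      if (!o->mImpl) { ++mNullImplSeen; continue; }
      if (o->mImpl->GetDocument()) ++mEdgesVisited;
    }
  }
};

using Queue = std::deque<std::function<void()>>;

// Nested event loop: runs queued tasks until `done` is set.
void SpinUntil(Queue& q, bool& done) {
  while (!done && !q.empty()) {
    auto task = std::move(q.front());
    q.pop_front();
    task();
  }
}

// Returns how many half-initialized objects the collector traversed.
int RunScenario(bool assignImplBeforeSpin) {
  Collector cc; Queue q; Owner owner; bool done = false;
  cc.mTracked.push_back(&owner);        // already visible to the collector
  q.push_back([&] { cc.Collect(); });   // collection fires inside the spin
  q.push_back([&] { done = true; });    // initialization work completes
  if (assignImplBeforeSpin) owner.mImpl = std::make_unique<Impl>();
  SpinUntil(q, done);
  if (!owner.mImpl) owner.mImpl = std::make_unique<Impl>();
  return cc.mNullImplSeen;
}
```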
Updated•1 year ago
Severity: -- → S3
Flags: needinfo?(jfkthame)
Comment 1•3 months ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → WORKSFORME