1845813 - [macOS 14] Crash in font code on Apple Silicon, on macOS 14 Beta 4

Status: VERIFIED FIXED

(Core :: Graphics: Text, defect, P3)

Description

[Ryan VanderMeulen [:RyanVM]]

Crash report: https://crash-stats.mozilla.org/report/index/5c7acb71-9cdc-4abe-8d53-5745e0230727

MOZ_CRASH Reason: MOZ_CRASH(Unhandled exception)

Top 10 frames of crashing thread:

0  XUL  CrashReporter::TerminateHandler  toolkit/crashreporter/nsExceptionHandler.cpp:1866
1  libc++abi.dylib  libc++abi.dylib@0x10a98  
2  libc++abi.dylib  libc++abi.dylib@0x13a44  
3  libc++abi.dylib  libc++abi.dylib@0x139f0  
4  libobjc.A.dylib  libobjc.A.dylib@0x1a018  
5  CoreFoundation  CoreFoundation@0x3847c  
6  CoreFoundation  CoreFoundation@0x65620  
7  CoreText  CoreText@0x26234  
8  CoreText  CoreText@0x25f84  
9  CoreText  CoreText@0x25ec4  

Comment 1

[Steven Michaud [:smichaud] (Retired)]

This looks like a bug in macOS 14 Beta 4 (build 23A5301g), which came out a few days ago.

https://crash-stats.mozilla.org/search/?proto_signature=~ScaledFont&platform_version=%21%5E10.&platform=Mac%20OS%20X&date=%3E%3D2023-07-20T21%3A20%3A00.000Z&date=%3C2023-07-27T21%3A20%3A00.000Z&_facets=signature&_facets=platform_version&_facets=proto_signature&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-platform_version

I've scraped its symbols, but they haven't yet been uploaded to the symbol server. So this bug's crash stacks aren't yet symbolicated.

Comment 2

[Steven Michaud [:smichaud] (Retired)]

There are lots of these, especially in proportion to the (presumably small) number of Firefox users on macOS 14, and they're all on Apple Silicon. They're also mostly startup crashes.

https://crash-stats.mozilla.org/search/?proto_signature=~ScaledFont&platform_version=%21%5E10.&platform=Mac%20OS%20X&date=%3E%3D2023-07-20T21%3A27%3A00.000Z&date=%3C2023-07-27T21%3A27%3A00.000Z&_facets=signature&_facets=platform_version&_facets=proto_signature&_facets=cpu_arch&_facets=uptime&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-uptime

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Comment 4

[:glob ✱]

I've been told that ctrl-tabbing between tab is a reliable way to reproduce this crash.

Comment 5

[Steven Michaud [:smichaud] (Retired)]

The symbols I scraped have now been uploaded to the symbol server, and the last week's macOS 14 Beta 4 crash reports have been reprocessed. So the signature of these crashes has "changed".

Here's a typical crash stack. (Edit: This one is much more typical.)

Crashing Thread (0), Name: MainThread
Frame  Module  Signature  Source  Trust
0  XUL  CrashReporter::TerminateHandler()  toolkit/crashreporter/nsExceptionHandler.cpp:1866  context
1  libc++abi.dylib  std::__terminate(void (*)())   cfi
2  libc++abi.dylib  __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*)   cfi
3  libc++abi.dylib  __cxa_throw   cfi
4  libobjc.A.dylib  objc_exception_throw   cfi
5  CoreFoundation  -[__NSDictionaryM setObject:forKey:]   cfi
6  CoreFoundation  -[NSMutableDictionary addEntriesFromDictionary:]   cfi
7  CoreText  TDescriptor::TDescriptor(TDescriptor const&, __CFDictionary const*)   cfi
8  CoreText  TCFBase_NEW<CTFontDescriptor, CTFontDescriptor*, __CFDictionary const*>(CTFontDescriptor*, __CFDictionary const*&&)   frame_pointer
9  CoreText  CTFontDescriptorCreateCopyWithAttributes   frame_pointer
10  XUL  mozilla::gfx::UnscaledFontMac::CreateScaledFont(float, unsigned char const*, unsigned int, mozilla::gfx::FontVariation const*, unsigned int)  gfx/2d/ScaledFontMac.cpp:724  frame_pointer
11  XUL  mozilla::gfx::RecordedScaledFontCreation::PlayEvent(mozilla::gfx::Translator*) const  gfx/2d/RecordedEventImpl.h:3803  cfi
12  XUL  mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0::operator()(mozilla::gfx::RecordedEvent*) const  gfx/2d/InlineTranslator.cpp:78  inlined
12  XUL  std::__1::__invoke[abi:v15006]<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0&, mozilla::RecordedEvent*>(mozilla::RecordedEvent*&&, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0&)  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/invoke.h:394  inlined
12  XUL  std::__1::__invoke_void_return_wrapper<bool, false>::__call<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0&, mozilla::gfx::RecordedEvent*>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0&, mozilla::gfx::RecordedEvent*)  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/invoke.h:470  inlined
12  XUL  std::__1::__function::__alloc_func<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0, std::__1::allocator<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>, bool (mozilla::gfx::RecordedEvent*)>::operator()[abi:v15006](mozilla::gfx::RecordedEvent*&&)  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/function.h:185  inlined
12  XUL  std::__1::__function::__func<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0, std::__1::allocator<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>, bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*&&)  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/function.h:359  cfi
13  XUL  std::__1::__function::__value_func<bool (mozilla::gfx::RecordedEvent*)>::operator()[abi:v15006](mozilla::gfx::RecordedEvent*&&) const  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/function.h:512  inlined
13  XUL  std::__1::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__functional/function.h:1197  inlined
13  XUL  mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::__1::function<bool (mozilla::gfx::RecordedEvent*)> const&)  gfx/2d/RecordedEventImpl.h:4191  cfi
14  XUL  mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)  gfx/2d/InlineTranslator.cpp:68  cfi
15  XUL  mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0::operator()(nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&) const  gfx/ipc/CrossProcessPaint.cpp:267  inlined
15  XUL  mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::InvokeMethod<mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0, void (mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0::*)(nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&) const, nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> > >(mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0*, void (mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0::*)(nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&) const, nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&)  xpcom/threads/MozPromise.h:654  inlined
15  XUL  mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::InvokeCallbackMethod<false, mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0, void (mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0::*)(nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&) const, nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, RefPtr<mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::Private> >(mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0*, void (mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0::*)(nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&) const, nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >&&, RefPtr<mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::Private>&&)  xpcom/threads/MozPromise.h:685  inlined
15  XUL  mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::ThenValue<mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_0, mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags, mozilla::dom::Promise*)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::ResolveOrRejectValue&)  xpcom/threads/MozPromise.h:870  cfi
16  XUL  mozilla::MozPromise<nsRefCountedHashtable<nsIntegralHashKey<unsigned long long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run()  xpcom/threads/MozPromise.h:490  cfi
17  XUL  mozilla::RunnableTask::Run()  xpcom/threads/TaskController.cpp:559  cfi
18  XUL  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)  xpcom/threads/TaskController.cpp:886  cfi
19  XUL  mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)  xpcom/threads/TaskController.cpp:709  inlined
19  XUL  mozilla::TaskController::ProcessPendingMTTask(bool)  xpcom/threads/TaskController.cpp:495  inlined
19  XUL  mozilla::TaskController::TaskController()::$_0::operator()() const  xpcom/threads/TaskController.cpp:218  inlined
19  XUL  mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run()  xpcom/threads/nsThreadUtils.h:548  cfi
20  XUL  nsThread::ProcessNextEvent(bool, bool*)  xpcom/threads/nsThread.cpp:1199  inlined
20  XUL  NS_ProcessPendingEvents(nsIThread*, unsigned int)  xpcom/threads/nsThreadUtils.cpp:445  cfi
21  XUL  nsBaseAppShell::NativeEventCallback()  widget/nsBaseAppShell.cpp:87  cfi
22  XUL  nsAppShell::ProcessGeckoEvents(void*)  widget/cocoa/nsAppShell.mm:514  cfi
23  CoreFoundation  __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__   cfi
24  CoreFoundation  __CFRunLoopDoSource0   cfi
25  CoreFoundation  __CFRunLoopDoSources0   cfi
26  CoreFoundation  __CFRunLoopRun   cfi
27  CoreFoundation  CFRunLoopRunSpecific   cfi
28  HIToolbox  RunCurrentEventLoopInMode   cfi
29  HIToolbox  ReceiveNextEventCommon   cfi
30  HIToolbox  _BlockUntilNextEventMatchingListInModeWithFilter   cfi
31  AppKit  _DPSNextEvent   cfi
32  AppKit  -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]   cfi
33  XUL  -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]  widget/cocoa/nsAppShell.mm:178  cfi
34  AppKit  -[NSApplication run]   cfi
35  XUL  nsAppShell::Run()  widget/cocoa/nsAppShell.mm:838  cfi
36  XUL  nsAppStartup::Run()  toolkit/components/startup/nsAppStartup.cpp:295  cfi
37  XUL  XREMain::XRE_mainRun()  toolkit/xre/nsAppRunner.cpp:5672  cfi
38  XUL  XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)  toolkit/xre/nsAppRunner.cpp:5873  cfi
39  XUL  XRE_main(int, char**, mozilla::BootstrapConfig const&)  toolkit/xre/nsAppRunner.cpp:5929  cfi
40  firefox  do_main(int, char**, char**)  browser/app/nsBrowserApp.cpp:227  inlined
40  firefox  main  browser/app/nsBrowserApp.cpp:445  cfi
41  dyld  start   cfi

Comment 6

[Steven Michaud [:smichaud] (Retired)]

Another way to search for these crashes:

https://crash-stats.mozilla.org/search/?signature=~failed_throw&platform_version=~14.0.0%2023A5301g&platform=Mac%20OS%20X&date=%3E%3D2023-07-17T15%3A00%3A00.000Z&date=%3C2023-07-31T15%3A00%3A00.000Z&_facets=signature&_facets=proto_signature&_facets=cpu_arch&_facets=uptime&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-proto_signature

Comment 7

[Steven Michaud [:smichaud] (Retired)]

(In reply to :glob ✱ from comment #4)

I've been told that ctrl-tabbing between tab is a reliable way to reproduce this crash.

Not for me. There must be some other, additional factor involved. I tested with Firefox 15.0.3 on macOS 14 Beta 4 (build 23A5301g), running on an Apple Silicon machine (a 2020 Mac Mini).

By the way, this feature is off by default. You may need to turn it on to use it.

Comment 9

[Steven Michaud [:smichaud] (Retired)]

These crashes are still happening on macOS 14 Beta 4 Update (build 23A5301h, aka Public Beta 2), which came out yesterday:

https://crash-stats.mozilla.org/search/?proto_signature=~CTFontDescriptorCreateCopyWithAttributes&platform=Mac%20OS%20X&date=%3E%3D2023-07-19T02%3A17%3A00.000Z&date=%3C2023-08-02T02%3A17%3A00.000Z&_facets=signature&_facets=platform_version&_facets=cpu_arch&_facets=proto_signature&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-platform_version

Comment 10

[Haik Aftandilian [:haik]]

(In reply to :glob ✱ from comment #4)

I've been told that ctrl-tabbing between tab is a reliable way to reproduce this crash.

I've been seeing it when dragging a Google docs tab out of the tab bar to a new window.

Comment 11

[Haik Aftandilian [:haik]]

I can reproduce this reliably and in the two crashes I looked into the font causing the crash was GoogleSans-Regular_Text-Regular.

My steps to reproduce on a local build are to open a second tab and visit fonts.google.com, then wait for the fonts to load, scroll down through several pages of fonts and then drag the font off the tab bar to move it to a new window. That triggers a browser crash.

Looking at the stack frame for CreateScaledFont, I see that the font is GoogleSans-Regular_Text-Regular:

(lldb) frame info
frame #13: 0x0000000110d072d0 XUL`mozilla::gfx::UnscaledFontMac::CreateScaledFont(this=0x000000012cb4b2c0, aGlyphSize=<unavailable>, aInstanceData="", aInstanceDataLength=<unavailable>, aVariations=<unavailable>, aNumVariations=<unavailable>) at ScaledFontMac.cpp:722:11 [opt]
(lldb) print (CGFontRef)(*this).mFont
(CGFontRef) 0x00000001480eb800
(lldb) po 0x00000001480eb800
<CGFont (0x1480eb800): GoogleSans-Regular_Text-Regular>

@jfkthame or @lsalzman, do we have enough information to say if this is a macOS bug or our bug at this point?

Comment 12

[Jonathan Kew [:jfkthame]]

It smells like a macOS bug to me, but I don't have any sort of proof of that. Can you try examining (*this).mFontDesc (which should be a CTFontDescriptorRef) in that same frame?

Comment 13

[Haik Aftandilian [:haik]]

Sure, here are both args.

(lldb) up
frame #13: 0x000000028304a100 XUL`mozilla::gfx::UnscaledFontMac::CreateScaledFont(this=0x000000010b095c80, aGlyphSize=24, aInstanceData="", aInstanceDataLength=20, aVariations=0x00000001650ee2f8, aNumVariations=1) at ScaledFontMac.cpp:722:11
   719 	          (const void**)&varDict, 1, &kCFTypeDictionaryKeyCallBacks,
   720 	          &kCFTypeDictionaryValueCallBacks);
   721 	      AutoRelease<CTFontDescriptorRef> fontDesc(
-> 722 	          CTFontDescriptorCreateCopyWithAttributes(mFontDesc, varAttr));
   723 	      if (!fontDesc) {
   724 	        return nullptr;
   725 	      }
(lldb) frame variabl
(mozilla::gfx::UnscaledFontMac *) this = 0x000000010b095c80
(mozilla::gfx::Float) aGlyphSize = 24
(const uint8_t *) aInstanceData = 0x000000011c521300 ""
(uint32_t) aInstanceDataLength = 20
(const mozilla::gfx::FontVariation *) aVariations = 0x00000001650ee2f8
(uint32_t) aNumVariations = 1
(const mozilla::gfx::ScaledFontMac::InstanceData &) instanceData = 0x000000011c521300: {
  mFontSmoothingBackgroundColor = (r = 0, g = 0, b = 0, a = 0)
  mUseFontSmoothing = true
  mApplySyntheticBold = false
  mHasColorGlyphs = false
}
(RefPtr<mozilla::gfx::ScaledFontMac>) scaledFont = {
  mRawPtr = nullptr
}
(mozilla::gfx::AutoRelease<const __CTFont *>) font = (mObject = 0x0000000125b91600)
(mozilla::gfx::AutoRelease<const __CFDictionary *>) varDict = {
  mObject = nullptr
}
(CFDictionaryRef) varAttr = 0x000000010b0961c0 1 key/value pair
(mozilla::gfx::AutoRelease<const __CTFontDescriptor *>) fontDesc = (mObject = 0xaaaaaaaaaaaaaaaa)

(lldb) po (*this).mFontDesc
NSCTFontDescriptor <0x100372740> = {
    NSFontNameAttribute = "GoogleSans-Regular";
}

(lldb) po varAttr
{
    NSCTFontVariationAttribute = (null);
}

Comment 14

[Haik Aftandilian [:haik]]

And here's the exception message referring to the null NSCTFontVariationAttribute attribute.

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '
*** -[__NSDictionaryM setObject:forKey:]: object cannot be nil (key: NSCTFontVariationAttribute)'

Comment 15

[Haik Aftandilian [:haik]]

Attachment: Apple Feedback Assistant Request FB12837292

I've filed FB12837292 "macOS Sonoma Beta Crash in CTFontDescriptorCreateCopyWithAttributes" and made our Apple contact aware of it.

Comment 16

[Jonathan Kew [:jfkthame]]

This may actually be our bug. Given the details above, I found what looks suspiciously like a missing null-check in UnscaledFontMac::CreateScaledFont. I'll attach a patch that I think may fix this, but it's untested as I don't have a suitable system to test locally.

Haik (or anyone with the right system!), if you can confirm whether this resolves the crash that would be great - thanks!

Comment 17

[Jonathan Kew [:jfkthame]]

Attachment: Bug 1845813 - Null-check the variation tag dictionary before trying to apply it to the font. r=#gfx-reviewers

Comment 18

[Pulsebot]

Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2cc22534ecd
Null-check the variation tag dictionary before trying to apply it to the font. r=gfx-reviewers,lsalzman

Comment 19

[Haik Aftandilian [:haik]]

(In reply to Jonathan Kew [:jfkthame] from comment #16)

Haik (or anyone with the right system!), if you can confirm whether this resolves the crash that would be great - thanks!

I haven't been able to reproduce the problem with the patch so far. I've tried my repro steps about 10 times so it's looking good.

Comment 20

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/b2cc22534ecd

Comment 21

[Ryan VanderMeulen [:RyanVM]]

Grafts cleanly all the way to ESR102, so that's nice.

Comment 22

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox117 to wontfix.

For more information, please visit BugBot documentation.

Comment 23

[Jonathan Kew [:jfkthame]]

Comment on attachment 9347108 [details]
Bug 1845813 - Null-check the variation tag dictionary before trying to apply it to the font. r=#gfx-reviewers

Beta/Release Uplift Approval Request

• User impact if declined: Crashiness on recent macOS versions
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Trivial patch, just adds a null-check before calling a macOS API
• String changes made/needed:
• Is Android affected?: No

Comment 24

[Dianna Smith [:diannaS]]

Comment on attachment 9347108 [details]
Bug 1845813 - Null-check the variation tag dictionary before trying to apply it to the font. r=#gfx-reviewers

Approved for 117.0b6

Comment 25

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/3742282c18a9

Comment 26

[Catalin Sasca, Desktop Test Engineering [:csasca]]

We were able to reproduce the crash on two systems (M1 and M2) on Firefox 117.0a1 (2023-07-27) on macOS 14 Developer Beta 4 (build 23A5301g) and Public Beta 2 (23A5301h).

The crash is no longer reproducible on Firefox 117.0b6 and Firefox 118.0a1 (2023-08-10) on the same systems above mentioned.

Seems that Apple fixed the issue on their part as well, so on macOS 14 Public Beta 3 (23A5312d) which was just released, the crash is no longer ocurring even on the affected builds.

Comment 27

[Steven Michaud [:smichaud] (Retired)]

I've opened bug 1848567 about the sudden appearance of [@ libc++abi.dylib@0x10a98] in this bug's signatures.

Comment 28

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9347108 [details]
Bug 1845813 - Null-check the variation tag dictionary before trying to apply it to the font. r=#gfx-reviewers

Approved for 115.2esr and 102.15esr.

Comment 29

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/18b5b844ca52

Comment 30

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr102/rev/98cdbe116092

Comment 31

[Catalin Sasca, Desktop Test Engineering [:csasca]]

Verified that the issue is fixed on both Firefox 102.15.0esr and Firefox 115.2.0esr as well.