Closed Bug 1872917 Opened 1 year ago Closed 10 months ago

firefox: /gfx/cairo/cairo/src/cairo-ft-font.c:555: void _cairo_ft_unscaled_font_fini(cairo_ft_unscaled_font_t *): Assertion `unscaled->face == ((void*)0)' failed.

Categories: Core :: Graphics: Text, defect, P3 (x86_64, Linux)
Status: RESOLVED WORKSFORME
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev cc67c788cded (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cc67c788cded --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
firefox: /gfx/cairo/cairo/src/cairo-ft-font.c:555: void _cairo_ft_unscaled_font_fini(cairo_ft_unscaled_font_t *): Assertion `unscaled->face == ((void*)0)' failed.

    ==1535077==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e800176c65 (pc 0x7fe16422a9fc bp 0x000000176c65 sp 0x7ffca56566d0 T1535077)
        #0 0x7fe16422a9fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
        #1 0x7fe16422a9fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
        #2 0x7fe16422a9fc in pthread_kill nptl/pthread_kill.c:89:10
        #3 0x7fe1641d6475 in gsignal signal/../sysdeps/posix/raise.c:26:13
        #4 0x7fe1641bc7f2 in abort stdlib/abort.c:79:7
        #5 0x7fe1641bc71a in __assert_fail_base assert/assert.c:92:3
        #6 0x7fe1641cde95 in __assert_fail assert/assert.c:101:3
        #7 0x7fe154eed4c7 in _cairo_ft_unscaled_font_fini /gfx/cairo/cairo/src/cairo-ft-font.c:555:5
        #8 0x7fe154eed4c7 in _cairo_ft_unscaled_font_map_pluck_entry /gfx/cairo/cairo/src/cairo-ft-font.c:374:5
        #9 0x7fe154f418ce in _cairo_hash_table_foreach /gfx/cairo/cairo/src/cairo-hash.c:567:6
        #10 0x7fe154ee8fb6 in _cairo_ft_unscaled_font_map_destroy /gfx/cairo/cairo/src/cairo-ft-font.c:389:2
        #11 0x7fe154ee8fb6 in _cairo_ft_font_reset_static_data /gfx/cairo/cairo/src/cairo-ft-font.c:4087:5
        #12 0x7fe154f3a922 in _moz_cairo_debug_reset_static_data /gfx/cairo/cairo/src/cairo-debug.c:72:5
        #13 0x7fe1502873df in gfxPlatform::Shutdown() /gfx/thebes/gfxPlatform.cpp:1295:14
        #14 0x7fe1549ea8b7 in nsLayoutModuleDtor() /layout/build/nsLayoutModule.cpp:238:3
        #15 0x7fe14ebf7851 in nsComponentManagerImpl::Shutdown() /xpcom/components/nsComponentManager.cpp:564:3
        #16 0x7fe14ec7a457 in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:717:54
        #17 0x7fe15604c59d in ScopedXPCOMStartup::~ScopedXPCOMStartup() /toolkit/xre/nsAppRunner.cpp:1985:5
        #18 0x7fe15605bb1f in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
        #19 0x7fe15605bb1f in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
        #20 0x7fe15605bb1f in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
        #21 0x7fe15605bb1f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5939:16
        #22 0x7fe15605c6f2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5974:21
        #23 0x55ba126db067 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #24 0x55ba126db067 in main /browser/app/nsBrowserApp.cpp:445:16
        #25 0x7fe1641bdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #26 0x7fe1641bde3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #27 0x55ba126b0e88 in _start (/home/jkratzer/builds/m-c-20240103050624-fuzzing-debug/firefox-bin+0x58e88) (BuildId: aa23fae85b8207972de3dfc7e203b3a922740df3)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: ABRT nptl/pthread_kill.c:44:76 in __pthread_kill_implementation
    ==1535077==ABORTING
Attached file Testcase

Jonathan, appears to be in your wheelhouse. Mind having a look?

Severity: -- → S3
Component: Graphics → Graphics: Text
Flags: needinfo?(jfkthame)
Priority: -- → P3
Attachment #9370937 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20240104213501-45533d2448ef.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: db88fa190f63506c1da204a5ff73202d679611e9 (20230106041444)
End: cc67c788cded515a24f96c72c8a12b87a2cd1b3a (20240103050624)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20240103050624-cc67c788cded) but not with tip (mozilla-central 20240412214434-be4463b26a49).

The bug appears to have been fixed in the following build range:

Start: c01d5c731e217f060f33a08b9cc9216d1b352b17 (20240409214147)
End: c6228adca1a9c453ab8514c86ee26ee9a7903d27 (20240410001840)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c01d5c731e217f060f33a08b9cc9216d1b352b17&tochange=c6228adca1a9c453ab8514c86ee26ee9a7903d27

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jfkthame) → needinfo?(jkratzer)
Keywords: bugmon

I'm not sure exactly why, but https://hg.mozilla.org/integration/autoland/rev/c6228adca1a9c453ab8514c86ee26ee9a7903d27 is the only thing that touches printing. Jonathan, any idea if this may have inadvertently fixed the issue?

Flags: needinfo?(jkratzer) → needinfo?(jfkthame)

I don't see anything there that makes sense to me as fixing this; but maybe something affected the pattern of cairo object lifetimes in some way such that they now get cleaned up more correctly. Given that this code only runs in debug builds, as part of shutdown, it's probably not worth spending a lot of time to try and figure out exactly what changed.

So for now, I think we can just close as WFM. If it reappears in some form, probably the best chance of resolving it would be if we can capture a Pernosco trace.

Status: NEW → RESOLVED
Closed: 10 months ago
Flags: needinfo?(jfkthame)
Resolution: --- → WORKSFORME
