Closed Bug 1878182 Opened 1 year ago Closed 1 year ago

Assertion failure: mScaledFont, at /builds/worker/checkouts/gecko/gfx/2d/ScaledFontBase.cpp:130

Categories

(Core :: Printing: Output, defect)

Product:
Core
Component:
Printing: Output
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- fixed
firefox122 --- wontfix
firefox123 --- fixed
firefox124 --- verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
185 bytes, text/html
Details
Bug 1878182 - Instantiate Cairo scaled font for ScaledFontBase::GetPathForGlyphs. r?jfkthame
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
pascalc
: approval-mozilla-esr115+
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20240121-b6f41f48017c (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mScaledFont, at /builds/worker/checkouts/gecko/gfx/2d/ScaledFontBase.cpp:130

#0 0x7f4c17c8b1a1 in mozilla::gfx::ScaledFontBase::GetPathForGlyphs(mozilla::gfx::GlyphBuffer const&, mozilla::gfx::DrawTarget const*) /builds/worker/checkouts/gecko/gfx/2d/ScaledFontBase.cpp:130:5
#1 0x7f4c17c25086 in mozilla::gfx::DrawTarget::StrokeGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&) /builds/worker/checkouts/gecko/gfx/2d/DrawTarget.cpp:201:30
#2 0x7f4c17c11556 in mozilla::gfx::RecordedDrawGlyphs<mozilla::gfx::RecordedStrokeGlyphs>::PlayEvent(mozilla::gfx::Translator*) const /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2649:3
#3 0x7f4c17c87b81 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#4 0x7f4c17c87b81 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventStream>(mozilla::gfx::EventStream&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4356:5
#5 0x7f4c1c830a97 in mozilla::layout::PrintTranslator::TranslateRecording(mozilla::layout::PRFileDescStream&) /builds/worker/checkouts/gecko/layout/printing/PrintTranslator.cpp:54:20
#6 0x7f4c1c8334ac in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:179:26
#7 0x7f4c1c8332e5 in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:158:17
#8 0x7f4c1c83303d in mozilla::layout::RemotePrintJobParent::RecvProcessPage(int const&, int const&, nsTArray<unsigned long>&&) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:132:5
#9 0x7f4c1c2b5fc4 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:389:52
#10 0x7f4c1b8c78a5 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6814:32
#11 0x7f4c177577cf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#12 0x7f4c17754522 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#13 0x7f4c177551a2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#14 0x7f4c177562ef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#15 0x7f4c16a65a77 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#16 0x7f4c16a5b1e6 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#17 0x7f4c16a599c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#18 0x7f4c16a59e45 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#19 0x7f4c16a69a16 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#20 0x7f4c16a69a16 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#21 0x7f4c16a7ed82 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#22 0x7f4c16a85ecd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#23 0x7f4c1775d735 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#24 0x7f4c176779d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#25 0x7f4c176779d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#26 0x7f4c1bfafda8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#27 0x7f4c1c06d3e8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#28 0x7f4c1dd123c4 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296:30
#29 0x7f4c1de7ba42 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5729:22
#30 0x7f4c1de7d0f0 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5941:8
#31 0x7f4c1de7dd72 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5998:21
#32 0x55850a6a32c7 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
#33 0x55850a6a32c7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
#34 0x7f4c2ba29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#35 0x7f4c2ba29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#36 0x55850a6790e8 in _start (/home/user/workspace/browsers/m-c-20240201173838-fuzzing-debug/firefox-bin+0x590e8) (BuildId: 3158970e7ac1bc3dd3d8206f2d8c2427846e3ccf)
Flags: in-testsuite?

The testcase leads to 7GB+ memory use, causing an OOM crash : https://crash-stats.mozilla.org/report/index/d6c1fd95-5201-4bdf-8114-9a3740240202

Verified bug as reproducible on mozilla-central 20240201173838-366005a91eda.
The bug appears to have been introduced in the following build range:

Start: 2a7dd75d1bfc1693115b94b3e424e58b331cefab (20240117040825)
End: 71000174812fc0992b6793e53ac5f11f1b87bdc0 (20240117050436)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a7dd75d1bfc1693115b94b3e424e58b331cefab&tochange=71000174812fc0992b6793e53ac5f11f1b87bdc0

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:lsalzman can you take a look? This might be caused by bug 1874810.

status-firefox122: --- → unaffected
status-firefox123: --- → affected
status-firefox-esr115: --- → unaffected
Flags: needinfo?(lsalzman)
Regressed by: 1874810
Flags: needinfo?(lsalzman)

This bug likely dates back to bug 1584268, which makes it so that Cairo scaled fonts must be
instantiated on demand for their first use. It seems like some StrokeGlyphs machinery got
overlooked and somehow never caused a problem till now.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Severity: -- → S3
status-firefox122: unaffectedaffected
status-firefox-esr115: unaffectedaffected
Regressed by: 1584268
No longer regressed by: 1874810
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/99e2c56136a6 Instantiate Cairo scaled font for ScaledFontBase::GetPathForGlyphs. r=jfkthame

https://hg.mozilla.org/mozilla-central/rev/99e2c56136a6

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox124: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

Verified bug as fixed on rev mozilla-central 20240203092120-f8d442e9495d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox124: fixedverified
Keywords: bugmon

The patch landed in nightly and beta is affected.
:lsalzman, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(lsalzman)

Comment on attachment 9377987 [details]
Bug 1878182 - Instantiate Cairo scaled font for ScaledFontBase::GetPathForGlyphs. r?jfkthame

Beta/Release Uplift Approval Request

  • User impact if declined: Printing may fail to render text or crash.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fairly small, isolated change to some context instantiation code.
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version: 124
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Flags: needinfo?(lsalzman)
Attachment #9377987 - Flags: approval-mozilla-esr115?
Attachment #9377987 - Flags: approval-mozilla-beta?

Comment on attachment 9377987 [details]
Bug 1878182 - Instantiate Cairo scaled font for ScaledFontBase::GetPathForGlyphs. r?jfkthame

Approved for 123 beta 8 and ESR, thanks.

Attachment #9377987 - Flags: approval-mozilla-esr115?
Attachment #9377987 - Flags: approval-mozilla-esr115+
Attachment #9377987 - Flags: approval-mozilla-beta?
Attachment #9377987 - Flags: approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: