Closed Bug 1886924 Opened 11 months ago Closed 11 months ago

Assertion failure: mFontFaceSet, at /home/user/code/mozilla-unified/layout/style/nsFontFaceLoader.cpp:355

Categories

(Core :: Layout: Text and Fonts, defect)

defect

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 + fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, pernosco, regression)

Crash Data

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site
  • Close tab once page loads

This issue was triggered by visiting http://xbox.com/.

Assertion failure: mFontFaceSet, at /home/user/code/mozilla-unified/layout/style/nsFontFaceLoader.cpp:355

0|0|libxul.so|nsFontFaceLoader::Cancel()|hg:hg.mozilla.org/mozilla-unified:layout/style/nsFontFaceLoader.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|355|0x268
0|1|libxul.so|mozilla::dom::FontFaceSetImpl::DestroyLoaders()|hg:hg.mozilla.org/mozilla-unified:layout/style/FontFaceSetImpl.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|98|0xcd
0|2|libxul.so|mozilla::dom::FontFaceSetImpl::Destroy()|hg:hg.mozilla.org/mozilla-unified:layout/style/FontFaceSetImpl.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|134|0x76
0|3|libxul.so|mozilla::dom::FontFaceSetDocumentImpl::Destroy()|hg:hg.mozilla.org/mozilla-unified:layout/style/FontFaceSetDocumentImpl.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|104|0x87
0|4|libxul.so|mozilla::dom::FontFaceSet::cycleCollection::Unlink(void*)|hg:hg.mozilla.org/mozilla-unified:layout/style/FontFaceSet.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|82|0x40
0|5|libxul.so|nsCycleCollector::CollectWhite()|hg:hg.mozilla.org/mozilla-unified:xpcom/base/nsCycleCollector.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|3161|0x43e
0|6|libxul.so|nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool)|hg:hg.mozilla.org/mozilla-unified:xpcom/base/nsCycleCollector.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|3527|0x2fc
0|7|libxul.so|nsCycleCollector::ShutdownCollect()|hg:hg.mozilla.org/mozilla-unified:xpcom/base/nsCycleCollector.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|3438|0xad
0|8|libxul.so|nsCycleCollector::Shutdown(bool)|hg:hg.mozilla.org/mozilla-unified:xpcom/base/nsCycleCollector.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|3737|0x46
0|9|libxul.so|nsCycleCollector_shutdown(bool)|hg:hg.mozilla.org/mozilla-unified:xpcom/base/nsCycleCollector.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|4063|0xd8
0|10|libxul.so|mozilla::ShutdownXPCOM(nsIServiceManager*)|hg:hg.mozilla.org/mozilla-unified:xpcom/build/XPCOMInit.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|706|0x474
0|11|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-unified:toolkit/xre/nsEmbedFunctions.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|651|0x625
0|12|firefox|main|hg:hg.mozilla.org/mozilla-unified:browser/app/nsBrowserApp.cpp:d9466bebb4c96b99a227f35b5a7e86bd0c8f5bb5|375|0x439

A Pernosco session is available here: https://pernos.co/debug/ecfyuJ6vm-9-8FKeF80GfQ/index.html

This was created with an -O1 build. If there are any issue preventing debugging please let me know.

Keywords: pernosco
Crash Signature: [@ nsFontFaceLoader::Cancel ]
Keywords: regression
Regressed by: 1808813

This assertion is also being reported with a similar stack:

Assertion failure: !mInLoadTimerCallback, at /builds/worker/checkouts/gecko/layout/style/nsFontFaceLoader.cpp:353

Set release status flags based on info from the regressing bug 1808813

:jfkthame, since you are the author of the regressor, bug 1808813, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)

I'm going to request the Sheriffs backout Bug 1808813.
The volume is low now but don't want to head into the weekend with this.

Yeah, that's probably best for now - thanks. (I think I have a fix for this but was on PTO the last couple days and haven't had time to get it tested/reviewed/landed yet. Will follow up next week.)

Flags: needinfo?(jfkthame)
Crash Signature: [@ nsFontFaceLoader::Cancel ] → [@ gfxUserFontEntry::LoadCanceled] [@ nsFontFaceLoader::Cancel ]
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED

It looks like this crash also showed up on Android under the not-very-signature [@ __aarch64_ldadd8_rel ]: bp-8cc066b1-94a1-4fd1-bcd1-ef8240240323

Crash Signature: [@ gfxUserFontEntry::LoadCanceled] [@ nsFontFaceLoader::Cancel ] → [@ gfxUserFontEntry::LoadCanceled] [@ nsFontFaceLoader::Cancel ] [@ __aarch64_ldadd8_rel ]
You need to log in before you can comment on or make changes to this bug.