Open Bug 1962172 Opened 7 months ago Updated 5 days ago

Intermittent Assertion failure: sInServoTraversal || NS_IsMainThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33

Categories: Core :: Layout: Text and Fonts, defect, P5
Status: ASSIGNED
Tracking Status: firefox142 --- affected
People: Reporter: intermittent-bug-filer, Assigned: jfkthame, NeedInfo
References: Blocks 1 open bug
Details: Keywords: assertion, intermittent-failure, Whiteboard: [fuzzblocker]
Attachments: 2 files

Filed by: agoloman [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=505162005&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/YOpxnZpzR02z98d_Kw5PjA/runs/0/artifacts/public/logs/live_backing.log


[task 2025-04-23T13:55:16.378Z] 13:55:16     INFO - TEST-START | /html/canvas/offscreen/text/2d.text.measure.actualBoundingBox.whitespace.worker.html
[task 2025-04-23T13:55:16.415Z] 13:55:16     INFO - Closing window 037f5436-75ec-4dd4-8a67-53dfe11c6fd5
[task 2025-04-23T13:55:17.542Z] 13:55:17     INFO - PID 7040 | [WARN  glean_core::error_recording] memory.vsize: Sample is bigger than 1 terabyte
[task 2025-04-23T13:55:17.635Z] 13:55:17     INFO - PID 7040 | [Child 12080, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, NS_ERROR_INVALID_ARG) failed with result 0x80520012 (NS_ERROR_FILE_NOT_FOUND): file /builds/worker/checkouts/gecko/intl/l10n/L10nRegistry.cpp:385
[task 2025-04-23T13:55:17.819Z] 13:55:17     INFO - PID 7040 | [12080] Assertion failure: sInServoTraversal || NS_IsMainThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33
[task 2025-04-23T13:55:17.947Z] 13:55:17     INFO - STDOUT: Initializing stack-fixing for the first stack frame, this may take a while...
[task 2025-04-23T13:55:18.451Z] 13:55:18     INFO - Browser not responding, setting status to CRASH
[task 2025-04-23T13:55:18.455Z] 13:55:18     INFO - mozcrash Copy/paste: D:\task_174541533962969\fetches\minidump-stackwalk\minidump-stackwalk.exe --symbols-url=https://symbols.mozilla.org/ --cyborg=C:\Users\task_174541533962969\AppData\Local\Temp\tmp4rbrdk88\e77d5df8-15bc-42fb-878c-0de2f79be46a.trace C:\Users\task_174541533962969\AppData\Local\Temp\tmpnvu28_w0\minidumps\e77d5df8-15bc-42fb-878c-0de2f79be46a.dmp D:\task_174541533962969\build\symbols
[task 2025-04-23T13:55:30.847Z] 13:55:30     INFO - mozcrash Saved minidump as D:\task_174541533962969\build\blobber_upload_dir\e77d5df8-15bc-42fb-878c-0de2f79be46a.dmp
[task 2025-04-23T13:55:30.849Z] 13:55:30     INFO - mozcrash Saved app info as D:\task_174541533962969\build\blobber_upload_dir\e77d5df8-15bc-42fb-878c-0de2f79be46a.extra
[task 2025-04-23T13:55:31.131Z] 13:55:31     INFO - PROCESS-CRASH | MOZ_ASSERT(sInServoTraversal || NS_IsMainThread()) [@ mozilla::IsInServoTraversal] | /html/canvas/offscreen/text/2d.text.measure.actualBoundingBox.whitespace.worker.html 
[task 2025-04-23T13:55:31.131Z] 13:55:31     INFO - Process type: content
[task 2025-04-23T13:55:31.131Z] 13:55:31     INFO - Process pid: 12080
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - Mozilla crash reason: MOZ_ASSERT(sInServoTraversal || NS_IsMainThread())
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - Crash dump filename: C:\Users\task_174541533962969\AppData\Local\Temp\tmpnvu28_w0\minidumps\e77d5df8-15bc-42fb-878c-0de2f79be46a.dmp
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - Operating system: Windows NT
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO -                   10.0.26100
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - CPU: amd64
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO -      family 6 model 79 stepping 1
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO -      12 CPUs
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - 
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - Crash reason:  EXCEPTION_BREAKPOINT
[task 2025-04-23T13:55:31.132Z] 13:55:31     INFO - Crash address: 0x00007fff0a2fd6a6
[task 2025-04-23T13:55:31.133Z] 13:55:31     INFO - Crashing instruction: `int 0x3`
[task 2025-04-23T13:55:31.133Z] 13:55:31     INFO - No memory accessed by instruction
[task 2025-04-23T13:55:31.133Z] 13:55:31     INFO - No instruction pointer update by instruction
[task 2025-04-23T13:55:31.133Z] 13:55:31     INFO - Process uptime: 71 seconds
[task 2025-04-23T13:55:31.133Z] 13:55:31     INFO - 

The problem here occurs when the canvas worker thread encounters a CJK character, and needs to access the preferred fallback order to search the CJK font prefs. This is cached in gfxPlatformFontList::mCJKPrefLangs; but if it hasn't initialized this yet, then it'll try to read a couple of list-valued preferences (intl.accept-languages, font.cjk_pref_fallback_order), and that's not thread-safe.

A simple solution here should be to move mCJKPrefLangs into the FontPrefs object that we already use to cache the various font.name-list.* preferences (etc.) for off-main-thread access. Then it will be initialized together with the other font prefs, and available for the worker to use.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Whiteboard: [collect_confirm_failure]
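
The pattern discussed in the comment above, as an added example that is not part of the bug or of Gecko's code: a pref-backed cache filled lazily on a worker thread, beside a snapshot built once on the main thread. `PrefStore`, `LazyFontList`, `FontPrefsSnapshot`, the pref values and the simplified ordering logic are all hypothetical stand-ins.

```cpp
// Added illustration: simplified model, not Gecko code; names and pref values are hypothetical.
#include <algorithm>
#include <atomic>
#include <map>
#include <sstream>
#include <string>
#include <thread>
#include <vector>

static const std::thread::id kMainThread = std::this_thread::get_id();
using LangList = std::vector<std::string>;

struct PrefStore {  // stands in for a pref service that is main-thread-only
  std::map<std::string, std::string> values{
      {"intl.accept-languages", "ja,en-US"},
      {"font.cjk_pref_fallback_order", "zh-cn,zh-hk,zh-tw,ja,ko"}};
  std::atomic<int> offMainThreadReads{0};
  std::string Get(const std::string& name) {
    // A debug build would assert here; the model counts the violation instead.
    if (std::this_thread::get_id() != kMainThread) ++offMainThreadReads;
    auto it = values.find(name);
    return it == values.end() ? std::string() : it->second;
  }
};

// Simplified ordering: CJK entries of accept-languages first, then the fallback pref.
LangList BuildCJKOrder(PrefStore& prefs) {
  LangList out;
  for (const char* pref : {"intl.accept-languages", "font.cjk_pref_fallback_order"}) {
    std::istringstream in(prefs.Get(pref));
    for (std::string lang; std::getline(in, lang, ',');) {
      bool cjk = lang.rfind("ja", 0) == 0 || lang.rfind("ko", 0) == 0 || lang.rfind("zh", 0) == 0;
      if (cjk && std::find(out.begin(), out.end(), lang) == out.end()) out.push_back(lang);
    }
  }
  return out;
}

struct LazyFontList {  // "before": cache filled on first use, by whichever thread asks
  PrefStore& prefs;
  LangList cjk;
  const LangList& GetCJK() { if (cjk.empty()) cjk = BuildCJKOrder(prefs); return cjk; }
};
struct FontPrefsSnapshot {  // "after": immutable copy built once on the main thread
  const LangList cjk;
  explicit FontPrefsSnapshot(PrefStore& prefs) : cjk(BuildCJKOrder(prefs)) {}
};

int OffThreadReadsLazy() {  // the worker triggers the first-use initialization
  PrefStore prefs; LazyFontList list{prefs, {}};
  std::thread([&] { list.GetCJK(); }).join();
  return prefs.offMainThreadReads;
}
int OffThreadReadsSnapshot(LangList* seenByWorker) {
  PrefStore prefs; const FontPrefsSnapshot snap(prefs);  // built on the main thread
  std::thread([&] { *seenByWorker = snap.cjk; }).join();
  return prefs.offMainThreadReads;
}
```

With the lazy cache the worker performs both pref reads itself; with the snapshot it only copies data that was already resolved on the main thread.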
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/07eb5acbf0d7
Store CJK font-selection fallback order in the cached FontPrefs. r=gfx-reviewers,lsalzman

Pushed by abutkovits@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5069b2b0132d
Revert "Bug 1962172 - Store CJK font-selection fallback order in the cached FontPrefs. r=gfx-reviewers,lsalzman" for causing failures at accesskey.xhtml.

There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:jfkthame, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.

Flags: needinfo?(lsalzman)
Flags: needinfo?(jfkthame)
Flags: needinfo?(lsalzman)

This is also being reported by live site testing.

Update blocks for tracking.

Blocks: crash-scout
No longer blocks: site-scout
Whiteboard: [fuzzblocker]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jfkthame, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev caf560206ff2 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ fuzzfetch --build caf560206ff2 --debug --fuzzing -n firefox
    $ unzip testcase.zip -d testcase
    $ grizzly-replay ./firefox/firefox ./testcase

Assertion failure: sInServoTraversal || NS_IsMainThread(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33

    ==1714852==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7cdcefc15d0e bp 0x7cdc9766e220 sp 0x7cdc9766e200 T1714959)
    ==1714852==The signal is caused by a WRITE memory access.
    ==1714852==Hint: address points to the zero page.
        #0 0x7cdcefc15d0e in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x7cdcefc15d0e in IsInServoTraversal /builds/worker/workspace/obj-build/dist/include/mozilla/ServoUtils.h:33:3
        #2 0x7cdcefc15d0e in IsInServoTraversal /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleSet.h:120:45
        #3 0x7cdcefc15d0e in mozilla::Preferences::InitStaticMembers() /modules/libpref/Preferences.cpp:3883:3
        #4 0x7cdcefc0c0cf in mozilla::Preferences::HasUserValue(char const*) /modules/libpref/Preferences.cpp:5508:3
        #5 0x7cdcefd381b8 in mozilla::intl::LocaleService::GetAcceptLanguages(nsTSubstring<char>&) /intl/locale/LocaleService.cpp:741:7
        #6 0x7cdcf13787c5 in gfxPlatformFontList::AppendCJKPrefLangs(eFontPrefLang*, unsigned int&, eFontPrefLang, eFontPrefLang) /gfx/thebes/gfxPlatformFontList.cpp:2505:34
        #7 0x7cdcf1378360 in gfxPlatformFontList::GetLangPrefs(eFontPrefLang*, unsigned int&, eFontPrefLang, eFontPrefLang) /gfx/thebes/gfxPlatformFontList.cpp:2477:5
        #8 0x7cdcf139b4c9 in gfxFontGroup::WhichPrefFontSupportsChar(unsigned int, unsigned int, FontPresentation) /gfx/thebes/gfxTextRun.cpp:3865:8
        #9 0x7cdcf1396f10 in gfxFontGroup::FindFontForChar(unsigned int, unsigned int, unsigned int, mozilla::intl::Script, gfxFont*, FontMatchType*) /gfx/thebes/gfxTextRun.cpp:3502:26
        #10 0x7cdcf13b7073 in void gfxFontGroup::ComputeRanges<char16_t>(nsTArray<gfxFontGroup::TextRange>&, char16_t const*, unsigned int, mozilla::intl::Script, mozilla::gfx::ShapedTextFlags) /gfx/thebes/gfxTextRun.cpp:3645:11
        #11 0x7cdcf13b4043 in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, gfxMissingFontRecorder*) /gfx/thebes/gfxTextRun.cpp:2843:3
        #12 0x7cdcf139981a in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) /gfx/thebes/gfxTextRun.cpp:0:11
        #13 0x7cdcf1398f05 in already_AddRefed<gfxTextRun> gfxFontGroup::MakeTextRun<char16_t>(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) /gfx/thebes/gfxTextRun.cpp:2539:3
        #14 0x7cdcf31331af in MakeTextRun<char16_t> /builds/worker/workspace/obj-build/dist/include/gfxTextRun.h:992:12
        #15 0x7cdcf31331af in mozilla::dom::CanvasBidiProcessor::SetText(char16_t const*, int, mozilla::intl::BidiDirection) /dom/canvas/CanvasRenderingContext2D.cpp:4722:26
        #16 0x7cdcf5b81484 in nsBidiPresUtils::ProcessText(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, mozilla::intl::Bidi&) /layout/base/nsBidiPresUtils.cpp:2259:18
        #17 0x7cdcf309d19a in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:5126:12
        #18 0x7cdcf309e04d in mozilla::dom::CanvasRenderingContext2D::MeasureText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4608:10
        #19 0x7cdcf230f077 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:4128:78
        #20 0x7cdcf2f75b4d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #21 0x7cdcf699b8b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:490:13
        #22 0x7cdcf699b10f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #23 0x7cdcf69ac202 in CallFromStack /js/src/vm/Interpreter.cpp:658:10
        #24 0x7cdcf69ac202 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3272:16
        #25 0x7cdcf699a76a in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:460:13
        #26 0x7cdcf699b135 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:618:13
        #27 0x7cdcf699c55c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:685:8
        #28 0x7cdcf6a84d6b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #29 0x7cdcf2d36a15 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
        #30 0x7cdcf38a549b in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
        #31 0x7cdcf38a3fe2 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
        #32 0x7cdcf387f6a1 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1273:22
        #33 0x7cdcf38807f9 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1579:12
        #34 0x7cdcf38800e1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1484:35
        #35 0x7cdcf3874b7e in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #36 0x7cdcf3874b7e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #37 0x7cdcf387424c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:605:16
        #38 0x7cdcf3876a02 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1260:11
        #39 0x7cdcf387958a in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp:0:0
        #40 0x7cdcf384acfb in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:153:17
        #41 0x7cdcf38871d7 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /dom/events/EventTarget.cpp:215:9
        #42 0x7cdcf5198101 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /dom/workers/MessageEventRunnable.cpp:79:12
        #43 0x7cdcf51e307a in mozilla::dom::WorkerThreadRunnable::Run() /dom/workers/WorkerRunnable.cpp:440:12
        #44 0x7cdcefb97bf2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1158:16
        #45 0x7cdcefb9e31f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #46 0x7cdcf51d1af4 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3977:7
        #47 0x7cdcf51b4884 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2311:42
        #48 0x7cdcefb97bf2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1158:16
        #49 0x7cdcefb9e31f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #50 0x7cdcf078f6a8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #51 0x7cdcf06e9a31 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #52 0x7cdcf06e9a31 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #53 0x7cdcefb9382e in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:373:10
        #54 0x7cdd00cb23ac in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #55 0x7cdd00d56aa3 in start_thread ./nptl/pthread_create.c:447:8
        #56 0x7cdd00de3c6b in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78:0
    
    ==1714852==Register values:
    rax = 0x0000000000000000  rbx = 0x00007cdc9766e6d0  rcx = 0x0000000000000021  rdx = 0x00007cdd00ebe563
    rdi = 0x00007cdd00ebf700  rsi = 0x0000000000000000  rbp = 0x00007cdc9766e220  rsp = 0x00007cdc9766e200
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000002  r11 = 0x0000000000000293
    r12 = 0x000000000000001d  r13 = 0x0000000000000000  r14 = 0x00007cdcec4bcac1  r15 = 0x00005ba7a881f440
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20251119095727-fuzzing-debug/libxul.so+0x44e9d0e) (BuildId: d335436ffcbb6e1570451c1056f722cd396be0c1)
    ==1714852==ABORTING