Closed Bug 636293 Opened 14 years ago Closed 14 years ago

"Invalid read of size 8: FT_Done_Face" followed by crashes during shutdown in --disable-pango builds

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 605009

People

(Reporter: cjones, Assigned: cjones)

Details

Attachments

(1 file)

I'm not sure how much we care about this configuration, but I'll poke a bit and see if this might be a more general bug.  (Not spending too much time though.)

==5070== Invalid read of size 8
==5070==    at 0xB7AD099: FT_Done_Face (in /usr/lib/libfreetype.so.6.6.0)
==5070==    by 0x7DEF73A: FTUserFontData::~FTUserFontData() (gfxFT2Fonts.cpp:154)
==5070==    by 0x7DEC14B: FTFontDestroyFunc(void*) (gfxFT2Fonts.cpp:169)
==5070==    by 0x82069A2: _cairo_user_data_array_fini (cairo-array.c:389)
==5070==    by 0x820AC37: _moz_cairo_font_face_destroy (cairo-font-face.c:141)
==5070==    by 0x826278D: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:554)
==5070==    by 0x820AE4B: _cairo_unscaled_font_destroy (cairo-font-face.c:287)
==5070==    by 0x8264BA9: _cairo_ft_scaled_font_fini (cairo-ft-font.c:1668)
==5070==    by 0x82282D7: _cairo_scaled_font_fini_internal (cairo-scaled-font.c:836)
==5070==    by 0x822837E: _cairo_scaled_font_fini (cairo-scaled-font.c:863)
==5070==    by 0x82274B7: _cairo_scaled_font_map_destroy (cairo-scaled-font.c:415)
==5070==    by 0x820A866: _moz_cairo_debug_reset_static_data (cairo-debug.c:64)
==5070==    by 0x7DCBFF2: gfxPlatform::~gfxPlatform() (gfxPlatform.cpp:377)
==5070==    by 0x7DF49AD: gfxPlatformGtk::~gfxPlatformGtk() (gfxPlatformGtk.cpp:160)
==5070==    by 0x7DCBFAE: gfxPlatform::Shutdown() (gfxPlatform.cpp:364)
==5070==    by 0x78E8723: nsThebesGfxModuleDtor() (nsThebesGfxFactory.cpp:136)
==5070==    by 0x7CA310C: nsComponentManagerImpl::KnownModule::~KnownModule() (nsComponentManager.h:204)
==5070==    by 0x7CA6F20: nsAutoPtr<nsComponentManagerImpl::KnownModule>::~nsAutoPtr() (nsAutoPtr.h:104)
==5070==    by 0x7CA6DA0: nsTArrayElementTraits<nsAutoPtr<nsComponentManagerImpl::KnownModule> >::Destruct(nsAutoPtr<nsComponentManagerImpl::KnownModule>*) (nsTArray.h:279)
==5070==    by 0x7CA67A4: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) (nsTArray.h:1106)
==5070==    by 0x7CA57B9: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) (nsTArray.h:834)
==5070==    by 0x7CA4140: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::Clear() (nsTArray.h:845)
==5070==    by 0x7C9FB89: nsComponentManagerImpl::Shutdown() (nsComponentManager.cpp:1018)
==5070==    by 0x7C45DB0: mozilla::ShutdownXPCOM(nsIServiceManager*) (nsXPComInit.cpp:726)
==5070==    by 0x7C457F9: NS_ShutdownXPCOM_P (nsXPComInit.cpp:594)
==5070==    by 0x63FD72F: ScopedXPCOMStartup::~ScopedXPCOMStartup() (nsAppRunner.cpp:1115)
==5070==    by 0x6406664: XRE_main (nsAppRunner.cpp:3811)
==5070==    by 0x401131: main (nsBrowserApp.cpp:155)
==5070==  Address 0x1e8387e0 is 176 bytes inside a block of size 1,384 free'd
==5070==    at 0x4C27D71: free (vg_replace_malloc.c:366)
==5070==    by 0x7CE6F4A: free (nsTraceMalloc.c:1303)
==5070==    by 0xB7AD127: FT_Done_Face (in /usr/lib/libfreetype.so.6.6.0)
==5070==    by 0xB7AFE08: FT_Done_Library (in /usr/lib/libfreetype.so.6.6.0)
==5070==    by 0xB7A819D: FT_Done_FreeType (in /usr/lib/libfreetype.so.6.6.0)
==5070==    by 0x7DF4996: gfxPlatformGtk::~gfxPlatformGtk() (gfxPlatformGtk.cpp:149)
==5070==    by 0x7DCBFAE: gfxPlatform::Shutdown() (gfxPlatform.cpp:364)
==5070==    by 0x78E8723: nsThebesGfxModuleDtor() (nsThebesGfxFactory.cpp:136)
==5070==    by 0x7CA310C: nsComponentManagerImpl::KnownModule::~KnownModule() (nsComponentManager.h:204)
==5070==    by 0x7CA6F20: nsAutoPtr<nsComponentManagerImpl::KnownModule>::~nsAutoPtr() (nsAutoPtr.h:104)
==5070==    by 0x7CA6DA0: nsTArrayElementTraits<nsAutoPtr<nsComponentManagerImpl::KnownModule> >::Destruct(nsAutoPtr<nsComponentManagerImpl::KnownModule>*) (nsTArray.h:279)
==5070==    by 0x7CA67A4: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) (nsTArray.h:1106)
==5070==    by 0x7CA57B9: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) (nsTArray.h:834)
==5070==    by 0x7CA4140: nsTArray<nsAutoPtr<nsComponentManagerImpl::KnownModule>, nsTArrayDefaultAllocator>::Clear() (nsTArray.h:845)
==5070==    by 0x7C9FB89: nsComponentManagerImpl::Shutdown() (nsComponentManager.cpp:1018)
==5070==    by 0x7C45DB0: mozilla::ShutdownXPCOM(nsIServiceManager*) (nsXPComInit.cpp:726)
==5070==    by 0x7C457F9: NS_ShutdownXPCOM_P (nsXPComInit.cpp:594)
==5070==    by 0x63FD72F: ScopedXPCOMStartup::~ScopedXPCOMStartup() (nsAppRunner.cpp:1115)
==5070==    by 0x6406664: XRE_main (nsAppRunner.cpp:3811)
==5070==    by 0x401131: main (nsBrowserApp.cpp:155)
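
The trace above shows the same FT_Face freed once by FT_Done_FreeType (from gfxPlatformGtk::~gfxPlatformGtk) and then read again by FT_Done_Face from cairo's user-data destructor. As an added example, not code from this bug, Mozilla or FreeType, here is a toy C model of that ordering hazard with the two shutdown orders side by side; Library, Face, face_done, lib_done and run_shutdown are all hypothetical stand-ins for the FreeType objects and calls named in the trace:

```c
/* Added example, not code from this bug, Mozilla or FreeType: a toy model of the
 * shutdown-ordering use-after-free in the Valgrind report. Library stands for the
 * FT_Library, Face for an FT_Face, and the "user data" release for cairo calling
 * FTUserFontData::~FTUserFontData -> FT_Done_Face. face_done() checks the handle
 * against the library's table instead of dereferencing freed memory, so a stale
 * release is counted rather than being undefined behaviour. */
#include <stdlib.h>

typedef struct Face { int id; } Face;
typedef struct Library { Face *faces[8]; int nfaces; } Library;

/* Like FT_New_Face: the library owns the face until it is released. */
Face *face_new(Library *lib, int id) {
    if (lib->nfaces >= 8) return NULL;
    Face *f = malloc(sizeof *f);
    f->id = id;
    lib->faces[lib->nfaces++] = f;
    return f;
}

/* Like FT_Done_Face, but returns 1 for a stale handle instead of freeing twice. */
int face_done(Library *lib, Face *f) {
    for (int i = 0; i < lib->nfaces; i++) {
        if (lib->faces[i] == f) {
            free(f);
            lib->faces[i] = lib->faces[--lib->nfaces];
            return 0;
        }
    }
    return 1; /* stale: lib_done() already freed this face */
}

/* Like FT_Done_FreeType: tears down every face the library still owns. */
void lib_done(Library *lib) {
    while (lib->nfaces > 0) free(lib->faces[--lib->nfaces]);
}

/* Shuts down two faces held by "user data" and returns the count of stale releases.
 * library_first != 0 reproduces the report: FT_Done_FreeType runs from
 * gfxPlatformGtk::~gfxPlatformGtk() before cairo's destructors call FT_Done_Face. */
int run_shutdown(int library_first) {
    Library lib = {0};
    Face *held[2] = { face_new(&lib, 1), face_new(&lib, 2) };
    int stale = 0;
    if (library_first) lib_done(&lib);            /* frees both faces too early */
    for (int i = 0; i < 2; i++) stale += face_done(&lib, held[i]);
    lib_done(&lib);                               /* no-op once faces are released */
    return stale;                                 /* 2 in the buggy order, 0 in the fix */
}
```

In the real code there is no handle table to consult, which is why the second FT_Done_Face reads freed memory and Valgrind reports the "Invalid read" rather than FreeType returning an error.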

I suspect this might not be the patch we want, because I also see

WARNING: Fonts still alive while shutting down gfxFontCache: 'mFonts.Count() == 0', file /home/cjones/mozilla/mozilla-central/gfx/thebes/gfxFont.h, line 636

in the log.
Assignee: nobody → jones.chris.g
Attachment #514647 - Flags: feedback?(karlt)
At a glance, this looks like it's probably a dup of bug 605009.
Yep.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment on attachment 514647
Don't double-free freetype stuff

(Assuming feedback? is obsoleted by bug 605009)
Attachment #514647 - Flags: feedback?(karlt)