Closed Bug 643307 Opened 9 years ago Closed 9 years ago

Crash [@ nsThebesFontMetrics::GetMetrics ]

Categories: Core :: Graphics, defect, critical (ARM, Android; priority not set)

Status: VERIFIED FIXED

Tracking Status: fennec 4.0.1+

People: Reporter: scoobidiver, Assigned: dougt

Details: Keywords: crash, topcrash; Whiteboard: fixed-mozilla-2.1

Attachments: 2 files, 1 obsolete file

It is #6 top crasher in Fennec 4.0b6pre over the last 3 days.

Signature	nsThebesFontMetrics::GetMetrics
UUID	65738150-a62c-4fc4-930d-5da262110317
Time 	2011-03-17 21:02:32.926430
Uptime	24
Install Age	53808 seconds (14.9 hours) since version was first installed.
Product	Fennec
Version	4.0b6pre
Build ID	20110317040030
Branch	2.0
OS	Linux
OS Version	0.0.0 Linux 2.6.29 #1 PREEMPT Mon Nov 29 16:43:00 2010 armv7l
CPU	arm
Crash Reason	SIGSEGV
Crash Address	0xffffffff

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsThebesFontMetrics::GetMetrics 	gfx/src/thebes/nsThebesFontMetrics.cpp:112
1 	libxul.so 	nsThebesFontMetrics::GetExternalLeading 	gfx/src/thebes/nsThebesFontMetrics.cpp:190
2 	libxul.so 	nsHTMLReflowState::CalcLineHeight 	layout/generic/nsHTMLReflowState.cpp:2100
3 	libxul.so 	nsHTMLReflowState::CalcLineHeight 	layout/generic/nsHTMLReflowState.cpp:2160
4 	libxul.so 	nsBlockReflowState::nsBlockReflowState 	layout/generic/nsBlockReflowState.cpp:147
5 	libxul.so 	nsBlockFrame::Reflow 	layout/generic/nsIFrame.h:1282
6 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:744
7 	libxul.so 	nsCanvasFrame::Reflow 	layout/generic/nsCanvasFrame.cpp:498
8 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:744
9 	libxul.so 	nsHTMLScrollFrame::ReflowScrolledFrame 	layout/generic/nsGfxScrollFrame.cpp:547
10 	libxul.so 	nsHTMLScrollFrame::ReflowContents 	layout/generic/nsGfxScrollFrame.cpp:638
11 	libxul.so 	nsHTMLScrollFrame::Reflow 	layout/generic/nsGfxScrollFrame.cpp:879
12 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:744
13 	libxul.so 	ViewportFrame::Reflow 	layout/generic/nsViewportFrame.cpp:294
14 	libxul.so 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7880
15 	libxul.so 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:7984
16 	libxul.so 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4913
17 	libxul.so 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:327
18 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:429
19 	libxul.so 	nsTimerEvent::Run 	nsAutoPtr.h:969
20 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
21 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
22 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
23 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
24 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
25 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
26 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
27 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:678
28 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
29 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
30 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
31 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
32 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:797
33 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
34 	libc.so 	libc.so@0xc23a 	

More reports at:
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=nsThebesFontMetrics%3A%3AGetMetrics
Attached patch: patch (obsolete)
Stuart, I'm asking for your review because you objected to this null check in bug 462908. I'm of the mind that it's better to get bogus metrics and move on than to crash.
Assignee: nobody → blassey.bugs
Attachment #521317 - Flags: review?(pavlov)
tracking-fennec: --- → ?
I still don't understand how we end up with 0 fonts in the list
(In reply to comment #2)
> I still don't understand how we end up with 0 fonts in the list

No one does. There are no steps to reproduce, but I'd like to stop the crashing. I can add an NS_ABORT_IF_FALSE(f, "there are no fonts") in there so we can catch the condition in the future.
Sorry if this is a distraction... Are we absolutely sure that the IPC serialization of the font list happens before the use of any font in the child?
Given the distribution of uptimes (between 7 and >1000) I don't think that's the issue here.
Are those in ms or seconds?
Seconds, I believe.
Whiteboard: [4.0.1?]
Comment on attachment 521317 [details] [diff] [review]
patch

I don't want to patch over something that alerts us when something is really wrong here. We need to get to the root of the problem.
Attachment #521317 - Flags: review?(pavlov) → review-
tracking-fennec: ? → 4.0.1+
It is #2 top crasher in 4.0.
Keywords: topcrash
I landed http://hg.mozilla.org/mozilla-central/rev/7ccb164032a0 which might be related.
Mozilla/5.0 (Android; Linux armv71; rv:2.1) Gecko20110318 Firefox/4.0b13pre Fennec/4.0
Device: Droid 2
OS: Android 2.2

Steps to Reproduce :
1. set Fennec to Japanese
2. go to about:start
3. pan down and click on the Spark link

Expected: Spark Page in Japanese
Actual: Content Crash with this crash signature.
(In reply to comment #11)
> Mozilla/5.0 (Android; Linux armv71; rv:2.1) Gecko20110318 Firefox/4.0b13pre
> Fennec/4.0
> Device: Droid 2
> OS: Android 2.2

Also reproduced with Firefox 4.0 final on Nexus One and Galaxy Tab but not on Sharp 003SH.
This was not reproduced when I tested with Firefox 4.0 final (rc build3) on Nexus One last week (spark.allizom.org).
Attached patch: patch v.1
Assignee: blassey.bugs → doug.turner
Attachment #521317 - Attachment is obsolete: true
Attachment #522750 - Flags: review?(blassey.bugs)
simple testcase with @font-face rule
Attachment #522750 - Flags: review?(blassey.bugs) → review+
http://hg.mozilla.org/releases/mozilla-2.1/rev/b984f48a5c07

dynamis, thanks for the test case! Would you be interested in adding it to the test suite?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [4.0.1?] → fixed-mozilla-2.1
Verified with Nexus One:
Mozilla/5.0 (Android; Linux armv7l; rv:2.2a1pre) Gecko/20110330 Firefox/4.2a1pre Fennec/4.1a1pre ID:20110330050403

(In reply to comment #16)
> dynamis, thanks for the test case!  would you be interested in adding it to the
> test suite?

Fennec will crash with this testcase only if the locale is ja. I don't know how to switch locale in the test suite.
# AFAIK we run test suite only with en-US
If you think that it's better than nothing even if we test only with en-US, we should add it to the test suite.
Status: RESOLVED → VERIFIED
Thanks for the info and the test case. It was very helpful. I only wish we found it like, oh, 72 hours before we shipped 4.0. :D It will be in the 4.0.1 release.

Tony, can you add something like this to litmus?
Flags: in-testsuite?
Sure, will get it into queue. Feel free to flag any bugs for litmus tests if you ever see any that need one. (in-litmus?)
Flags: in-litmus?(nhirata.bugzilla)
Verified

Mozilla/5.0 (Android; Linux armv7l; rv:6.0a1) Gecko/20110419 Firefox/6.0a1
Fennec/6.0a1 ID:20110419042214

Mozilla/5.0 (Android; Linux armv7l; rv:2.1.1) Gecko/20110415 Firefox/4.0.2pre
Fennec/4.0.1 ID:20110415172201
Crash Signature: [@ nsThebesFontMetrics::GetMetrics ]
Spark is over; can't test this out anymore: spark.mozilla.org/en-US/home shows up horribly though. Need to dissect the webpage to figure out what's going on.
Flags: in-litmus?(nhirata.bugzilla) → in-litmus-
Flags: in-testsuite? → in-testsuite-