Closed Bug 724869 Opened 14 years ago Closed 9 years ago

Crash in gfxUserFontSet::OnLoadComplete

Categories: Core :: Graphics, defect
Version: 10 Branch
Platform: ARM, Android
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED INCOMPLETE, blocking-basecamp -

People: Reporter: scoobidiver, Unassigned

References: Depends on 1 open bug

Details: Keywords: crash, Whiteboard: [mobile-crash][native-crash]

It's #8 top crasher in Fennec 10.0. 82% of crashes happen within one minute.

Signature: arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate
UUID: e81bde41-e0a7-4b39-b8c1-08a582120201
Date Processed: 2012-02-01 19:39:57
Process Type: content
Uptime: 6
Install Age: 9 seconds since version was first installed.
Install Time: 2012-02-01 19:39:30
Product: Fennec
Version: 10.0
Build ID: 20120129020652
Release Channel: release
OS: Linux
OS Version: 0.0.0 Linux 2.6.35.10-g9ac6c7a #1 PREEMPT Wed Sep 21 13:48:03 CST 2011 armv7l
Build Architecture: arm
Build Architecture Info:
Crash Reason: SIGSEGV
Crash Address: 0x0
App Notes: EGL? EGL+ AdapterVendorID: 75711, AdapterDeviceID: 225a9747. AdapterDescription: 'Android, Model: 'HTC Desire S', Product: 'htc_saga', Manufacturer: 'HTC', Hardware: 'saga''.
Processor Notes: WARNING: JSON file missing
Add-ons EMCheckCompatibility: True

Frame  Module  Signature  Source
0  libmozutils.so  arena_dalloc  memory/jemalloc/jemalloc.c:4526
1  libmozutils.so  __wrap_free  memory/jemalloc/jemalloc.c:6497
2  libmozalloc.so  moz_free  memory/mozalloc/mozalloc.cpp:97
3  libxul.so  std::__node_alloc::deallocate  mozalloc.h:252
4  libxul.so  std::vector<short unsigned int, std::allocator<short unsigned int> >::~vector  _alloc.h:323
5  libxul.so  ots::ots_gdef_parse  gfx/ots/src/gdef.cc:102
6  libxul.so  ProcessGeneric  gfx/ots/src/ots.cc:443
7  libxul.so  ots::Process  gfx/ots/src/ots.cc:237
8  libxul.so  gfxUserFontSet::OnLoadComplete  gfx/thebes/gfxUserFontSet.cpp:366
9  libxul.so  nsFontFaceLoader::OnStreamComplete  layout/style/nsFontFaceLoader.cpp:245
10  libxul.so  nsStreamLoader::OnStopRequest  netwerk/base/src/nsStreamLoader.cpp:125
11  libxul.so  nsCORSListenerProxy::OnStopRequest  content/base/src/nsCrossSiteListenerProxy.cpp:622
12  libxul.so  nsHTTPCompressConv::OnStopRequest  netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
13  libxul.so  mozilla::net::HttpChannelChild::OnStopRequest  netwerk/protocol/http/HttpChannelChild.cpp:484
14  libxul.so  mozilla::net::HttpChannelChild::RecvOnStopRequest  netwerk/protocol/http/HttpChannelChild.cpp:463
15  libxul.so  mozilla::net::PHttpChannelChild::OnMessageReceived  obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:594
16  libxul.so  mozilla::dom::PContentChild::OnMessageReceived  obj-firefox/ipc/ipdl/PContentChild.cpp:1368
17  libxul.so  mozilla::ipc::AsyncChannel::OnDispatchMessage  ipc/glue/AsyncChannel.cpp:294
18  libxul.so  mozilla::ipc::RPCChannel::OnMaybeDequeueOne  ipc/glue/RPCChannel.cpp:433
19  libxul.so  RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run  ipc/chromium/src/base/tuple.h:383
20  libxul.so  mozilla::ipc::RPCChannel::DequeueTask::Run  RPCChannel.h:464
21  libxul.so  MessageLoop::RunTask  ipc/chromium/src/base/message_loop.cc:318
22  libxul.so  MessageLoop::DeferOrRunPendingTask  ipc/chromium/src/base/message_loop.cc:326
23  libxul.so  MessageLoop::DoWork  ipc/chromium/src/base/message_loop.cc:426
24  libxul.so  mozilla::ipc::DoWorkRunnable::Run  ipc/glue/MessagePump.cpp:70
25  libxul.so  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:631
26  libxul.so  NS_ProcessNextEvent_P  obj-firefox/xpcom/build/nsThreadUtils.cpp:245
27  libxul.so  mozilla::ipc::MessagePump::Run  ipc/glue/MessagePump.cpp:110
28  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:229
29  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:208
30  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:201
31  libxul.so  nsBaseAppShell::Run  widget/src/xpwidgets/nsBaseAppShell.cpp:189
32  libxul.so  XRE_RunAppShell  toolkit/xre/nsEmbedFunctions.cpp:685
33  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:215
34  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:208
35  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:201
36  libxul.so  XRE_InitChildProcess  toolkit/xre/nsEmbedFunctions.cpp:524
37  libmozutils.so  ChildProcessInit  other-licenses/android/APKOpen.cpp:705
38  libplugin-container.so  main  ipc/app/MozillaRuntimeMainAndroid.cpp:68
39  libc.so  __libc_init
40  @0xffffffc6

More reports at: https://crash-stats.mozilla.com/report/list?signature=arena_dalloc%20|%20__wrap_free%20|%20moz_free%20|%20std%3A%3A__node_alloc%3A%3Adeallocate
It's #6 top crasher in 10.0.2.
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc]
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0]
Summary: Crash in gfxUserFontSet::OnLoadComplete @ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate → Crash in gfxUserFontSet::OnLoadComplete
Depends on: 741315
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ new]
Whiteboard: [mobile-crash][startupcrash] → [mobile-crash][native-crash][startupcrash]
The topcrash keyword is for XUL Fennec. Will it be fixed by bug 758858?
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ new] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ libmozglue.so@0x6f29] [@ new]
Whiteboard: [mobile-crash][native-crash][startupcrash] → [mobile-crash][native-crash]
(In reply to Scoobidiver from comment #2)
> The topcrash keyword is for XUL Fennec.
>
> Will it be fixed by bug 758858?

That's probable.
Depends on: 758858
Valgrind reports this and a few others like it, when loading www.gnome.org on Fennec.

Thread 13:
Mismatched free() / delete / delete []
   at 0x48061F0: __wrap__ZdlPv (vg_replace_malloc.c:494)
   by 0x2C0A3AA3: ots::ots_name_parse(ots::OpenTypeFile*, unsigned char const*, unsigned int) (_new.h:135)
   by 0x2C0A6269: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, ots::OTSStream*, unsigned char const*, unsigned int, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:559)
   by 0x2C0A7125: ots::Process(ots::OTSStream*, unsigned char const*, unsigned int, bool (*)(void*, char const*, ...), void*, bool) (ots.cc:266)
   by 0x2C056FD7: gfxUserFontSet::SanitizeOpenTypeData(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:376)
   by 0x2C057B2B: gfxUserFontSet::LoadFont(gfxProxyFontEntry*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:675)
   by 0x2C05832F: gfxUserFontSet::OnLoadComplete(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int) (gfxUserFontSet.cpp:472)
   by 0x2B8661AB: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned int, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:215)
   by 0x2B69BFA5: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamLoader.cpp:95)
   by 0x2B8F19AF: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsCrossSiteListenerProxy.cpp:604)
   by 0x2B69BD9D: nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamListenerTee.cpp:49)
   by 0x2B6F16E3: nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsHttpChannel.cpp:4483)
 Address 0x151c25a0 is 0 bytes inside a block of size 4,359 alloc'd
   at 0x48071D0: __wrap_malloc (vg_replace_malloc.c:275)
   by 0x2C8E072B: moz_xmalloc (mozalloc.cpp:54)
   by 0x2BE9D4DD: std::string::_M_reserve(unsigned int) (_new.h:134)
   by 0x2BE9D5D3: std::string::append(unsigned int, char) (_string.c:185)
   by 0x2C0A38DB: ots::ots_name_parse(ots::OpenTypeFile*, unsigned char const*, unsigned int) (_string.h:408)
   by 0x2C0A6269: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, ots::OTSStream*, unsigned char const*, unsigned int, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:559)
   by 0x2C0A7125: ots::Process(ots::OTSStream*, unsigned char const*, unsigned int, bool (*)(void*, char const*, ...), void*, bool) (ots.cc:266)
   by 0x2C056FD7: gfxUserFontSet::SanitizeOpenTypeData(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:376)
   by 0x2C057B2B: gfxUserFontSet::LoadFont(gfxProxyFontEntry*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:675)
   by 0x2C05832F: gfxUserFontSet::OnLoadComplete(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int) (gfxUserFontSet.cpp:472)
   by 0x2B8661AB: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned int, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:215)
   by 0x2B69BFA5: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamLoader.cpp:95)
(In reply to Julian Seward from comment #4)
> Valgrind reports this and a few others like it, when loading
> www.gnome.org on Fennec.

Also on B2G (all startups), unsurprisingly.
blocking-basecamp: --- → ?
Until this becomes a real problem, we won't block on it.
blocking-basecamp: ? → -
It's not a top crasher in Firefox for Android.
Keywords: topcrash
I am closing this bug as incomplete since there have been zero reports in the last year with a current Fennec version. All reports seem to be isolated to Fennec 10. Please reopen this bug report if you can reproduce the crash with a current version.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE