Crash in gfxUserFontSet::OnLoadComplete

RESOLVED INCOMPLETE

Status

Status: RESOLVED INCOMPLETE
Importance: -- critical
Reported: 7 years ago
Modified: 2 years ago

People

(Reporter: scoobidiver, Unassigned)

Tracking

(Depends on: 1 bug, {crash})

Version: 10 Branch
Platform: ARM
OS: Android
Keywords: crash
Points: ---

Firefox Tracking Flags

(blocking-basecamp:-)

Details

(Whiteboard: [mobile-crash][native-crash], crash signature)

Description (Reporter, 7 years ago)
It's #8 top crasher in Fennec 10.0.
82% of crashes happen within one minute.

Signature 	arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate
UUID	e81bde41-e0a7-4b39-b8c1-08a582120201
Date Processed	2012-02-01 19:39:57
Process Type	content
Uptime	6
Install Age	9 seconds since version was first installed.
Install Time	2012-02-01 19:39:30
Product	Fennec
Version	10.0
Build ID	20120129020652
Release Channel	release
OS	Linux
OS Version	0.0.0 Linux 2.6.35.10-g9ac6c7a #1 PREEMPT Wed Sep 21 13:48:03 CST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
EGL? EGL+
AdapterVendorID: 75711, AdapterDeviceID: 225a9747.
AdapterDescription: 'Android, Model: 'HTC Desire S', Product: 'htc_saga', Manufacturer: 'HTC', Hardware: 'saga''.
Processor Notes 	WARNING: JSON file missing Add-ons
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libmozutils.so 	arena_dalloc 	memory/jemalloc/jemalloc.c:4526
1 	libmozutils.so 	__wrap_free 	memory/jemalloc/jemalloc.c:6497
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:97
3 	libxul.so 	std::__node_alloc::deallocate 	mozalloc.h:252
4 	libxul.so 	std::vector<short unsigned int, std::allocator<short unsigned int> >::~vector 	_alloc.h:323
5 	libxul.so 	ots::ots_gdef_parse 	gfx/ots/src/gdef.cc:102
6 	libxul.so 	ProcessGeneric 	gfx/ots/src/ots.cc:443
7 	libxul.so 	ots::Process 	gfx/ots/src/ots.cc:237
8 	libxul.so 	gfxUserFontSet::OnLoadComplete 	gfx/thebes/gfxUserFontSet.cpp:366
9 	libxul.so 	nsFontFaceLoader::OnStreamComplete 	layout/style/nsFontFaceLoader.cpp:245
10 	libxul.so 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
11 	libxul.so 	nsCORSListenerProxy::OnStopRequest 	content/base/src/nsCrossSiteListenerProxy.cpp:622
12 	libxul.so 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
13 	libxul.so 	mozilla::net::HttpChannelChild::OnStopRequest 	netwerk/protocol/http/HttpChannelChild.cpp:484
14 	libxul.so 	mozilla::net::HttpChannelChild::RecvOnStopRequest 	netwerk/protocol/http/HttpChannelChild.cpp:463
15 	libxul.so 	mozilla::net::PHttpChannelChild::OnMessageReceived 	obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:594
16 	libxul.so 	mozilla::dom::PContentChild::OnMessageReceived 	obj-firefox/ipc/ipdl/PContentChild.cpp:1368
17 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	ipc/glue/AsyncChannel.cpp:294
18 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:433
19 	libxul.so 	RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run 	ipc/chromium/src/base/tuple.h:383
20 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:464
21 	libxul.so 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:318
22 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/message_loop.cc:326
23 	libxul.so 	MessageLoop::DoWork 	ipc/chromium/src/base/message_loop.cc:426
24 	libxul.so 	mozilla::ipc::DoWorkRunnable::Run 	ipc/glue/MessagePump.cpp:70
25 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
26 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
27 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
28 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:229
29 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
30 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
31 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
32 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:685
33 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:215
34 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
35 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
36 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:524
37 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:705
38 	libplugin-container.so 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:68
39 	libc.so 	__libc_init 	
40 		@0xffffffc6 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc%20|%20__wrap_free%20|%20moz_free%20|%20std%3A%3A__node_alloc%3A%3Adeallocate
Comment 1 (Reporter, 7 years ago)
It's #6 top crasher in 10.0.2.
Updated (Reporter, 7 years ago)
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc]
Updated (Reporter, 7 years ago)
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0]
Summary: Crash in gfxUserFontSet::OnLoadComplete @ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate → Crash in gfxUserFontSet::OnLoadComplete
Updated (Reporter, 6 years ago)
Depends on: 741315
Updated (Reporter, 6 years ago)
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ new]
Whiteboard: [mobile-crash][startupcrash] → [mobile-crash][native-crash][startupcrash]
Comment 2 (Reporter, 6 years ago)
The topcrash keyword is for XUL Fennec.

Will it be fixed by bug 758858?
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ new] → [@ arena_dalloc | __wrap_free | moz_free | std::__node_alloc::deallocate] [@ huge_dalloc] [@ libmozutils.so@0x59a0] [@ libmozglue.so@0x6f29] [@ new]
Whiteboard: [mobile-crash][native-crash][startupcrash] → [mobile-crash][native-crash]
(In reply to Scoobidiver from comment #2)
> The topcrash keyword is for XUL Fennec.
> 
> Will it be fixed by bug 758858?

That's probable.
Updated (Reporter, 6 years ago)
Depends on: 758858
Valgrind reports this and a few others like it, when loading
www.gnome.org on Fennec.

Thread 13:
Mismatched free() / delete / delete []
   at 0x48061F0: __wrap__ZdlPv (vg_replace_malloc.c:494)
   by 0x2C0A3AA3: ots::ots_name_parse(ots::OpenTypeFile*, unsigned char const*, unsigned int) (_new.h:135)
   by 0x2C0A6269: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, ots::OTSStream*, unsigned char const*, unsigned int, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:559)
   by 0x2C0A7125: ots::Process(ots::OTSStream*, unsigned char const*, unsigned int, bool (*)(void*, char const*, ...), void*, bool) (ots.cc:266)
   by 0x2C056FD7: gfxUserFontSet::SanitizeOpenTypeData(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:376)
   by 0x2C057B2B: gfxUserFontSet::LoadFont(gfxProxyFontEntry*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:675)
   by 0x2C05832F: gfxUserFontSet::OnLoadComplete(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int) (gfxUserFontSet.cpp:472)
   by 0x2B8661AB: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned int, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:215)
   by 0x2B69BFA5: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamLoader.cpp:95)
   by 0x2B8F19AF: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsCrossSiteListenerProxy.cpp:604)
   by 0x2B69BD9D: nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamListenerTee.cpp:49)
   by 0x2B6F16E3: nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsHttpChannel.cpp:4483)
 Address 0x151c25a0 is 0 bytes inside a block of size 4,359 alloc'd
   at 0x48071D0: __wrap_malloc (vg_replace_malloc.c:275)
   by 0x2C8E072B: moz_xmalloc (mozalloc.cpp:54)
   by 0x2BE9D4DD: std::string::_M_reserve(unsigned int) (_new.h:134)
   by 0x2BE9D5D3: std::string::append(unsigned int, char) (_string.c:185)
   by 0x2C0A38DB: ots::ots_name_parse(ots::OpenTypeFile*, unsigned char const*, unsigned int) (_string.h:408)
   by 0x2C0A6269: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, ots::OTSStream*, unsigned char const*, unsigned int, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:559)
   by 0x2C0A7125: ots::Process(ots::OTSStream*, unsigned char const*, unsigned int, bool (*)(void*, char const*, ...), void*, bool) (ots.cc:266)
   by 0x2C056FD7: gfxUserFontSet::SanitizeOpenTypeData(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:376)
   by 0x2C057B2B: gfxUserFontSet::LoadFont(gfxProxyFontEntry*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:675)
   by 0x2C05832F: gfxUserFontSet::OnLoadComplete(gfxProxyFontEntry*, unsigned char const*, unsigned int, unsigned int) (gfxUserFontSet.cpp:472)
   by 0x2B8661AB: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned int, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:215)
   by 0x2B69BFA5: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (nsStreamLoader.cpp:95)
(In reply to Julian Seward from comment #4)
> Valgrind reports this and a few others like it, when loading
> www.gnome.org on Fennec.

Also on B2G (all startups), unsurprisingly.
blocking-basecamp: --- → ?
Until this becomes a real problem, we won't block on it.
blocking-basecamp: ? → -
Comment 8 (Reporter, 6 years ago)
It's not a top crasher in Firefox for Android.
Keywords: topcrash
I am closing this bug as incomplete since there have been zero reports in the last year with a current Fennec version. All reports seem to be isolated to Fennec 10. Please reopen this bug report if you can reproduce the crash with a current version.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE