B2G crash during opening marketplace in gfxFT2LockedFace::XScale
(Reporter: gwagner, Assigned: jfkthame)
(1 attachment)
7 years ago
Debug-gecko build of github-mc (https://github.com/mozilla-b2g/mozilla-central/commit/d6b79007ddbf1f9a6c5b1de4197947da343f9981) on SGS2 after opening the marketplace. 
The screen shows Communicating with server.
Maybe some memory corruption? aString=0xbeb4f1a8 "Emai\220\266"

Full BT: http://pastebin.mozilla.org/1699718

Joe, can you help triage this?
Assignee: nobody → joe

Trying jfkthame :)
Assignee: joe → jfkthame

Comment 4

7 years ago
I don't have a B2G environment set up to try and debug this... Seems like the first thing to figure out is how the string "Email" got corrupted, as seen in frame #7 etc:

#7  0x40a4921a in MakeTextRun<unsigned char> (aText=0xbeb4f1a8 "Emai\220\266", aLength=5, aFontGroup=0x1a61a58, aParams=0xbeb4f054, aFlags=17826080) at /Volumes/2mac/sgs/B2G/gecko/layout/generic/nsTextFrameThebes.cpp:534

Whatever stomped on the "l" of "Email" may well have done other damage as well.

A question (perhaps answerable by inspecting stuff in the debugger): was it just the string in the buffer being collected by BuildTextRunsScanner::BuildTextRunForFrames that got corrupted, or had the content already been damaged within the content node's text fragment?
If this is a problem with FreeType, could it be reproduced in Firefox for Android? But then we don't have the same marketplace there. If this is random memory corruption, it might have nothing to do with this code. We really need a reliable testcase.
Keywords: testcase-wanted

Gregor, can you reproduce in a desktop b2g build, or even FF?

Comment 7

7 years ago
It seems to be fixed. I can't reproduce it on the device any more.
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME


3 years ago
Group: core-security → core-security-release
Keywords: testcase-wanted
Group: core-security-release