Closed Bug 801624 Opened 13 years ago Closed 11 years ago

crash in gfxShapedWord::DetailedGlyphStore::Get

Categories

(Core :: Graphics: Text, defect)

Version: 18 Branch
Platform: All, Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox18 --- affected
firefox19 --- affected

People

(Reporter: scoobidiver, Assigned: jfkthame)

Details

(Keywords: crash)

Crash Data

There's a spike in crashes starting from 19.0a1/20121014. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=90857937b601&tochange=57304bbf9c0e

Signature gfxShapedWord::DetailedGlyphStore::Get(unsigned int)
UUID b8740093-2590-400a-8115-a11d92121015
Date Processed 2012-10-15 09:04:01
Uptime 219
Last Crash 1.7 weeks before submission
Install Age 2.6 hours since version was first installed.
Install Time 2012-10-15 06:28:44
Product Firefox
Version 19.0a1
Build ID 20121014030627
Release Channel nightly
OS Windows NT
OS Version 6.1.7600
Build Architecture x86
Build Architecture Info AuthenticAMD family 15 model 107 stepping 2
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0
App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x9610, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.970.100.3000
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility True
Adapter Vendor ID 0x1002
Adapter Device ID 0x9610
Total Virtual Memory 4294836224
Available Virtual Memory 3804536832
System Memory Use Percentage 31
Available Page File 5988827136
Available Physical Memory 2570620928

Frame Module Signature Source
0 xul.dll gfxShapedWord::DetailedGlyphStore::Get obj-firefox/dist/include/gfxFont.h:2223
1 xul.dll gfxTextRun::GetDetailedGlyphs obj-firefox/dist/include/gfxFont.h:2847
2 xul.dll gfxTextRun::GetAdvanceWidth gfx/thebes/gfxFont.cpp:5253
3 xul.dll nsFontMetrics::GetWidth gfx/src/nsFontMetrics.cpp:288
4 xul.dll nsLayoutUtils::GetStringWidth layout/base/nsLayoutUtils.cpp:3241
5 xul.dll nsTextBoxFrame::GetTextSize layout/xul/base/src/nsTextBoxFrame.cpp:963
6 xul.dll nsTextBoxFrame::GetPrefSize layout/xul/base/src/nsTextBoxFrame.cpp:1027
7 xul.dll nsSprocketLayout::GetPrefSize layout/xul/base/src/nsSprocketLayout.cpp:1331
8 xul.dll nsBoxFrame::GetPrefSize layout/xul/base/src/nsBoxFrame.cpp:757
9 xul.dll nsSprocketLayout::GetPrefSize layout/xul/base/src/nsSprocketLayout.cpp:1331
...
19 xul.dll nsBoxFrame::GetPrefSize layout/xul/base/src/nsBoxFrame.cpp:757
20 xul.dll nsSprocketLayout::PopulateBoxSizes layout/xul/base/src/nsSprocketLayout.cpp:748
21 xul.dll nsSprocketLayout::Layout layout/xul/base/src/nsSprocketLayout.cpp:214
22 xul.dll nsBoxFrame::DoLayout layout/xul/base/src/nsBoxFrame.cpp:900
23 xul.dll nsStackLayout::Layout layout/xul/base/src/nsStackLayout.cpp:340
24 xul.dll nsBoxFrame::DoLayout layout/xul/base/src/nsBoxFrame.cpp:900
25 xul.dll nsIFrame::Layout layout/xul/base/src/nsBox.cpp:510
26 xul.dll nsBoxFrame::Reflow layout/xul/base/src/nsBoxFrame.cpp:695
27 xul.dll nsContainerFrame::ReflowChild layout/generic/nsContainerFrame.cpp:942
28 xul.dll ViewportFrame::Reflow layout/generic/nsViewportFrame.cpp:210
29 xul.dll PresShell::DoReflow layout/base/nsPresShell.cpp:7424
30 xul.dll PresShell::ProcessReflowCommands layout/base/nsPresShell.cpp:7570
31 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:3872
32 xul.dll nsRefreshDriver::Notify layout/base/nsRefreshDriver.cpp:403
33 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:475
34 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:555
35 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:612
36 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82
37 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:208
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=gfxShapedWord%3A%3ADetailedGlyphStore%3A%3AGet%28unsigned+int%29
It's #5 top crasher in today's build. It's probably a regression from bug 505385. One comment says: "during downloads podcast"
Nope, this isn't the work of 505385.
I see ViewportFrame::Reflow on the stack. More likely due to 800668. +cc: jkew
(In reply to Jet Villegas (:jet) from comment #3)
> More likely due to 800668.
I don't think so because, first, bug 800668 is Mac specific, then it was uplifted in 18.0a2/20121017 while there are no crashes in Aurora.
Definitely not 800668; that's a Mac-only fix, and this is showing up on Windows. (When looking at the pushlog range from comment 0, don't overlook the 120-plus "hidden" changesets in the merges.) At a guess, this might be caused by a gfxTextRun use-after-free bug; we've seen a few of those lately, mostly found by fuzzing with ASAN, but they could manifest as actual crashes in the right (wrong?) circumstances.
(In reply to Jonathan Kew (:jfkthame) from comment #5)
> Definitely not 800668; that's a Mac-only fix, and this is showing up on
> Windows.
>
> (When looking at the pushlog range from comment 0, don't overlook the
> 120-plus "hidden" changesets in the merges.)
>
> At a guess, this might be caused by a gfxTextRun use-after-free bug; we've
> seen a few of those lately, mostly found by fuzzing with ASAN, but they
> could manifest as actual crashes in the right (wrong?) circumstances.
Are there any speculative or exploratory fixes that we could make, given a lack of STR?
Assignee: nobody → jfkthame
Crashes stopped after 19.0a1/20121022. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1c3e4cb1f754&tochange=48502b61a63e Sorry for the red herring, but crashes on the trunk are sometimes noisy and fixed before even getting investigated.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
There are 22 crashes on 19b4. Should it be reopened?
Status: RESOLVED → REOPENED
Keywords: regression, topcrash
Resolution: WORKSFORME → ---
Version: 19 Branch → 18 Branch
Looking at crash-stats for the last 4 weeks, I don't see any reports from any Firefox versions later than 19.0.2. So I suspect we've fixed whatever was triggering this, even if we're not sure exactly which bug it was. -> Resolved:WFM
Status: REOPENED → RESOLVED
Closed: 12 years ago → 11 years ago
Resolution: --- → WORKSFORME