Bug 1604800 Comment 22 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Marcia Knous [:marcia] from comment #0)
> Top 10 frames of crashing thread:
> 
> 0 XUL mozilla::gfx::AdjustedPattern::operator mozilla::gfx::Pattern* gfx/2d/DrawTargetWrapAndRecord.cpp:239
> 1 XUL mozilla::gfx::DrawTargetWrapAndRecord::FillRect gfx/2d/DrawTargetWrapAndRecord.cpp:309
> [snip]

Things go bad in the [GetSourceSurface](https://searchfox.org/mozilla-central/rev/68b2e0fd4323261a229233ec2ab8606228979141/gfx/2d/DrawTargetWrapAndRecord.cpp#240) call made by `AdjustedPattern::operator Pattern*` above. [GetSourceSurface](https://searchfox.org/mozilla-central/rev/68b2e0fd4323261a229233ec2ab8606228979141/gfx/2d/DrawTargetWrapAndRecord.cpp#130) casts to `SourceSurfaceWrapAndRecord` if the surface type is `SurfaceType::RECORDING`, but multiple C++ types claim to be of type `SurfaceType::RECORDING`. In the case of this crash, the surface is actually a `SourceSurfaceRecording` (another type claiming to be `SurfaceType::RECORDING` is `DataSourceSurfaceRecording`). The invalid pointer returned by `GetSourceSurface` is then addref'ed in the SurfacePattern constructor when it is assigned to the RefPtr mSurface, and we crash.

(In reply to Marcia Knous [:marcia] from comment #0)
> Top 10 frames of crashing thread:
> 
> 0 XUL mozilla::gfx::AdjustedPattern::operator mozilla::gfx::Pattern* gfx/2d/DrawTargetWrapAndRecord.cpp:239
> 1 XUL mozilla::gfx::DrawTargetWrapAndRecord::FillRect gfx/2d/DrawTargetWrapAndRecord.cpp:309
> [snip]

Things go bad in the [GetSourceSurface](https://searchfox.org/mozilla-central/rev/68b2e0fd4323261a229233ec2ab8606228979141/gfx/2d/DrawTargetWrapAndRecord.cpp#240) call made by `AdjustedPattern::operator Pattern*()` above. [GetSourceSurface](https://searchfox.org/mozilla-central/rev/68b2e0fd4323261a229233ec2ab8606228979141/gfx/2d/DrawTargetWrapAndRecord.cpp#130) casts to `SourceSurfaceWrapAndRecord` if the surface type is `SurfaceType::RECORDING`, but multiple C++ types claim to be of type `SurfaceType::RECORDING`. In the case of this crash, the surface is actually a `SourceSurfaceRecording` (another type claiming to be `SurfaceType::RECORDING` is `DataSourceSurfaceRecording`). The invalid pointer returned by `GetSourceSurface` is then addref'ed in the SurfacePattern constructor when it is assigned to the RefPtr mSurface, and we crash.
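
The mismatch described in this comment, as an added example that is not part of the bug comment or Gecko's code: the class names are reused as hypothetical stand-ins, and `SurfaceClass`, `GetClass()`, `TagIsAmbiguousFor` and `GetSourceSurfaceChecked` are assumptions introduced for illustration. It shows a downcast gated on per-class identity instead of on a tag that several classes share.

```cpp
#include <cstdint>

// Hypothetical stand-ins for the classes named in the comment; not Gecko code.
enum class SurfaceType : uint8_t { DATA, RECORDING };
// Assumed addition: one identity value per concrete class.
enum class SurfaceClass : uint8_t { Data, WrapAndRecord, Recording };

struct SourceSurface {
  virtual ~SourceSurface() = default;
  virtual SurfaceType GetType() const = 0;
  virtual SurfaceClass GetClass() const = 0;
};

struct DataSurface final : SourceSurface {
  SurfaceType GetType() const override { return SurfaceType::DATA; }
  SurfaceClass GetClass() const override { return SurfaceClass::Data; }
};

struct SourceSurfaceWrapAndRecord final : SourceSurface {
  explicit SourceSurfaceWrapAndRecord(SourceSurface* aFinal) : mFinalSurface(aFinal) {}
  SurfaceType GetType() const override { return SurfaceType::RECORDING; }
  SurfaceClass GetClass() const override { return SurfaceClass::WrapAndRecord; }
  SourceSurface* mFinalSurface;
};

// Shares the RECORDING tag but has a different layout (no mFinalSurface).
struct SourceSurfaceRecording final : SourceSurface {
  SurfaceType GetType() const override { return SurfaceType::RECORDING; }
  SurfaceClass GetClass() const override { return SurfaceClass::Recording; }
  uint32_t mRecordedId = 0;
};

// True when a cast keyed on GetType() alone would pick the wrong class.
bool TagIsAmbiguousFor(const SourceSurface* aSurface) {
  return aSurface->GetType() == SurfaceType::RECORDING &&
         aSurface->GetClass() != SurfaceClass::WrapAndRecord;
}

// Checked unwrap: downcast only when the concrete class is confirmed,
// otherwise hand back the surface untouched instead of a bogus pointer.
SourceSurface* GetSourceSurfaceChecked(SourceSurface* aSurface) {
  if (aSurface->GetClass() != SurfaceClass::WrapAndRecord) {
    return aSurface;
  }
  return static_cast<SourceSurfaceWrapAndRecord*>(aSurface)->mFinalSurface;
}
```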
