Closed Bug 320430 Opened 19 years ago Closed 2 years ago

Blue Screen triggered under [@ nsNativeThemeWin::DrawWidgetBackground]

Product/Component: Core :: Widget: Win32 (defect)
Version: 1.8 Branch
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: timeless
Assignee: Unassigned
Keywords: crash
Whiteboard: tpi:-
Attachments: 1 file

yes, i know this is an os problem. i'm posting it here to enable me to track it.

internal vendor build id: 1744. gecko branch: 1.8

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fe87c790, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804e70d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  fe87c790 

FAULTING_IP: 
nt!MiLocateAndReserveWsle+52
804e70d5 8b0490           mov     eax,[eax+edx*4]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from bf83a167 to 804d9da8

TRAP_FRAME:  b3b1d100 -- (.trap ffffffffb3b1d100)
ErrCode = 00000002
eax=e28514c8 ebx=bceb61b8 ecx=00000013 edx=00000000 esi=e285147c edi=bceb61b8
eip=804d9da8 esp=b3b1d174 ebp=b3b1d17c iopl=0         nv up ei pl nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memmove+0x33:
804d9da8 f3a5            rep  movsd ds:e285147c=00eeede5 es:bceb61b8=00000000
Resetting default scope

STACK_TEXT:  
b3b1d17c bf83a167 bceb61b8 e285147c 0000004c nt!memmove+0x33
b3b1d1a0 bf839e20 0000003a b3b1d73c b3b1d430 win32k!vSrcCopyS32D32Identity+0x5b
b3b1d3b4 bf81768b e283a018 00000000 00000000 win32k!EngCopyBits+0x51a
b3b1d3f4 bf817bd2 e2688010 e2843010 00000000 win32k!SURFREFAPI::SURFREFAPI+0x149
b3b1d480 bf81797a e283a018 e2688010 00000000 win32k!SURFREFAPI::SURFREFAPI+0x37a
b3b1d4e0 bf817ea6 e283a018 e2688010 00000000 win32k!EngNineGrid+0x6e
b3b1d53c bf818300 e283a018 e2688010 00000000 win32k!EngDrawStream+0xc5
b3b1d5a0 bf8186e7 b3b1d6c4 00000000 e2688000 win32k!NtGdiDrawStreamInternal+0x1ff
b3b1d6c8 bf817f8b 090113c6 00000000 00000000 win32k!GreDrawStream+0x4ff
b3b1d810 804de7ec 090113c6 00000060 0012d578 win32k!NtGdiDrawStream+0x9f
b3b1d810 7c90eb94 090113c6 00000060 0012d578 nt!KiFastCallEntry+0xf8
0012d3ec 77f16c25 77f16c0f 090113c6 00000060 ntdll!KiFastSystemCallRet
0012d4f4 5ad72b54 090113c6 00000060 0012d578 GDI32!NtGdiDrawStream+0xc
0012d770 5ad728d4 009ba2bc 009b6c6c 00000001 uxtheme!CImageFile::DrawBackgroundDS+0x3ac
0012d7e8 5ad7278c 009ba2bc 00289200 090113c6 uxtheme!CImageFile::DrawImageInfo+0x1be
0012d838 5ad72cd8 00289200 090113c6 00000001 uxtheme!CImageFile::DrawBackground+0x45
0012d894 00d53ac2 00289200 090113c6 00000006 uxtheme!DrawThemeBackground+0x102
0012d910 00d95dab 01db1408 0a657590 0af9c5b4 gkgfxwin!nsNativeThemeWin::DrawWidgetBackground+0x132 [c:\build\chs3\build\mozilla\gfx\src\windows\nsnativethemewin.cpp @ 716]
0012d9e4 00d96349 0b00d7a8 0a657590 0af9c5b4 gklayout!nsCSSRendering::PaintBackgroundWithSC+0x86 [c:\build\chs3\build\mozilla\layout\base\nscssrendering.cpp @ 2825]
0012da38 00da2fef 0b00d7a8 0a657590 0af9c5b4 gklayout!nsCSSRendering::PaintBackground+0x82 [c:\build\chs3\build\mozilla\layout\base\nscssrendering.cpp @ 2748]
0012da8c 00e33a8b 0b00d7a8 0a657590 0012db28 gklayout!nsFrame::PaintSelf+0x97 [c:\build\chs3\build\mozilla\layout\generic\nsframe.cpp @ 947]
0012dab4 00d865c5 0af9c5b4 0b00d7a8 0a657590 gklayout!nsBoxFrame::Paint+0x41 [c:\build\chs3\build\mozilla\layout\xul\base\src\nsboxframe.cpp @ 1415]
0012dae4 00ebdd39 00000000 08142730 0a657590 gklayout!PresShell::Paint+0x4d [c:\build\chs3\build\mozilla\layout\base\nspresshell.cpp @ 5806]
0012db00 00eb8da2 0b014a28 0a657590 0012db28 gklayout!nsView::Paint+0x3e [c:\build\chs3\build\mozilla\view\src\nsview.cpp @ 316]
0012db48 00ebc0ec 0b476c58 0a657590 0b00dfe0 gklayout!nsViewManager::RenderDisplayListElement+0x78 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 1460]
0012dbf0 00ebc922 09d36b70 0a657590 0012dc74 gklayout!nsViewManager::RenderViews+0x156 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 1375]
0012dcfc 00ebcc65 0b00e060 0a657590 09bb24c0 gklayout!nsViewManager::Refresh+0x328 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 930]
0012dd68 00ebdc0e 00000000 0b00e060 09bb24c0 gklayout!nsViewManager::DispatchEvent+0x203 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 2047]
0012dd84 0100518b 0012de18 00000000 0012de54 gklayout!HandleEvent+0x27 [c:\build\chs3\build\mozilla\view\src\nsview.cpp @ 174]
0012dd98 01001e48 0b00e0dc 0012de18 0012de54 gkwidget!nsWindow::DispatchEvent+0x35 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1253]
0012ddac 0100764a 0012de18 0012de54 00000001 gkwidget!nsWindow::DispatchWindowEvent+0x16 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1279]
0012de74 010088f9 00000000 00000000 0b00e0d8 gkwidget!nsWindow::OnPaint+0x139 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 5748]
0012e0ec 010085cb 0000000f 00000000 00000000 gkwidget!nsWindow::ProcessMessage+0x230 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 4365]
0012e120 77d48734 008306cc 0000000f 00000000 gkwidget!nsWindow::WindowProc+0x9c [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1435]
0012e14c 77d48816 0100852f 008306cc 0000000f USER32!InternalCallWinProc+0x28
0012e1b4 77d4b4c0 00000000 0100852f 008306cc USER32!UserCallWinProcCheckWow+0x150
0012e208 77d4b50c 0058a3b8 0000000f 00000000 USER32!DispatchClientMessage+0xa3
0012e230 7c90eae3 0012e240 00000018 0058a3b8 USER32!__fnDWORD+0x24
0012e230 804e2b1c 0012e240 00000018 0058a3b8 ntdll!KiUserCallbackDispatcher+0x13
b3b1dad8 80565cec b3b1db94 b3b1db98 b3b1db68 nt!KiCallUserMode+0x4
b3b1db34 bf813e47 00000002 b3b1db78 00000018 nt!KeUserModeCallback+0x87
b3b1dbb8 bf813fdd bbe8a3b8 0000000f 00000000 win32k!SfnDWORD+0xa8
b3b1dc00 bf8141cf 42e8a3b8 0000000f 00000000 win32k!xxxSendMessageToClient+0x176
b3b1dc4c bf80f5b8 bbe8a3b8 0000000f 00000000 win32k!xxxSendMessageTimeout+0x1a6
b3b1dc70 bf827001 bbe8a3b8 0000000f 00000000 win32k!xxxSendMessage+0x1b
b3b1dc9c bf826f6c bbe8a3b8 00000005 00000000 win32k!xxxUpdateWindow2+0x79
b3b1dcc0 bf826f6c bbe5ab88 00000005 00000000 win32k!xxxUpdateWindow2+0xfa
b3b1dce4 bf826f6c bbe5aa60 00000005 b3b1dd64 win32k!xxxUpdateWindow2+0xfa
b3b1dd08 bf826ed1 bbe7ec30 00000001 0012e268 win32k!xxxUpdateWindow2+0xfa
b3b1dd28 bf8370dd bbe7ec30 00000001 b3b1dd54 win32k!xxxInternalUpdateWindow+0x6f


FOLLOWUP_IP: 
win32k!vSrcCopyS32D32Identity+5b
bf83a167 83c40c           add     esp,0xc

SYMBOL_STACK_INDEX:  1

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!vSrcCopyS32D32Identity+5b

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  43446a58

STACK_COMMAND:  .trap ffffffffb3b1d100 ; kb

FAILURE_BUCKET_ID:  0x50_win32k!vSrcCopyS32D32Identity+5b

BUCKET_ID:  0x50_win32k!vSrcCopyS32D32Identity+5b

Followup: MachineOwner
---------
140 #define NS_THEME_SCROLLBAR_TRACK_VERTICAL                  87
looks like it's SP_TRACKSTARTVERT aka SBP_THUMBBTNVERT

kd> dv -t
class nsNativeThemeWin * this = 0x01db1408
class nsIRenderingContext * aContext = 0x0a657590
class nsIFrame * aFrame = 0x0af9c5b4
unsigned char aWidgetType = 0x57 'W'
struct nsRect * aRect = 0x0012da70
struct nsRect * aClipRect = 0x0012db28
int state = 1
struct tagRECT clipRect = struct tagRECT
void * theme = 0x00010002
int part = 6
struct tagRECT widgetRect = struct tagRECT
struct nsRect tr = struct nsRect
struct nsRect cr = struct nsRect
class nsTransform2D * transformMatrix = 0x0b48f0cc
kd> dt -b gkgfxwin!nsRenderingContextWin 0x0a657590
   +0x000 __VFN_table : 0x00d579d0 
   +0x004 mTranMatrix      : 0x0b48f0cc 
   +0x008 mLineStyle       : 1 ( nsLineStyle_kSolid )
   +0x00c mAct             : 0
   +0x010 mActive          : (null) 
   +0x014 mPenMode         : 0 ( nsPenMode_kNone )
   =00d5fcd4 nsRenderingContextImpl::gBackbuffer : 0x0af72288 
   =00d5fce0 nsRenderingContextImpl::gBackbufferBounds : nsRect
      +0x000 x                : 0
      +0x004 y                : 0
      +0x008 width            : 896
      +0x00c height           : 625
   =00d5fcd8 nsRenderingContextImpl::gLargestRequestedSize : nsSize
      +0x000 width            : 0
      +0x004 height           : 0
   +0x018 __VFN_table : 0x00d579c0 
   +0x01c mRefCnt          : 
      +0x000 mValue           : 5
   +0x020 mCurrentColor    : 0
   +0x024 mFontMetrics     : (null) 
   +0x028 mDC              : 0x090113c6 
   +0x02c mMainDC          : 0x05011e63 
   +0x030 mSurface         : 0x0af72288 
   +0x034 mMainSurface     : 0x0a82afc8 
   +0x038 mColor           : 0
   +0x03c mDCOwner         : (null) 
   +0x040 mContext         : 0x0aff3768 
   +0x044 mP2T             : 15 
   +0x048 mClipRegion      : (null) 
   +0x04c mOrigSolidBrush  : 0x01900010 
   +0x050 mOrigFont        : 0x018a0021 
   +0x054 mOrigSolidPen    : 0x01b00017 
   +0x058 mOrigPalette     : (null) 
   +0x05c mStates          : 0x0b48f0c8 
   +0x060 mStateCache      : 0x09ffafa8 
   +0x064 mCurrBrushColor  : 0xffd8e9ec
   +0x068 mCurrBrush       : 0x441029cf 
   +0x06c mCurrFontWin     : (null) 
   +0x070 mCurrFont        : (null) 
   +0x074 mCurrPenColor    : 0
   +0x078 mCurrPen         : (null) 
   +0x07c mNullPen         : (null) 
   +0x080 mGammaTable      : (null) 
   +0x084 mCurrTextColor   : 0
   +0x088 mCurrLineStyle   : 1 ( nsLineStyle_kSolid )
   +0x08c mRightToLeftText : 0 ''

clipRect:
kd> dt nsRect 0x0012d8c0
   +0x000 x                : 876
   +0x004 y                : 0
   +0x008 width            : 895
   +0x00c height           : 605
widgetRect:
kd> dt nsRect 0x0012d8f0
   +0x000 x                : 876
   +0x004 y                : 0
   +0x008 width            : 895
   +0x00c height           : 605
*** Bug 317379 has been marked as a duplicate of this bug. ***
Product: Core → Core Graveyard
Crash Signature: [@ nsNativeThemeWin::DrawWidgetBackground]
Assignee: win32 → nobody
Component: GFX: Win32 → Widget: Win32
Product: Core Graveyard → Core
QA Contact: ian
Crashes with this function still happen, see https://crash-stats.mozilla.com/report/list?signature=nsNativeThemeWin%3A%3ADrawWidgetBackground%28nsRenderingContext%2A%2C+nsIFrame%2A%2C+unsigned+char%2C+nsRect+const%26%2C+nsRect+const%26%29
Crash Signature: [@ nsNativeThemeWin::DrawWidgetBackground] → [@ nsNativeThemeWin::DrawWidgetBackground] [@ nsNativeThemeWin::DrawWidgetBackground(nsRenderingContext*, nsIFrame*, unsigned char, nsRect const&, nsRect const&) ]
Whiteboard: tpi:-
QA Whiteboard: qa-not-actionable

No crashes since Firefox version 94.0.2.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME