Closed Bug 337117 Opened 18 years ago Closed 18 years ago

Browser crashes when opening saunalahti.fi or maps.google.com [@ fbRasterizeEdges8]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: taavi.horila, Unassigned)

References

(
URL
)

Details

(Keywords: crash, regression, topcrash+)

Crash Data

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060505 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060505 Minefield/3.0a1

Hard to describe much, when I tried to access saunalahti.fi, browser crashed before the page was completely loaded. It loaded some portions of the page. Tried to reopen 3 times, every time same thing.

Reproducible: Always

Steps to Reproduce:
1. just open page http://saunalahti.fi
2.
3.
Works for me.
Try a clean profile and update to the latest-trunk release.

WFM with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060507 Minefield/3.0a1
Could you copy a talkback ID for the crash to this bug?
http://kb.mozillazine.org/Talkback

WFM.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060507 BonEcho/2.0a1 ID:2006050704
Blocks: 337193
No longer blocks: 337193
Tried again with non-administrative account (win xp). Works well. But when I installed the lastest trunk and tried again with administrative account, same thing: browser crashed.

So I think it's somehow related to windows user accounts???

I will post that talkback ID later. 
Talkback ID (most recent crash)

TB18475077W


Incident ID: 18475077
Stack Signature	fbRasterizeEdges8 239d0fd9
Product ID	FirefoxTrunk
Build ID	2006050805
Trigger Time	2006-05-09 05:54:11.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0053cbdb)
URL visited	<a href='http://saunalahti.fi'>http://saunalahti.fi</a>
User Comments	
Since Last Crash	89 sec
Total Uptime	99 sec
Trigger Reason	Access violation
Source File, Line No.	c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\gfx\cairo\libpixman\src\fbedge.c, line 159
Stack Trace 	
fbRasterizeEdges8   fbRasterizeEdges   fbRasterizeTrapezoid   _moz_cairo_pixman_add_trapezoids   _cairo_image_surface_composite_trapezoids   _cairo_surface_composite_trapezoids   _cairo_surface_fallback_composite_trapezoids   _cairo_surface_composite_trapezoids   _cairo_clip_intersect_mask
Keywords: crash
Summary: Browser crashes when opening site saunalahti.fi → Browser crashes when opening site saunalahti.fi [@ fbRasterizeEdges8]
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Version: unspecified → 1.8 Branch
Version: 1.8 Branch → Trunk
I'm seeing this crash regularly on trunk builds.  It seems to happen while the page is in the middle of loading images.  I've seen it on google maps for example.

Talkback IDs: 18589852, 18584674

Build tested: 20060511 windows trunk firefox
Status: UNCONFIRMED → NEW
Ever confirmed: true
I have seen this as well, but have never been able to reproduce it -- and talkback is still worthless with VC8 builds.  The given URL here doesn't crash for me on any computer.  I guess I'll start running my own debug build on the laptop so that I can jump into a debugger if I happen to see it again.  If anyone else can get into this in the debugger, please post a full backtrace and pull out as much info as you can -- in particular the arguments of any calls to _cairo_win32_surface_* including the contents of the src,mask,dst params.
er, I meant calls to _cairo_image_surface_* (composite_trapezoids in most cases)
This topcrash accounts for over 6% of trunk crashes.  It first appeared in May 3 builds.  Many incidents have comments mentioning Google Maps.
Flags: blocking1.9a1?
Keywords: regression, topcrash
I can only give stacktrace with the arguments (saw this bug after quitting the debugger, so did not save the contents of src, mask, etc.):
ChildEBP RetAddr 
0012f100 01c1825a thebes!fbRasterizeEdges8(unsigned int * buf = 0x19a8af50, int width = 702, int stride = 176, struct RenderEdge * l = 0x0012f180, struct RenderEdge * r = 0x0012f1a8, int t = 1, int b = 2147481462)+0xa3 [h:\mozilla\tree-main\mozilla\gfx\cairo\libpixman\src\fbedge.c @ 159]
0012f11c 01c17933 thebes!fbRasterizeEdges(unsigned int * buf = 0x19a2e510, int bpp = 8, int width = 702, int stride = 176, struct RenderEdge * l = 0x0012f180, struct RenderEdge * r = 0x0012f1a8, int t = 4065416, int b = 2147481462)+0x2f [h:\mozilla\tree-main\mozilla\gfx\cairo\libpixman\src\fbedge.c @ 297]
0012f1dc 01c0e510 thebes!fbRasterizeTrapezoid(struct pixman_image * pPicture = 0x00000008, struct pixman_trapezoid * trap = 0x003e0888, int x_off = 0, int y_off = 0)+0xbd [h:\mozilla\tree-main\mozilla\gfx\cairo\libpixman\src\fbtrap.c @ 137]
0012f1f8 01bfcc79 thebes!_moz_cairo_pixman_add_trapezoids(struct pixman_image * dst = 0x197965a8, int x_off = 0, int y_off = 0, struct pixman_trapezoid * traps = 0x05b508a8, int ntraps = 2)+0x35 [h:\mozilla\tree-main\mozilla\gfx\cairo\libpixman\src\ictrap.c @ 208]
0012f27c 01bf8d05 thebes!_cairo_image_surface_composite_trapezoids(_cairo_operator op = CAIRO_OPERATOR_IN (3), struct _cairo_pattern * pattern = 0x0012f3b4, void * abstract_dst = 0x18f4f790, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), int src_x = 0, int src_y = 0, int dst_x = 0, int dst_y = 0, unsigned int width = 0x2be, unsigned int height = 0x217, struct _cairo_trapezoid * traps = 0x05b508a8, int num_traps = 3)+0x14e [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-image-surface.c @ 844]
0012f2b8 01c01c12 thebes!_cairo_surface_composite_trapezoids(_cairo_operator op = CAIRO_OPERATOR_IN (3), struct _cairo_pattern * pattern = 0x0012f3b4, struct _cairo_surface * dst = 0x18f4f790, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), int src_x = 0, int src_y = 0, int dst_x = 0, int dst_y = 0, unsigned int width = 0x2be, unsigned int height = 0x217, struct _cairo_trapezoid * traps = 0x05b508a8, int num_traps = 3)+0x45 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 1224]
0012f320 01bf8d36 thebes!_cairo_surface_fallback_composite_trapezoids(_cairo_operator op = CAIRO_OPERATOR_IN (3), struct _cairo_pattern * pattern = 0x0012f3b4, struct _cairo_surface * dst = 0x05172970, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), int src_x = 0, int src_y = 0, int dst_x = 0, int dst_y = 0, unsigned int width = 0x2be, unsigned int height = 0x217, struct _cairo_trapezoid * traps = 0x05b508a8, int num_traps = 3)+0xd8 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-surface-fallback.c @ 1159]
0012f35c 01c03b69 thebes!_cairo_surface_composite_trapezoids(_cairo_operator op = CAIRO_OPERATOR_IN (3), struct _cairo_pattern * pattern = 0x0012f3b4, struct _cairo_surface * dst = 0x05172970, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), int src_x = 0, int src_y = 0, int dst_x = 0, int dst_y = 0, unsigned int width = 0x2be, unsigned int height = 0x217, struct _cairo_trapezoid * traps = 0x05b508a8, int num_traps = 3)+0x76 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 1234]
0012f448 01c03ce2 thebes!_cairo_clip_intersect_mask(struct _cairo_clip * clip = 0x000001dd, struct _cairo_traps * traps = 0x00000001, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), struct _cairo_surface * target = 0x05576868)+0xda [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-clip.c @ 382]
0012f4a4 01c030e3 thebes!_cairo_clip_clip(struct _cairo_clip * clip = 0x052c7ee8, struct _cairo_path_fixed * path = 0x0012f464, _cairo_fill_rule fill_rule = CAIRO_FILL_RULE_WINDING (0), double tolerance = 0.10000000000000001, _cairo_antialias antialias = CAIRO_ANTIALIAS_DEFAULT (0), struct _cairo_surface * target = 0x05576868)+0xd6 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-clip.c @ 468]
0012f4c4 01bfbb15 thebes!_cairo_gstate_clip(struct _cairo_gstate * gstate = 0x01df6d29, struct _cairo_path_fixed * path = 0x190f1458)+0x27 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo-gstate.c @ 1221]
0012f4d4 01bf4481 thebes!_moz_cairo_clip_preserve(struct _cairo * cr = 0x01df6d29)+0x17 [h:\mozilla\tree-main\mozilla\gfx\cairo\cairo\src\cairo.c @ 1853]
0012f4dc 01df4277 thebes!gfxContext::Clip(void)+0x8 [h:\mozilla\tree-main\mozilla\gfx\thebes\src\gfxcontext.cpp @ 489]
0012f568 01df6d29 gkgfxthebes!nsThebesImage::Draw(class nsIRenderingContext * aContext = 0x190ab4ec, class nsIDrawingSurface * aSurface = 0x00000000, int aSX = 120, int aSY = 13, int aSWidth = 0, int aSHeight = 50, int aDX = 700, int aDY = 622, int aDWidth = 0, int aDHeight = 50)+0xc0 [h:\mozilla\tree-main\mozilla\gfx\src\thebes\nsthebesimage.cpp @ 291]
0012f5e0 01810535 gkgfxthebes!nsThebesRenderingContext::DrawImage(class imgIContainer * aImage = 0x42480000, struct nsRect * twSrcRect = 0x0012f618, struct nsRect * twDestRect = 0x0012f638)+0x22a [h:\mozilla\tree-main\mozilla\gfx\src\thebes\nsthebesrenderingcontext.cpp @ 1009]
0012f64c 018108b1 gklayout!nsImageFrame::PaintImage(class nsIRenderingContext * aRenderingContext = 0x190ab4ec, struct nsPoint aPt = struct nsPoint, struct nsRect * aDirtyRect = 0x0012f69c, class imgIContainer * aImage = 0x190b75a8)+0x103 [h:\mozilla\tree-main\mozilla\layout\generic\nsimageframe.cpp @ 1345]
0012f668 018007ea gklayout!nsDisplayImage::Paint(class nsDisplayListBuilder * aBuilder = 0x018007ea, class nsIRenderingContext * aCtx = 0x0012f798, struct nsRect * aDirtyRect = 0x190ab4ec)+0x29 [h:\mozilla\tree-main\mozilla\layout\generic\nsimageframe.cpp @ 1283]
0012f67c 01800c0e gklayout!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x018007ea, class nsIRenderingContext * aCtx = 0x0012f798, struct nsRect * aDirtyRect = 0x190ab4ec)+0x18 [h:\mozilla\tree-main\mozilla\layout\base\nsdisplaylist.cpp @ 304]
0012f6ac 018007ea gklayout!nsDisplayClip::Paint(class nsDisplayListBuilder * aBuilder = 0x0012f798, class nsIRenderingContext * aCtx = 0x190ab4ec, struct nsRect * aDirtyRect = 0x0012f6e0)+0x4d [h:\mozilla\tree-main\mozilla\layout\base\nsdisplaylist.cpp @ 903]
0012f6c0 01800c0e gklayout!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x018007ea, class nsIRenderingContext * aCtx = 0x0012f798, struct nsRect * aDirtyRect = 0x190ab4ec)+0x18 [h:\mozilla\tree-main\mozilla\layout\base\nsdisplaylist.cpp @ 304]

Ok, the next time i use a attachment for the stacktrace :/.
*** Bug 338300 has been marked as a duplicate of this bug. ***
Summary: Browser crashes when opening site saunalahti.fi [@ fbRasterizeEdges8] → Browser crashes when opening saunalahti.fi or maps.google.com [@ fbRasterizeEdges8]
now up to 19.1% of all trunk crashes.  I
Keywords: topcrashtopcrash+
I crash 100% of the time just trying to load http://local.google.com
*** Bug 338212 has been marked as a duplicate of this bug. ***
but I don't see the crash on http://saunalahti.fi/ or http://www.half-life2.com
pav or vlad, can you reproduce by loading http://local.google.com ?
Flags: blocking1.9a1? → blocking1.9a1+
http://talkback-public.mozilla.org/search/start.jsp?search=1&searchby=stacksig&match=contains&searchfor=fbRasterizeEdges8&vendor=MozillaOrg&product=FirefoxTrunk&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid  shows this starting MozillaOrgFirefoxTrunkWin32 2006 05 03 05 and has some other test URLs.  These would be good to test against if there are still problems reproducing.

http://www.suicidegirls.com
http://www.vmware.com
http://www.ebaumsworld.com/fmovies2.shtml
http://www.gmx.de
http://www.merlefest.org/
http://www.islamicfinder.org
http://macslow.thepimp.net/?page_id=18
http://www.mindfactory.de
http://www.vbexperto.com
http://www.1up.com  - Just enter in the wii@e3 content zone
http://www.firefoxflicks.com/
http://www.pcmag.com
http://www.rangersloyal.co.uk/home.html
http://www.winamp.com
http://e3.ign.com
http://www.worldofwarcraft.com - looking through the screenshot gallery, there was a large-ish 1/2 loaded JPG at the time of the crash.
http://www.reallifecomics.com
http://www.pitbikeclub.co.uk
http://toolinux.org
http://buildandfight.com
http://www.kabiloo.fr
http://www.casino770.com
http://casino-club.com/DE/?camp=0605bn010101
http://www.java.com
http://www.hi5.com/friend/displayMyProfile.do
http://www.finnkino.fi
http://www.festival-cannes.fr/journal/index.php?langue=6002
http://www.alcon.com
http://www.runscape.com
http://www.cadence.com - -->click on Products
http://slurl.com/secondlife/Green/148/24
http://www.ctrlaltdel-online.com/
http://www.skipourfee.com/

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060528 Minefield/3.0a1 ID:2006052804 [cairo]

CRASH : http://www.vmware.com/
TB19214049Z
Blah.  I've been running my debug build for two weeks now, and haven't crashed yet.  I'll check in the fix for bug 337424 tomorrow, which should at least get rid of the crashes.  There's still some kind of logic error lurking under there when clipping is involved, though, that we'll need to track down.
just hit the crash again at http://www.mobileangler.com -  nearly a full size window covering 1280x800 resolution on my laptop
Just checked in the patch from 337424; this should hopefully go away now.

Tested Minefield/3.0a1 ID:2006060105 [cairo] with my usual maps.google.com crash and it is now working correctly, so it looks like the 337424 patch fixed it.
Also looks good for me running though all the test urls listed above running
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060601 Minefield/3.0a1
Marking fixed by 337424.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Crash Signature: [@ fbRasterizeEdges8]
Due to spam on this restricting comments
Restrict Comments: true
You need to log in before you can comment on or make changes to this bug.