1003004 - NULL deref in gfxContext::PushGroupAndCopyBackground

Status: RESOLVED DUPLICATE of bug 1247380

(Core :: Graphics, defect)

Description

[Tyson Smith [:tsmith]]

I was able to repro this issue on both Window 7 (32-bit) and Linux.

To repro:
1) open maps.google.com and try the 'new' google maps if it does't start by default.
2) Street view anywhere... https://www.google.com/maps/@50.853798,-112.243689,3a,75y,90.57h,90t/data=!3m4!1e1!3m2!1sY1iMxToMIcfN3lX6r84iUA!2e0
3) On the bottom left double click to the top right of the yellow man (2 o'clock-ish)
4) crash

#0 0x7f2460b6eeb6 in gfxContext::PushGroupAndCopyBackground(gfxContentType) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/thebes/gfxContext.cpp:1666:0
    #1 0x7f2460c3f00b in mozilla::layers::BasicLayerManager::PushGroupForLayer(gfxContext*, mozilla::layers::Layer*, nsIntRegion const&, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/layers/basic/BasicLayerManager.cpp:107:0
    #2 0x7f2460c464ac in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/layers/basic/BasicLayerManager.cpp:958:0
    #3 0x7f2460c48f85 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/layers/basic/BasicLayerManager.cpp:850:0
    #4 0x7f2460c46547 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/layers/basic/BasicLayerManager.cpp:952:0
    #5 0x7f2460c41cad in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/slave/m-in-l64-asan-0000000000000000/build/gfx/layers/basic/BasicLayerManager.cpp:627:0
...

Comment 1

[Tyson Smith [:tsmith]]

Attachment: repro_click.jpg

Comment 2

[Tyson Smith [:tsmith]]

Attachment: asan_stack.txt

Comment 3

[Robert Kaiser]

We had a bug for Windows on this in bug 798274 previously, which was duped to bug 805406.

Bas, does the info in this bug give us more insight to what is going on in this cluster of crashes (which are still pretty high on our topcrash lists)?

It pretty surely looks like the D2D stuff is not to blame or at least not the only reason why we get there, given we have those kinds of crashes all over various OSes, including Linux, Mac, and Android.

Comment 4

[Bas Schouten (:bas.schouten)]

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #3)
> We had a bug for Windows on this in bug 798274 previously, which was duped
> to bug 805406.
> 
> Bas, does the info in this bug give us more insight to what is going on in
> this cluster of crashes (which are still pretty high on our topcrash lists)?
> 
> It pretty surely looks like the D2D stuff is not to blame or at least not
> the only reason why we get there, given we have those kinds of crashes all
> over various OSes, including Linux, Mac, and Android.

These are just OOM at this point, because we do fallible allocations inside our graphics libraries, and those are likely to be the first to fail as they need large contiguous blocks. We could wallpaper over it and have artifacts, but it'd likely just fall over somewhere else.

Comment 5

[Milan Sreckovic [:milan] (needinfo for best results)]

I believe this to be a duplicate of bug 1247380.