Crash [@ imgFrame::Draw(gfxContext*, GraphicsFilter, gfxMatrix const&, gfxRect const&, nsIntMargin const&, nsIntRect const&, unsigned int) ] with mask drawing and mSinglePixel imgFrame

VERIFIED FIXED in Firefox 32

Status: defect, VERIFIED FIXED

People: Reporter: mstange; Assigned: jwatt

Tracking: Keywords: regression; Version: Trunk; Target Milestone: mozilla33; Hardware: All; OS: macOS

Firefox Tracking Flags: firefox30 unaffected, firefox31 unaffected, firefox32+ verified, firefox33 verified, b2g-v2.0 fixed, b2g-v2.1 fixed

Attachments: 1 attachment, 1 obsolete attachment

This page currently crashes for me during loading: https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg

Looks like it has a mask that contains a raster image that's a solid color, so we crash with a null DrawTarget here in imgFrame.cpp:

>  RefPtr<DrawTarget> dt = aContext->GetDrawTarget();
>
>  if (mSinglePixel && !doPadding && !doPartialDecode) {
>    if (mSinglePixelColor.a == 0.0) {
>      return true;
>    }
>
>    Rect target(aFill.x, aFill.y, aFill.width, aFill.height);
>    dt->FillRect(target, ColorPattern(mSinglePixelColor),
>                 DrawOptions(1.0f, CompositionOpForOp(aContext->CurrentOperator())));
>    return true;
>  }

We should probably stop this from crashing before bug 987194 is fixed.
The crash is happening under the stack:

  imgFrame::Draw
  mozilla::image::RasterImage::DrawWithPreDownscaleIfNeeded
  mozilla::image::RasterImage::Draw
  DrawImageInternal
  nsLayoutUtils::DrawSingleUnscaledImage
  nsSVGImageFrame::PaintSVG
  nsSVGUtils::PaintFrameWithEffects
  nsSVGDisplayContainerFrame::PaintSVG
  SVGPaintCallback::Paint
  nsFilterInstance::BuildSourceImage
  nsFilterInstance::Render
  nsFilterInstance::PaintFilteredFrame
  nsSVGUtils::PaintFrameWithEffects
  nsSVGMaskFrame::ComputeMaskAlpha
  nsSVGIntegrationUtils::PaintFramesWithEffects
  nsDisplaySVGEffects::PaintAsLayer
  mozilla::PaintInactiveLayer

The reason the GetDrawTarget() call in comment 0 fails is that nsSVGMaskFrame::ComputeMaskAlpha creates a Thebes-backed gfxContext.
Assignee: nobody → jwatt
Blocks: 994081
Posted patch patch (obsolete) — Splinter Review
Attachment #8437300 - Flags: review?(mwu)
Posted patch patch — Splinter Review
Oops, need the gfx2DGlue.h change too.
Attachment #8437300 - Attachment is obsolete: true
Attachment #8437300 - Flags: review?(mwu)
Attachment #8437308 - Flags: review?(mwu)
Comment on attachment 8437308 [details] [diff] [review]
patch

r=me if you can make the code use a DrawTarget if it's available. This will at least make sure the FillRect path won't rot.
Attachment #8437308 - Flags: review?(mwu) → review+
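The review asks for the mSinglePixel path to use a DrawTarget when the context has one and to fall back to the gfxContext otherwise. The sketch below is an added illustration of that shape, not the patch attached to this bug: gfxContext, DrawTarget, Rect and Color are constructed stand-ins that only record which fill path ran, and FillRectViaContext stands in for the Thebes Rectangle/Fill path.

```cpp
// Added illustration of the null-DrawTarget fix. All types here are
// constructed stand-ins for the Gecko classes, not the real ones.

struct Rect { float x, y, width, height; };
struct Color { float r, g, b, a; };

// Stand-in for a Moz2D DrawTarget: counts the fills it performs.
struct DrawTarget {
  int fills = 0;
  void FillRect(const Rect&, const Color&) { ++fills; }
};

// Stand-in for gfxContext. A Thebes-backed context has no DrawTarget,
// which is the case that produced the null dereference in comment 0.
struct gfxContext {
  DrawTarget* dt;        // nullptr when Thebes-backed
  int thebesFills = 0;   // fills done through the context's own path
  explicit gfxContext(DrawTarget* aDt) : dt(aDt) {}
  DrawTarget* GetDrawTarget() { return dt; }
  void FillRectViaContext(const Rect&, const Color&) { ++thebesFills; }
};

// Fixed shape of the single-pixel fast path: skip fully transparent
// pixels, use the DrawTarget if one is available, otherwise fill
// through the gfxContext instead of dereferencing a null pointer.
bool DrawSinglePixelFixed(gfxContext* aContext, const Rect& aFill,
                          const Color& aColor) {
  if (aColor.a == 0.0f) {
    return true;  // nothing to draw, as in the original early return
  }
  if (DrawTarget* dt = aContext->GetDrawTarget()) {
    dt->FillRect(aFill, aColor);
  } else {
    aContext->FillRectViaContext(aFill, aColor);
  }
  return true;
}
```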
That was fast, thanks!
https://hg.mozilla.org/mozilla-central/rev/066ed94a5868
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
DOMi and DOMi+ are broken and it appears to be this patch based on regression testing.

Good: https://hg.mozilla.org/integration/mozilla-inbound/rev/100a14518e5b

Bad: https://hg.mozilla.org/integration/mozilla-inbound/rev/066ed94a5868

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
(In reply to Gary [:streetwolf] from comment #8)
> DOMi and DOMi+ are broken and it appears to be this patch based on
> regression testing.
> 
> Good: https://hg.mozilla.org/integration/mozilla-inbound/rev/100a14518e5b
> 
> Bad : https://hg.mozilla.org/integration/mozilla-inbound/rev/066ed94a5868
> 
> 
> Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Bug is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1023938
This crash is showing up in Aurora crash reports. Is the patch safe to uplift?
Blocks: 1027933
Comment on attachment 8437308 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 994081
User impact if declined: crashes
Testing completed (on m-c, etc.): been on m-c a while
Risk to taking this patch (and alternatives if risky): low risk
String or IDL/UUID changes made by this patch: none
Attachment #8437308 - Flags: approval-mozilla-aurora?
Comment on attachment 8437308 [details] [diff] [review]
patch

Aurora uplift approved.
Attachment #8437308 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Used old Nightly build (2014-06-09) to crash Firefox using https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg. Verified that Firefox 32 beta 8 and latest Aurora do not crash after loading the .svg image. Testing was done on Windows 7 64bit, Mac OS X 10.9.4 and Ubuntu 14.04 32bit.
Status: RESOLVED → VERIFIED
Keywords: verifyme