1069341 - Nightly crash in google_breakpad::ExceptionHandler::HandlePureVirtualCall coming from gfxUtils::DrawPixelSnapped

Status: NEW

(Core :: Graphics, defect)

Description

[Robert Kaiser]

This bug was filed from the Socorro interface and is 
report bp-92aaf4b7-8f7d-487a-af46-4b6142140918.
=============================================================

We have two dominant stacks here. One (see crash ID above) has those top frames:
0 	xul.dll 	google_breakpad::ExceptionHandler::HandlePureVirtualCall() 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc
1 	msvcr100.dll 	purecall 	f:\dd\vctools\crt_bld\self_64_amd64\crt\src\purevirt.c:47
2 	xul.dll 	gfxSurfaceDrawable::DrawWithSamplingRect(gfxContext*, gfxRect const&, gfxRect const&, bool, GraphicsFilter const&, double) 	gfx/thebes/gfxDrawable.cpp
3 	xul.dll 	gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, gfxSize const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, GraphicsFilter, unsigned int, double) 	gfx/thebes/gfxUtils.cpp
4 	xul.dll 	mozilla::image::imgFrame::Draw(gfxContext*, mozilla::image::ImageRegion const&, nsIntMargin const&, GraphicsFilter, unsigned int) 	image/src/imgFrame.cpp
5 	xul.dll 	mozilla::image::RasterImage::DrawWithPreDownscaleIfNeeded(mozilla::image::DrawableFrameRef&&, gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, GraphicsFilter, unsigned int) 	image/src/RasterImage.cpp
6 	xul.dll 	mozilla::image::RasterImage::Draw(gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, unsigned int, GraphicsFilter, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int) 	image/src/RasterImage.cpp
7 	xul.dll 	DrawImageInternal 	layout/base/nsLayoutUtils.cpp
[...]


The other see e.g. (bp-87a2639e-f2c5-4341-a14a-302f72140918) has those top frames:
0 	xul.dll 	google_breakpad::ExceptionHandler::HandlePureVirtualCall() 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc
1 	msvcr100.dll 	purecall 	f:\dd\vctools\crt_bld\self_64_amd64\crt\src\purevirt.c:47
2 	mozglue.dll 	arena_bin_malloc_hard 	memory/mozjemalloc/jemalloc.c
3 	mozglue.dll 	arena_malloc_small 	memory/mozjemalloc/jemalloc.c
4 		@0x40776fffffffffff 	
5 	xul.dll 	gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, gfxSize const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, GraphicsFilter, unsigned int, double) 	gfx/thebes/gfxUtils.cpp
6 	xul.dll 	mozilla::image::imgFrame::Draw(gfxContext*, mozilla::image::ImageRegion const&, nsIntMargin const&, GraphicsFilter, unsigned int) 	image/src/imgFrame.cpp
7 	xul.dll 	mozilla::image::RasterImage::DrawWithPreDownscaleIfNeeded(mozilla::image::DrawableFrameRef&&, gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, GraphicsFilter, unsigned int) 	image/src/RasterImage.cpp
8 	xul.dll 	mozilla::image::RasterImage::Draw(gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, unsigned int, GraphicsFilter, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int) 	image/src/RasterImage.cpp
9 	xul.dll 	DrawImageInternal 	layout/base/nsLayoutUtils.cpp
[...]


I'll guess that they basically mean the same. This started spiking with the 9/13 builds and The line in gfxUtils::DrawPixelSnapped calling DrawWithSamplingRect was just added on 9/12 in bug 1044702 so I guess this is to blame on that bug as well.

Comment 1

[Robert Kaiser]

And note that
1) the disturbed stack with the address in frame 4 has frame 5 exactly at the same gfxUtils::DrawPixelSnapped line as frame 2 of the other stack: http://hg.mozilla.org/mozilla-central/annotate/426497473505/gfx/thebes/gfxUtils.cpp#l598 and
2) All those crashes are on 64bit Windows builds.

Comment 2

[Robert Kaiser]

Hah, I just found out that the 32bit Windows builds hit the msvcr100.dll@0x8af06 signature, see bp-a9e740e2-ad90-4f34-b151-8e8292140918 with a stack that has the same gfxUtils::DrawPixelSnapped line as frame 2:
0 	msvcr100.dll 	msvcr100.dll@0x8af06 	
1 	xul.dll 	gfxUtils::DrawPixelSnapped(gfxContext*, gfxDrawable*, gfxSize const&, mozilla::image::ImageRegion const&, mozilla::gfx::SurfaceFormat, GraphicsFilter, unsigned int, double) 	gfx/thebes/gfxUtils.cpp
2 	xul.dll 	mozilla::image::imgFrame::Draw(gfxContext*, mozilla::image::ImageRegion const&, nsIntMargin const&, GraphicsFilter, unsigned int) 	image/src/imgFrame.cpp
3 	xul.dll 	mozilla::image::RasterImage::DrawWithPreDownscaleIfNeeded(mozilla::image::DrawableFrameRef&&, gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, GraphicsFilter, unsigned int) 	image/src/RasterImage.cpp
4 	xul.dll 	mozilla::image::RasterImage::Draw(gfxContext*, nsIntSize const&, mozilla::image::ImageRegion const&, unsigned int, GraphicsFilter, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int) 	image/src/RasterImage.cpp
5 	xul.dll 	DrawImageInternal 	layout/base/nsLayoutUtils.cpp
[...]

Comment 3

[(not currently active) Ted Mielczarek]

I don't know what's going on in that 32-bit report, we have symbols for msvcr100.dll, it's just winding up in the middle of nowhere.

Comment 4

[(Away)]

WinDbg says the top frame of bp-a9e740e2-ad90-4f34-b151-8e8292140918 is msvcr100!_purecall+0x12.

(Actually there's a xul!google_breakpad::ExceptionHandler::HandlePureVirtualCall above that on the stack, but it's not considered part of the 'exception context' for some reason)

Comment 5

[(not currently active) Ted Mielczarek]

(In reply to Ted Mielczarek [:ted.mielczarek] from comment #3)
> I don't know what's going on in that 32-bit report, we have symbols for
> msvcr100.dll, it's just winding up in the middle of nowhere.

Oh, that's bug 889822.

Comment 6

[Timothy Nikkel (:tnikkel)]

Low volume, decreasing severity -> S3.