Closed
Bug 1099143
Opened 9 years ago
Closed 9 years ago
Crash @ xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0x00000592
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
People
(Reporter: cbook, Assigned: jfkthame)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(7 files)
Found via Bughunter and reproduced on Win7 Trunk Debug Build Steps to reproduce: -> Load http://www.msn.com/en-us/money/stockdetails/fi-126.1.ARCP.NAS --> Firefox Debug exists with a crash 001ed5b8 58a2ee77 001ed644 3f800000 41c00000 xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0x592 001ed5d8 5857f122 001ed644 00000000 3ff00000 xul!mozilla::dom::CanvasRenderingContext2D::FillText+0x2d 001ed6e4 58a1b0b3 081f9250 001ed710 0bd29000 xul!mozilla::dom::CanvasRenderingContext2DBinding::fillText+0x248 001ed734 59dd5f09 081f9250 00000003 001ed714 xul!mozilla::dom::GenericBindingMethod+0x115 001ed75c 59ded843 0820f400 58a1af9e 001ed9bc xul!js::CallJSNative+0x89 001ed9b0 59de926e 081f9250 00000000 041df498 xul!js::Invoke+0x203 001eddf4 59df1bcd 081f9250 001ede3c 081f9250 xul!Interpret+0x3b8e 001ede20 59ded8f9 001ede18 001ede3c 081f9250 xul!js::RunScript+0x19d 001ee070 59b63d67 081f9250 081f9200 001ee32c xul!js::Invoke+0x2b9 001ee378 59dd5f09 081f9250 00000002 001ee688 xul!js_fun_apply+0x3d7 001ee3a0 59ded843 0820f400 59b63990 001ee600 xul!js::CallJSNative+0x89 001ee5f4 59ded598 081f9250 0541b100 001ee698 xul!js::Invoke+0x203 001ee6e4 59f2f1d5 081f9250 001ee73c 001ee768 xul!js::Invoke+0x288 001ee7a8 1df76f82 081f9250 001ee84c 08f939c0 xul!js::jit::DoCallFallback+0x445 WARNING: Frame IP not in any known module. Following frames may be wrong. 001ee848 579d4d58 00000001 00000001 001ee950 0x1df76f82 001ee878 1df70a19 00000143 02f29668 00000000 xul!NS_LogAddRef+0xa 001ee8a8 59f347d5 173c1f00 00000001 001eede0 0x1df70a19 001ee9d4 59f34cf4 081f9250 001ee9f0 001eeb10 xul!EnterBaseline+0x1e5 001eeac8 59df1b61 081f9250 001eeb10 081f9250 xul!js::jit::EnterBaselineMethod+0xe4 001eeaf4 59ded8f9 001eeaec 001eeb10 081f9250 xul!js::RunScript+0x131 001eed44 59ded598 081f9250 001eee00 001eede8 xul!js::Invoke+0x2b9 001eee34 59af8811 081f9250 001eefac 001eee9c xul!js::Invoke+0x288 001eee6c 586855cc 0820f400 001eefac 001eee9c xul!JS::Call+0xa1 001eef7c 58347b2e 081f9250 001eefac 0bd23d1c xul!mozilla::dom::Function::Call+0x1a1 001ef0a4 583660b2 001ef18c 0bd23d1c 001ef144 xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0xfe 001ef1fc 58365e2e 0d9f8ac0 08fb3d90 001ef2dc xul!nsGlobalWindow::RunTimeoutHandler+0x16c 001ef280 5836c656 0d9f8ac0 5836c62a 001ef350 xul!nsGlobalWindow::RunTimeout+0x29a 001ef290 57a12b2b 0bd0bd00 0d9f8ac0 0571f760 xul!nsGlobalWindow::TimerCallback+0x2c 001ef350 57a17720 001ef47b 00807400 001ef47b xul!nsTimerImpl::Fire+0x27d 001ef380 57a157ac 0571f760 00810b38 00810b20 xul!nsTimerEvent::Run+0x7f 001ef45c 57a3d3e1 0571f760 00000000 001ef47b xul!nsThread::ProcessNextEvent+0x3a0 001ef470 57c8a93b 01807430 00000000 008610e0 xul!NS_ProcessNextEvent+0x46 001ef4a0 57c5c53b 008610e0 008610e0 5a715608 xul!mozilla::ipc::MessagePump::Run+0xc0 001ef4c0 57c5c4f3 2e782a5f 041d2e00 008610e0 xul!MessageLoop::RunInternal+0x42 001ef4f4 57c5c270 00807430 00000001 57c4d800 xul!MessageLoop::RunHandler+0x50 001ef514 58f2cc40 04337e00 00000000 001ef534 xul!MessageLoop::Run+0x19 001ef524 58f62ec5 041d2e00 04337e00 001ef548 xul!nsBaseAppShell::Run+0x47 001ef534 595904c9 041d2e00 001ef650 001ef745 xul!nsAppShell::Run+0x16 001ef548 595d4f73 04337e00 73521719 001ef650 xul!nsAppStartup::Run+0x4b 001ef61c 595d3735 00000001 001ef77c 00000000 xul!XREMain::XRE_mainRun+0xaa2 001ef638 595d5c8f 00000001 003955c0 001ef77c xul!XREMain::XRE_main+0x167 001ef74c 00ae203f 00000001 003955c0 001ef77c xul!XRE_main+0x34 001ef8ec 00ae1a04 00000001 003955c0 00842100 firefox!do_main+0x352 001ef97c 00ae2395 00000001 003955c0 00000000 firefox!NS_internal_main+0x143 001ef9b0 00ae4480 00000001 00000190 00395818 firefox!wmain+0x11d 001ef9f8 7557ed6c 7ffd4000 001efa44 7710377b firefox!__tmainCRTStartup+0xf2 001efa04 7710377b 7ffd4000 769f32e4 00000000 kernel32!BaseThreadInitThunk+0xe 001efa44 7710374e 00ae4543 7ffd4000 00000000 ntdll!__RtlUserThreadStart+0x70 001efa5c 00000000 00ae4543 7ffd4000 00000000 ntdll!_RtlUserThreadStart+0x1b
|
||
Updated•9 years ago
|
Keywords: regressionwindow-wanted
|
|
||
Comment 1•9 years ago
|
||
Can you get line numbers for the crash?
|
Reporter | |
Comment 2•9 years ago
|
||
|
Assignee | |
Comment 3•9 years ago
|
||
Oops, I'm pretty sure this is a regression from bug 1090168. Fix coming shortly...
Blocks: 1090168
Keywords: regressionwindow-wanted
|
|
Assignee | |
Comment 4•9 years ago
|
||
Attachment #8523004 -
Flags: review?(jdaggett)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 5•9 years ago
|
||
:Tomcat, I'm pretty sure the patch above will fix this, but if you have reliable STR for the crash and can test a patched build to confirm this, it'd be great - thanks.
Flags: needinfo?(cbook)
|
|
Assignee | |
Comment 6•9 years ago
|
||
Ah, never mind -- I was able to reproduce and confirm the fix locally on OS X, too.
Flags: needinfo?(cbook)
Are these crash reports related to this bug? https://crash-stats.mozilla.com/report/index/bp-3b041f87-64f9-4ba4-a4c6-aedf12141114 https://crash-stats.mozilla.com/report/index/bp-9c1220d8-bb57-424b-8e2e-0cbb72141114 https://crash-stats.mozilla.com/report/index/bp-4bd60cbd-7416-41ac-8d5d-289552141114 I encountered a similar situation a month ago with bug 1079746.
|
|
Assignee | |
Comment 8•9 years ago
|
||
(In reply to Fanolian from comment #7) > Are these crash reports related to this bug? > https://crash-stats.mozilla.com/report/index/bp-3b041f87-64f9-4ba4-a4c6- > aedf12141114 > https://crash-stats.mozilla.com/report/index/bp-9c1220d8-bb57-424b-8e2e- > 0cbb72141114 > https://crash-stats.mozilla.com/report/index/bp-4bd60cbd-7416-41ac-8d5d- > 289552141114 > > I encountered a similar situation a month ago with bug 1079746. Yes, those crashes are the same thing. BTW, if you have a simple testcase (rather than a complex website) that reliably produces this crash, it would be helpful to have one that we could include as a crashtest, to protect against regressing this similarly sometime in the future.
|
||
Updated•9 years ago
|
Crash Signature: [@ mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsAString_internal const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, float*) ]
|
||
Comment 9•9 years ago
|
||
I crashed on google docs, on the dine-about signup page for Portland.
|
||
Comment 10•9 years ago
|
||
Just crashed on a Google Spreadsheet as well (with e10s enabled).
|
||
Comment 11•9 years ago
|
||
Firefox nightly is keep crashing particularly on this google docs https://docs.google.com/spreadsheets/d/1scvHkFWPKwKitwPPKsUV8_l7KCPBRwBzTUANLIHPOLE/edit#gid=0 feel free to request access and i will provide it! Application Basics ------------------ Name: Firefox Version: 36.0a1 User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0 Multiprocess Windows: 0/1 Crash Reports for the Last 3 Days --------------------------------- Report ID: bp-dcce9f85-b49e-44fa-9ff3-9636b2141115 Submitted: 5 minutes ago Report ID: bp-1ad05768-ab44-4b88-a9df-f041a2141115 Submitted: 6 minutes ago Report ID: bp-f203b7d1-0a8e-492b-91c0-2cdd32141114 Submitted: 1 day ago Report ID: bp-c72009f7-e26d-4601-8c94-ed5832141114 Submitted: 1 day ago All Crash Reports (including 4 pending crashes in the given time range) Extensions ---------- Name: ADB Helper Version: 0.7.1 Enabled: true ID: adbhelper@mozilla.org Name: Adblock Plus Version: 2.6.6 Enabled: true ID: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} Name: ChatZilla Version: 0.9.91 Enabled: true ID: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} Graphics -------- Device ID: 0x 126 GPU Accelerated Windows: 1/1 OpenGL (OMTC) Vendor ID: 0x8086 WebGL Renderer: ATI Technologies Inc. -- AMD Radeon HD 6770M OpenGL Engine windowLayerManagerRemote: true AzureCanvasBackend: quartz AzureContentBackend: quartz AzureFallbackCanvasBackend: none AzureSkiaAccelerated: 0 Important Modified Preferences ------------------------------ accessibility.typeaheadfind.flashBar: 0 browser.cache.disk.capacity: 358400 browser.cache.disk.smart_size_cached_value: 358400 browser.cache.disk.smart_size.first_run: false browser.cache.disk.smart_size.use_old_max: false browser.cache.frecency_experiment: 4 browser.places.smartBookmarksVersion: 7 browser.sessionstore.restore_on_demand: false browser.sessionstore.upgradeBackup.latestBuildID: 20141115030205 browser.startup.homepage: http://google.co.in/ browser.startup.homepage_override.buildID: 20141115030205 browser.startup.homepage_override.mstone: 36.0a1 browser.tabs.remote.autostart.1: false browser.urlbar.trimURLs: false dom.mozApps.used: true dom.w3c_touch_events.expose: false extensions.lastAppVersion: 36.0a1 font.internaluseonly.changed: true font.language.group: x-western font.name.serif.x-western: Siyam Rupali keyword.URL: http://search.yahoo.com/search?fr=spigot-adr-ffmac&ei=utf-8&ilc=12&type=997063&p= media.gmp-gmpopenh264.lastUpdate: 1412184977 media.gmp-gmpopenh264.path: /Users/mozilla/Library/Application Support/Firefox/Profiles/rug860q3.default/gmp-gmpopenh264 media.gmp-gmpopenh264.version: 1.1 media.gmp-manager.lastCheck: 1416062381 network.cookie.prefsMigrated: true places.database.lastMaintenance: 1415988990 places.history.expiration.transient_current_max_pages: 104858 plugin.disable_full_page_plugin_for_types: application/pdf plugin.importedState: true print.print_bgcolor: false print.print_bgimages: false print.print_colorspace: print.print_command: print.print_downloadfonts: false print.print_duplex: 0 print.print_evenpages: true print.print_in_color: true print.print_margin_bottom: 0.5 print.print_margin_left: 0.5 print.print_margin_right: 0.5 print.print_margin_top: 0.5 print.print_oddpages: true print.print_orientation: 0 print.print_page_delay: 50 print.print_paper_data: 0 print.print_paper_height: 11.00 print.print_paper_name: print.print_paper_size_type: 1 print.print_paper_size_unit: 0 print.print_paper_width: 8.50 print.print_plex_name: print.print_resolution: 0 print.print_resolution_name: print.print_reversed: false print.print_scaling: 1.00 print.print_shrink_to_fit: true print.print_to_file: false print.print_unwriteable_margin_bottom: 57 print.print_unwriteable_margin_left: 25 print.print_unwriteable_margin_right: 25 print.print_unwriteable_margin_top: 25 privacy.cpd.formdata: false privacy.cpd.offlineApps: true privacy.cpd.siteSettings: true privacy.sanitize.migrateFx3Prefs: true privacy.sanitize.timeSpan: 0 security.ssl.errorReporting.automatic: true security.warn_viewing_mixed: false storage.vacuum.last.index: 1 storage.vacuum.last.places.sqlite: 1415019013 Important Locked Preferences ---------------------------- JavaScript ---------- Incremental GC: true Accessibility ------------- Activated: false Prevent Accessibility: 0 Library Versions ---------------- NSPR Expected minimum version: 4.10.7 Version in use: 4.10.7 NSS Expected minimum version: 3.18 Basic ECC Beta Version in use: 3.18 Basic ECC Beta NSSSMIME Expected minimum version: 3.18 Basic ECC Beta Version in use: 3.18 Basic ECC Beta NSSSSL Expected minimum version: 3.18 Basic ECC Beta Version in use: 3.18 Basic ECC Beta NSSUTIL Expected minimum version: 3.18 Beta Version in use: 3.18 Beta Experimental Features --------------------- Name: Invisible test of the experiment branching system. ID: experiment-branch-test-nightly@experiments.mozilla.org Description: An experiment using branches just to test whether branches get saved correctly. Active: false End Date: 1409678461376 Homepage:
|
||
Comment 12•9 years ago
|
||
Still keeps crashing with Nightly 2014-11-15; Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:36.0) Gecko/20100101 Firefox/36.0; clean profile, no extensions. World readable Google Spreadsheet which causes the crash: https://docs.google.com/spreadsheets/d/146pYXq62mFvmF2c09SaD6F6Z6rlXOPFsDfcy6cNik2o/edit#gid=1919920973
|
|
Assignee | |
Comment 13•9 years ago
|
||
No need to keep adding reports here; the issue is understood and there's already a patch awaiting review. If you want to test a patched build to confirm that it fixes the issue, you can get one from http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jkew@mozilla.com-3c8dc27b2823/. What would still be helpful here, if anyone has one, is a *simple* testcase -- not a pointer to a Google spreadsheet or suchlike complex site, but a standalone page (probably involving a webfont, I suspect) that reliably reproduces the crash.
|
||
Comment 14•9 years ago
|
||
I can reproduce the crash with a saved version of the msn page. I'll start reducing it now.
|
|
Assignee | |
Comment 15•9 years ago
|
||
(In reply to Bob Clary [:bc:] from comment #14) > I can reproduce the crash with a saved version of the msn page. I'll start > reducing it now. Thanks, that's great. Ideally, I'd like to end up with something we can land as a crashtest, given that clearly none of our existing unit tests run into this issue.
|
|
||
Comment 16•9 years ago
|
||
This is making Nightly unusable for me and others. How about backing out bug 1090168?
|
|
||
Updated•9 years ago
|
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 17•9 years ago
|
||
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #16) > This is making Nightly unusable for me and others. How about backing out bug > 1090168? Sure, if it's that much of a pain then go ahead.
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 18•9 years ago
|
||
I pushed a backout to m-c that should fix this: https://hg.mozilla.org/mozilla-central/rev/a52bf59965a0
| Comment hidden (me-too) |
|
||
Updated•9 years ago
|
Attachment #8523004 -
Flags: review?(jdaggett) → review+
|
|
Assignee | |
Comment 20•9 years ago
|
||
Fixed by backing out bug 1090168. (FTR, I have now re-landed bug 1090168 on inbound -- i.e. backed out the backout -- with the crash-fix here folded in; see bug 1090168 comment 18.)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
|
||
Comment 21•9 years ago
|
||
not quite signature. bp-f7152bfa-ede0-4dfe-a999-a67f02141118 [@ gfxShapedText::IsVertical() ]
|
|
Assignee | |
Comment 22•9 years ago
|
||
Thanks for the testcase, Bob! Looking at what that script does, I was able to further reduce it, as attached; this should still reproduce the crash with an affected build.
|
|
Assignee | |
Comment 24•9 years ago
|
||
Attachment #8524812 -
Flags: review?(dbaron)
|
|
||
Comment 25•9 years ago
|
||
Comment on attachment 8524812 [details] [diff] [review] Add the minimized testcase as a crashtest. r=dbaron. Did you test that it crashes in the test harness without the patch? Probably worth doing.
Attachment #8524812 -
Flags: review?(dbaron) → review+
|
|
Assignee | |
Comment 26•9 years ago
|
||
(In reply to David Baron [:dbaron] (UTC-8) (needinfo? for questions) from comment #25) > Did you test that it crashes in the test harness without the patch? Yes, it crashes consistently (after an assertion, in debug builds) when running ./mach crashtest. https://hg.mozilla.org/integration/mozilla-inbound/rev/48966e85eec4
|
|
Reporter | |
Comment 27•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/48966e85eec4
You need to log in
before you can comment on or make changes to this bug.
Description
•