1100448 - crash in DCFromDrawTarget::DCFromDrawTarget(mozilla::gfx::DrawTarget&)

Status: VERIFIED FIXED

(Core :: Graphics: Text, defect)

Description

[juan becerra [:juanb]]

[Tracking Requested - why for this release]: new topcrash in Fx36

This bug was filed from the Socorro interface and is 
report bp-dedcd65c-0436-4932-8a13-153832141112.
=============================================================

This is a recent signature from around 11/12, but it had a spike last week and it is now at #5 in the top crashers list, it's also showing up in the list of explosive reports. This is mostly being reported on Windows 7, but all Windows flavors are affected. There are several comments in the reports, and a few mention going to YouTube and experiencing a crash all of the sudden.

You can see more reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=DCFromDrawTarget%3A%3ADCFromDrawTarget%28mozilla%3A%3Agfx%3A%3ADrawTarget%26%29

Frame 	Module 	Signature 	Source
0 	xul.dll 	DCFromDrawTarget::DCFromDrawTarget(mozilla::gfx::DrawTarget&) 	gfx/thebes/gfxWindowsPlatform.cpp
1 	xul.dll 	gfxGDIFont::GetGlyphWidth(mozilla::gfx::DrawTarget&, unsigned short) 	gfx/thebes/gfxGDIFont.cpp
2 	xul.dll 	gfxHarfBuzzShaper::HBGetGlyphHAdvance(hb_font_t*, void*, unsigned int, void*) 	gfx/thebes/gfxHarfBuzzShaper.cpp
3 	xul.dll 	hb_ot_shape_internal 	gfx/harfbuzz/src/hb-ot-shape.cc
4 	xul.dll 	hb_shape_plan_execute 	gfx/harfbuzz/src/hb-shaper-list.hh
5 	xul.dll 	hb_shape 	gfx/harfbuzz/src/hb-shape.cc
6 	xul.dll 	gfxHarfBuzzShaper::ShapeText(gfxContext*, wchar_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*) 	gfx/thebes/gfxHarfBuzzShaper.cpp
7 	xul.dll 	gfxGDIFont::ShapeText(gfxContext*, wchar_t const*, unsigned int, unsigned int, int, bool, gfxShapedText*) 	gfx/thebes/gfxGDIFont.cpp
8 	xul.dll 	gfxFont::GetShapedWord<wchar_t>(gfxContext*, wchar_t const*, unsigned int, unsigned int, int, bool, int, unsigned int, gfxTextPerfMetrics*) 	gfx/thebes/gfxFont.cpp
9 	xul.dll 	gfxFont::SplitAndInitTextRun<wchar_t>(gfxContext*, gfxTextRun*, wchar_t const*, unsigned int, unsigned int, int, bool) 	gfx/thebes/gfxFont.cpp
10 	xul.dll 	gfxFontGroup::InitScriptRun<wchar_t>(gfxContext*, gfxTextRun*, wchar_t const*, unsigned int, unsigned int, int) 	gfx/thebes/gfxTextRun.cpp
11 	xul.dll 	gfxFontGroup::InitTextRun<wchar_t>(gfxContext*, gfxTextRun*, wchar_t const*, unsigned int) 	gfx/thebes/gfxTextRun.cpp
12 	xul.dll 	gfxFontGroup::MakeTextRun(wchar_t const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) 	gfx/thebes/gfxTextRun.cpp
13 	xul.dll 	nsFontMetrics::GetWidth(wchar_t const*, unsigned int, nsRenderingContext*) 	gfx/src/nsFontMetrics.cpp
14 	xul.dll 	nsLayoutUtils::AppUnitWidthOfString(wchar_t const*, unsigned int, nsFontMetrics&, nsRenderingContext&) 	layout/base/nsLayoutUtils.cpp
15 	xul.dll 	nsLayoutUtils::AppUnitWidthOfStringBidi(wchar_t const*, unsigned int, nsIFrame const*, nsFontMetrics&, nsRenderingContext&) 	layout/base/nsLayoutUtils.cpp
16 	xul.dll 	nsImageFrame::MeasureString(wchar_t const*, int, int, unsigned int&, nsRenderingContext&, nsFontMetrics&) 	layout/generic/nsImageFrame.cpp
17 	xul.dll 	nsImageFrame::DisplayAltText(nsPresContext*, nsRenderingContext&, nsString const&, nsRect const&) 	layout/generic/nsImageFrame.cpp
18 	xul.dll 	nsImageFrame::DisplayAltFeedback(nsRenderingContext&, nsRect const&, imgIRequest*, nsPoint) 	layout/generic/nsImageFrame.cpp
19 	xul.dll 	nsDisplayAltFeedback::Paint(nsDisplayListBuilder*, nsRenderingContext*) 	layout/generic/nsImageFrame.cpp
20 	xul.dll 	mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) 	layout/base/FrameLayerBuilder.cpp
21 	xul.dll 	mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) 	layout/base/FrameLayerBuilder.cpp
22 	xul.dll 	mozilla::layers::ClientPaintedLayer::PaintThebes() 	gfx/layers/client/ClientPaintedLayer.cpp
23 	xul.dll 	mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) 	gfx/layers/client/ClientPaintedLayer.cpp
24 	xul.dll 	mozilla::layers::ClientContainerLayer::RenderLayer() 	gfx/layers/client/ClientContainerLayer.h
25 	xul.dll 	mozilla::layers::ClientContainerLayer::RenderLayer() 	gfx/layers/client/ClientContainerLayer.h
26 	xul.dll 	mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/client/ClientLayerManager.cpp
27 	xul.dll 	mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/client/ClientLayerManager.cpp
28 	xul.dll 	nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) 	layout/base/nsDisplayList.cpp
29 	xul.dll 	nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) 	layout/base/nsLayoutUtils.cpp
30 	xul.dll 	PresShell::Paint(nsView*, nsRegion const&, unsigned int) 	layout/base/nsPresShell.cpp
31 	xul.dll 	nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) 	view/nsViewManager.cpp
32 	xul.dll 	nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) 	view/nsViewManager.cpp
33 	xul.dll 	nsViewManager::ProcessPendingUpdates() 	view/nsViewManager.cpp
34 	xul.dll 	nsRefreshDriver::Tick(__int64, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
35 	xul.dll 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp
36 	xul.dll 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
37 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
38 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
39 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
40 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
41 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
42 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
43 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
44 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
45 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
46 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
47 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
48 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
49 	firefox.exe 	NS_internal_main(int, char**) 	browser/app/nsBrowserApp.cpp
50 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
51 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt/crtw32/startup/crt0.c:255
52 	kernel32.dll 	BaseThreadInitThunk 	
Ø 53 	ntdll.dll 	ntdll.dll@0x54408 	
54 	kernel32.dll 	SetFileAttributesW 	
55 		@0x17fffffff 	
Ø 56 	KERNELBASE.dll 	KERNELBASE.dll@0x9cd47

Comment 1

[(Away)]

Null surf in DCFromDrawTarget.

Initial build of 20141112030202 points to:
Bug 1093806 - Convert DCFromContext to DCFromDrawTarget. r=Bas 

I see very few crashes in DCFromContext before the conversion, so I assume this is a new crash rather than a changed signature.

Comment 2

[Sylvestre Ledru [:Sylvestre]]

Top crash, tracking.

Comment 3

[Jonathan Watt [:jwatt]]

Attachment: patch

I've not managed to reproduce this, even with D2D disabled. It seems though that the GetNativeSurface(NativeSurfaceType::CAIRO_SURFACE) call must be returning null for some reason. This patch changes the code to check for that just as gfxContext::CurrentSurface (the function we used to call) does.

Comment 4

[Jonathan Watt [:jwatt]]

Attachment: patch

Comment 5

[Jonathan Watt [:jwatt]]

Comment on attachment 8526726 [details] [diff] [review]
patch

https://hg.mozilla.org/integration/mozilla-inbound/rev/e5326d6771d3

Comment 6

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/e5326d6771d3

Comment 7

[[SV Manager] Florin Mezei, QA (:FlorinMezei)]

Socorro [1] shows zero crashes in Firefox 36 (builds after November 20th) or other versions.

[1] - https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=DCFromDrawTarget%3A%3ADCFromDrawTarget%28mozilla%3A%3Agfx%3A%3ADrawTarget%26%29#tab-reports.