Closed Bug 1136417 Opened 7 years ago Closed 5 months ago

Self-compiled Firefox, crash when opening about:newtab. Ctrl-T -> ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error)

Categories

(Core :: Graphics, defect)

36 Branch
x86_64
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: felix-mozilla, Unassigned)

Details

(Keywords: crash, Whiteboard: gfx-noted)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2305.3 Safari/537.36

Steps to reproduce:

Compiled Firefox 36 on x86_64-linux with g++ 4.9.2.
Started Firefox.
Attempted to open a new tab (either with Ctrl-T or by clicking on the + icon).


Actual results:

[17877] ###!!! ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error); 9 requests ago: file /tmp/mozilla-release/toolkit/xre/nsX11ErrorHandler.cpp, line 157
[17877] ###!!! ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error); 9 requests ago: file /tmp/mozilla-release/toolkit/xre/nsX11ErrorHandler.cpp, line 157



Expected results:

I would have loved to open a new tab.

The timing of the X error is right at the finish line of the animation of the tab showing up. I can see this when running firefox in gdb. It looks like this happens as soon as the tab rider is animated in its final position.

What I don't get is that I used Firefox 35 up until 30 minutes ago, compiled on the same box with the same settings and compiler and X libs and it did not crash.  Surely you wouldn't ship a browser that crashed when I attempt to open a new tab!?
I compiled firefox with debug symbols.  The last call before libX11 is:

#10 0x00007ffff2486260 in gfxXlibSurface::Create (screen=0x7ffff6be4100, 
    format=0x7fffe272f0f0, size=..., relatedDrawable=relatedDrawable@entry=0)
    at /tmp/mozilla-release/gfx/thebes/gfxXlibSurface.cpp:219
219	        CreatePixmap(screen, size, format->depth, relatedDrawable);
(gdb) p screen
$1 = (Screen *) 0x7ffff6be4100
(gdb) p size
$2 = (const gfxIntSize &) @0x7fffffff7860: {<mozilla::gfx::BaseSize<int, nsIntSize>> = {width = 28, height = 28}, <No data fields>}
(gdb) p format->depth
$3 = 32
(gdb) p relatedDrawable 
$4 = 0

Not sure why this triggers an X error, the values do not appear to be overly large.
Same bug here (gcc version 4.9.3 20150218).

Opening a bookmark in a new tab works, opening an empty tab fails with:

###!!! ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error); 9 requests ago: file /mnt/md1/sources/firefox36/mozilla-release/toolkit/xre/nsX11ErrorHandler.cpp, line 157
Speicherzugriffsfehler


firefox-35.0.1 works flawlessly.
I can get rid of the bug if I change the new tab page from about:newtab to about:blank in about:config.
Severity: normal → critical
QA Whiteboard: [bugday-20150302]
Component: Untriaged → Graphics
Keywords: crash
Product: Firefox → Core
Summary: Ctrl-T -> ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error) → Self-compiled Firefox, crash when opening about:newtab. Ctrl-T -> ABORT: X_PutImage: BadLength (poly request too large or internal Xlib length error)
(In reply to felix-mozilla from comment #3)


Thanks for the workaround!
Let's see if karlt has any ideas...
Flags: needinfo?(karlt)
Whiteboard: gfx-noted
X requests are async, and so the frame in comment 1 is likely not related to the call that caused the problem.

Can you run with MOZ_X_SYNC=1 in the environment, please, and attach a stack trace of the point where the signal is raised, please?

Please also post configure arguments from about:buildconfig.
Flags: needinfo?(karlt)
When analyzing the backtrace :
(gdb) frame 13
(gdb) print *dpy
{ext_data = 0x0, free_funcs = 0x7f22c080b1a0, fd = 4, conn_checker = 0, proto_major_version = 11, proto_minor_version = 0, vendor = 0x7f22c0805740 "The X.Org Foundation", resource_base = 44040192, resource_mask = 2097151, resource_id = 0, resource_shift = 0, resource_alloc = 0x7f22c9fe7170 <_XAllocID>, byte_order = 0, bitmap_unit = 32, bitmap_pad = 32, bitmap_bit_order = 0, nformats = 7, pixmap_format = 0x7f22d104bc40, vnumber = 11, release = 11604000, head = 0x0, tail = 0x0, qlen = 0, last_request_read = 18404, request = 18411, last_req = 0x7f22ca2df780 <dummy_request> "", buffer = 0x7f22c0814000 "6 \002", bufptr = 0x7f22c0814000 "6 \002", bufmax = 0x7f22c0818000 "P\021\020\321\"\177", max_request_size = 65535, db = 0x7f22c0819760, synchandler = 0x0, display_name = 0x7f22d10843d8 ":0.0", default_screen = 0, nscreens = 1, screens = 0x7f22d1024a80, motion_buffer = 256, flags = 128, min_keycode = 8, max_keycode = 255, keysyms = 0x0, modifiermap = 0x0, keysyms_per_keycode = 0, xdefaults = 0x7f22d101fc00 "Xft.autohint:\t0\nXft.dpi:\t96\nXft.lcdfilter:\tlcddefault\nXft.hintstyle:\thintnone\nXft.rgba:\tnone\nXcursor.theme:\t\nXcursor.size:\t0\nXcursor.theme_core:\t1\n", scratch_buffer = 0x0, scratch_length = 0, ext_number = 14, ext_procs = 0x7f22a4837680, event_vec = {0x7f22c9fe8bc0 <_XUnknownWireEvent>, 0x7f22c9fe8bc0 <_XUnknownWireEvent>, 0x7f22c9fe8c00 <_XWireToEvent> <repeats 33 times>, 0x7f22ca4f6850, 0x7f22c9fe8bc0 <_XUnknownWireEvent> <repeats 28 times>, 0x7f22ca4f1480, 0x7f22ca4f2340, 0x7f22c3b03b40 <repeats 17 times>, 0x7f22ca4f3a50, 0x7f22ca4f3a50, 0x7f22ca039f20 <wire_to_event>, 0x7f22c9ba0690, 0x7f22c9ba0690, 0x7f22c38f4040, 0x7f22c38f4040, 0x7f22c9da40f0, 0x7f22c9fe8bc0 <_XUnknownWireEvent> <repeats 37 times>}, wire_vec = {0x7f22c9fe8bf0 <_XUnknownNativeEvent>, 0x7f22c9fe8bf0 <_XUnknownNativeEvent>, 0x0 <repeats 16 times>, 0x7f22c9fc9200 <_XEventToWire>, 0x0 <repeats 14 times>, 0x7f22c9fc9200 <_XEventToWire>, 0x0, 0x7f22ca4f67e0, 0x7f22c9fe8bf0 
<_XUnknownNativeEvent> <repeats 28 times>, 0x7f22ca4f13d0, 0x7f22ca4f2410, 0x7f22c3aff740 <repeats 17 times>, 0x7f22ca4f4110, 0x7f22ca4f4110, 0x7f22c9fe8bf0 <_XUnknownNativeEvent>, 0x7f22c9ba05c0, 0x7f22c9ba05c0, 0x7f22c38f3e50, 0x7f22c38f3e50, 0x7f22c9da4020, 0x7f22c9fe8bf0 <_XUnknownNativeEvent> <repeats 37 times>}, lock_meaning = 0, lock = 0x0, async_handlers = 0x0, bigreq_size = 4194303, lock_fns = 0x0, idlist_alloc = 0x7f22c9fe71c0 <_XAllocIDs>, key_bindings = 0x0, cursor_font = 44040292, atoms = 0x7f22d1086e00, mode_switch = 0, num_lock = 0, context_db = 0x0, error_vec = 0x0, cms = {defaultCCCs = 0x0, clientCmaps = 0x7f22a226c5b0 "", perVisualIntensityMaps = 0x0}, im_filters = 0x0, qfree = 0x7f22b28bf1a0, next_event_serial_num = 742, flushes = 0x0, im_fd_info = 0x0, im_fd_length = 0, conn_watchers = 0x7f22c08059c0, watcher_count = 1, filedes = 0x7f22c0802b50 "\004", savedsynchandler = 0x0, resource_max = 2097146, xcmisc_opcode = 0, xkb_info = 0x7f22d101fca0, trans_conn = 0x0, xcb = 0x7f22d1022550, next_cookie = 0, generic_event_vec = {0x0, 0x0, 0x0, 0x0, 0x7f22c3b04bc0, 0x0 <repeats 123 times>}, generic_event_copy_vec = {0x0, 0x0, 0x0, 0x0, 0x7f22c3b03110, 0x0 <repeats 123 times>}, cookiejar = 0x0}

(gdb) frame 14
(gdb) print *this
{<gfxASurface> = {_vptr.gfxASurface = 0x7f22d08716b0 <vtable for gfxXlibSurface+16>, mSurface = 0x7f22b428c900, mOpaqueRect = {mTuple = {<mozilla::detail::PairHelper<gfxRect*, mozilla::DefaultDelete<gfxRect>, (mozilla::detail::StorageType)1, (mozilla::detail::StorageType)0>> = {<mozilla::DefaultDelete<gfxRect>> = {<No data fields>}, mFirstA = 0x0}, <No data fields>}}, mFloatingRefs = 0, mBytesRecorded = 3136, mSurfaceValid = true, mAllowUseAsSource = true}, mPixmapTaken = true, mDisplay = 0x7f22c080c000, mDrawable = 44040701, mGLXPixmap = 0}

(gdb) print *mDisplay



Compiled on Gentoo, through Gentoo's firefox-36.0.1.ebuild .

USE flags used during the compilation :
[ebuild   R   ~] www-client/firefox-36.0.1  USE="dbus gmp-autoupdate gstreamer jit minimal startup-notification system-cairo system-icu system-jpeg system-sqlite -bindist -custom-cflags -custom-optimization -debug -hardened -pgo -pulseaudio (-selinux) -system-libvpx {-test} -wifi" LINGUAS="fr ja -af -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -vi -xh -zh_CN -zh_TW" 0 KiB

Output of about:buildconfig :
Build Machine
tachibana

Build platform 
target
x86_64-pc-linux-gnu

Build tools
Compiler 	Version 	Compiler flags
x86_64-pc-linux-gnu-gcc 	4.8.3 	-Wall -Wdeclaration-after-statement -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -march=corei7-avx -ggdb3 -pipe -mno-avx -std=gnu99 -fgnu89-inline -fno-strict-aliasing -fno-math-errno -pthread -pipe
x86_64-pc-linux-gnu-g++ 	4.8.3 	-Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -march=corei7-avx -ggdb3 -pipe -mno-avx -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -freorder-blocks -Os -fomit-frame-pointer

Configure arguments
--enable-application=browser --enable-optimize --disable-pedantic --disable-updater --disable-strip --disable-install-strip --disable-installer --disable-strip-libs --disable-profilelocking --enable-single-profile --disable-profilesharing --with-system-zlib --enable-pango --enable-svg --with-system-bz2 --enable-default-toolkit=cairo-gtk2 --enable-official-branding --disable-debug --disable-tests --disable-debug-symbols --enable-startup-notification --disable-necko-wifi --enable-dbus --enable-ogg --enable-wave --enable-ion --enable-yarr-jit --with-system-nspr --with-nspr-prefix=/usr --with-system-nss --with-nss-prefix=/usr --x-includes=/usr/include --x-libraries=/usr/lib64 --with-system-libevent=/usr --prefix=/usr --libdir=/usr/lib64 --enable-system-hunspell --disable-gnomevfs --disable-gnomeui --enable-gio --disable-crashreporter --with-system-png --enable-system-ffi --disable-gold --disable-gconf --enable-jemalloc --enable-replace-malloc --target=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --enable-gstreamer=1.0 --disable-pulseaudio --enable-system-cairo --enable-system-sqlite --with-system-jpeg --with-system-icu --enable-intl-api --without-system-libvpx --with-google-api-keyfile=/home/portage/portage/www-client/firefox-36.0.1/work/mozilla-release/google-api-key --disable-mailnews --with-default-mozilla-five-home=/usr/lib64/firefox --enable-extensions=default



Output of 'gcc -v' :
Using built-in specs.
COLLECT_GCC=/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.3/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/portage/portage/sys-devel/gcc-4.8.3/work/gcc-4.8.3/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/include/g++-v4 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/python --enable-objc-gc --enable-languages=c,c++,java,go,objc,obj-c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo 4.8.3 p1.1, pie-0.5.9' --enable-libstdcxx-time --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --enable-libmudflap --disable-libssp --enable-lto --with-cloog --disable-isl-version-check --enable-libsanitizer
Thread model: posix
gcc version 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9) 

Same output for g++, except for the second line :
COLLECT_GCC=/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/g++
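
The reporter's remark that a 28x28, depth-32 surface is not "overly large" can be checked against the connection limits in the `print *dpy` output above. The sketch below is an added example, not part of any comment in this bug and not code from Firefox, cairo or Xlib; it assumes ZPixmap data at 32 bits per pixel and the 24-byte core PutImage header, and its function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Connection limits copied from the `print *dpy` output (4-byte units). */
#define MAX_REQUEST_WORDS 65535u    /* max_request_size */
#define BIGREQ_WORDS      4194303u  /* bigreq_size */
#define SCANLINE_PAD_BITS 32u       /* bitmap_pad */
#define PUTIMAGE_HDR_BYTES 24u      /* fixed part of a core PutImage request */

enum fit { FITS_CORE, NEEDS_BIGREQ, TOO_LARGE, INVALID };

/* Bytes in one ZPixmap scanline, rounded up to the scanline pad. */
static uint64_t zpixmap_stride(uint16_t width, uint32_t bits_per_pixel)
{
    uint64_t bits = (uint64_t)width * bits_per_pixel;
    uint64_t padded = (bits + SCANLINE_PAD_BITS - 1) / SCANLINE_PAD_BITS
                      * SCANLINE_PAD_BITS;
    return padded / 8;
}

/* Length of a single PutImage request in 4-byte units; 0 for bad input.
 * Width and height are 16-bit on the wire, so nothing here can overflow. */
static uint64_t putimage_words(uint16_t width, uint16_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return 0;
    /* With a 32-bit pad the pixel data is already a whole number of words. */
    return (PUTIMAGE_HDR_BYTES + zpixmap_stride(width, bpp) * height) / 4;
}

/* Compare the request against the core and BIG-REQUESTS limits. */
static enum fit classify(uint16_t width, uint16_t height, uint32_t bpp)
{
    uint64_t words = putimage_words(width, height, bpp);
    if (words == 0)
        return INVALID;
    if (words <= MAX_REQUEST_WORDS)
        return FITS_CORE;
    /* A BIG-REQUESTS request carries one extra 4-byte length word. */
    return (words + 1 <= BIGREQ_WORDS) ? NEEDS_BIGREQ : TOO_LARGE;
}

int main(void)
{
    /* 28x28 at 32 bpp: the surface size from the gdb session. */
    printf("stride=%llu bytes, request=%llu words, fit=%d\n",
           (unsigned long long)zpixmap_stride(28, 32),
           (unsigned long long)putimage_words(28, 28, 32),
           (int)classify(28, 28, 32));
    return 0;
}
```

For 28x28 at 32 bpp the pixel data is 3136 bytes, the same figure as `mBytesRecorded` in the `print *this` output, and the request is 790 words against a core limit of 65535.
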
Hmm.  XFreePixmap would not generate this error, which is from PutImage, so it seems that MOZ_X_SYNC hasn't done its job of making all communication synchronous.

Was cairo compiled with xlib-xcb?
I assume prefs are not modified to enable e10s or omtc?

I suspect removing system-cairo would avoid the problem, which would point to a cairo bug.
You're right, Karl: without system-cairo it does not crash; with it, it crashes.

I'm on Gentoo with cairo-1.12.18-r1 compiled with xcb and xlib-xcb.

I can try the new unstable cairo-1.14.0-r2.
The same problem still exists with cairo-1.14.0-r2.
Indeed, just recompiling cairo-1.12.18-r1 without xlib-xcb removed the crash when opening about:newtab.
I didn't even have to recompile firefox.

So, as far as I'm concerned, this issue is resolved.

Thanks for the support.
Yes, I confirm, cairo-1.12.18-r1 without xlib-xcb removes the problem.
https://bugs.gentoo.org/show_bug.cgi?id=555600 seems to be a duplicate. The bug is currently also triggered on the URL https://www.swedbank.ee/private/credit?language=EST .
(In reply to Jaak Ristioja from comment #13)
> https://bugs.gentoo.org/show_bug.cgi?id=555600 seems to be a duplicate. The
> bug is currently also triggered on the URL
> https://www.swedbank.ee/private/credit?language=EST .

Confirmed, my self-compiled Firefox also crashes on that URL.
I'm using cairo 1.14.2 now btw, so it's not an "old cairo version" bug.
I was researching this bug to find the issue, and I noticed that my window manager of choice seemed to affect whether this occurred in Firefox 42. As a quick poll, what window manager were you using when you noticed this? And if the window manager allowed it, was compositing enabled, and using what rendering technology (XRender or OpenGL)?
It was on KDE, compositing enabled, not sure if XRender or OpenGL, I'll check...
So it crashes opening a new tab with XRender and also with OpenGL 1.2, 2.0 and 3.0.

The same firefox works well from another machine using X11 over ssh. The other machine has Gnome, if it matters.
I was using xfwm4-4.12.3 (xfce) without explicit --enable-render --enable-randr.
Does this still reproduce?
The problem is gone, cairo 1.14.6 compiled with xlib-xcb and firefox 47.0.1 do not crash on ctrl+t.

Btw. libreoffice insists on cairo without xlib-xcb.

Hi! I am closing this issue with Resolved-Worksforme based on Comment 20. If the issue is still available please feel free to reopen it.
Thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Resolution: --- → WORKSFORME