Closed Bug 1255653 Opened 8 years ago Closed 2 years ago

Intermittent open-url-base-inserted-after-open.htm | application crashed [@ 0x0][@ general_composite_rect][@ _moz_pixman_image_composite32]

Categories

(Core :: Graphics, defect, P3)

Unspecified
Linux
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox48 --- wontfix

People

(Reporter: RyanVM, Unassigned)

Details

(Keywords: crash, intermittent-failure, Whiteboard: gfx-noted)

https://treeherder.mozilla.org/logviewer.html#?job_id=23476870&repo=mozilla-inbound

23:31:46     INFO - PROCESS-CRASH | /XMLHttpRequest/open-url-base-inserted-after-open.htm | application crashed [@ 0x0]
23:31:46     INFO - Crash dump filename: /tmp/tmp8KUHRK.mozrunner/minidumps/0e324086-5b62-5473-1fdf4083-1617d342.dmp
23:31:46     INFO - Operating system: Linux
23:31:46     INFO -                   0.0.0 Linux 3.13.0-79-generic #123-Ubuntu SMP Fri Feb 19 14:27:58 UTC 2016 x86_64
23:31:46     INFO - CPU: amd64
23:31:46     INFO -      family 6 model 62 stepping 4
23:31:46     INFO -      4 CPUs
23:31:46     INFO - 
23:31:46     INFO - Crash reason:  SIGSEGV
23:31:46     INFO - Crash address: 0x0
23:31:46     INFO - 
23:31:46     INFO - Thread 31 (crashed)
23:31:46     INFO -  0  0x0
23:31:46     INFO -     rbx = 0x0000000000000001   r12 = 0x00007f5f1493662e
23:31:46     INFO -     r13 = 0x00007f5ef0ef19b0   r14 = 0x00007f5ef0ef1960
23:31:46     INFO -     r15 = 0x00007f5ef0ef1910   rip = 0x0000000000000000
23:31:46     INFO -     rsp = 0x00007f5ef0ef1858   rbp = 0x00007f5ef0ef79e0
23:31:46     INFO -     Found by: given as instruction pointer in context
23:31:46     INFO -  1  libxul.so!general_composite_rect [pixman-general.c:1586849fc1b6 : 210 + 0x5]
23:31:46     INFO -     rip = 0x00007f5f1493133b   rsp = 0x00007f5ef0ef1860
23:31:46     INFO -     rbp = 0x00007f5ef0ef79e0
23:31:46     INFO -     Found by: stack scanning
23:31:46     INFO -  2  libxul.so!_moz_pixman_image_composite32 [pixman.c:1586849fc1b6 : 707 + 0x5]
23:31:46     INFO -     rbx = 0x00007f5ef0ef7a58   r12 = 0x00007f5eee321240
23:31:46     INFO -     r13 = 0x00007f5eee320cf0   r14 = 0x0000000020028888
23:31:46     INFO -     r15 = 0x0000000000040000   rip = 0x00007f5f14956b72
23:31:46     INFO -     rsp = 0x00007f5ef0ef79f0   rbp = 0x00007f5ef0ef7ae0
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  3  libxul.so!_composite_mask [cairo-image-surface.c:1586849fc1b6 : 3374 + 0x70]
23:31:46     INFO -     rbx = 0x00007f5eee321240   r12 = 0x00007f5eeafecab0
23:31:46     INFO -     r13 = 0x0000000000000235   r14 = 0x0000000000000027
23:31:46     INFO -     r15 = 0x0000000000000235   rip = 0x00007f5f148cd9f7
23:31:46     INFO -     rsp = 0x00007f5ef0ef7af0   rbp = 0x00007f5ef0ef7b90
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  4  libxul.so!_clip_and_composite [cairo-image-surface.c:1586849fc1b6 : 2346 + 0x29]
23:31:46     INFO -     rbx = 0x00007f5ef0ef7cdc   r12 = 0x00007f5ee04cdef0
23:31:46     INFO -     r13 = 0x0000000000000002   r14 = 0x00007f5ef0ef7df0
23:31:46     INFO -     r15 = 0x0000000000000000   rip = 0x00007f5f148cbe6b
23:31:46     INFO -     rsp = 0x00007f5ef0ef7ba0   rbp = 0x00007f5ef0ef7c80
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  5  libxul.so!_cairo_image_surface_mask [cairo-image-surface.c:1586849fc1b6 : 3425 + 0x24]
23:31:46     INFO -     rbx = 0x00007f5ef0ef7cb8   r12 = 0x00007f5ee04cdef0
23:31:46     INFO -     r13 = 0x0000000000000002   r14 = 0x00007f5ef0ef7df0
23:31:46     INFO -     r15 = 0x00007f5ef0ef7ee8   rip = 0x00007f5f148cc39a
23:31:46     INFO -     rsp = 0x00007f5ef0ef7c90   rbp = 0x00007f5ef0ef7d50
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  6  libxul.so!_cairo_surface_mask [cairo-surface.c:1586849fc1b6 : 2168 + 0x10]
23:31:46     INFO -     rbx = 0x00007f5ee04cdef0   r12 = 0x0000000000000002
23:31:46     INFO -     r13 = 0x00007f5ef0ef7df0   r14 = 0x00007f5ef0ef7ee8
23:31:46     INFO -     r15 = 0x00007f5ef0ef7db8   rip = 0x00007f5f148e9ccb
23:31:46     INFO -     rsp = 0x00007f5ef0ef7d60   rbp = 0x00007f5ef0ef7d90
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  7  libxul.so!_cairo_gstate_mask [cairo-gstate.c:1586849fc1b6 : 1124 + 0x2e]
23:31:46     INFO -     rbx = 0x00007f5ee0328120   r12 = 0x00007f5ef0ef7df0
23:31:46     INFO -     r13 = 0x00007f5ef0ef8048   r14 = 0x0000000000000002
23:31:46     INFO -     r15 = 0x00007f5efe62d000   rip = 0x00007f5f148cefb1
23:31:46     INFO -     rsp = 0x00007f5ef0ef7da0   rbp = 0x00007f5ef0ef8000
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  8  libxul.so!_moz_cairo_paint_with_alpha [cairo.c:1586849fc1b6 : 2292 + 0xf]
23:31:46     INFO -     rbx = 0x00007f5ee1dd4000   r12 = 0x00007f5eeb1f6c00
23:31:46     INFO -     r13 = 0x00007f5ef0ef8b28   r14 = 0x00007f5ef0ef8580
23:31:46     INFO -     r15 = 0x00007f5efe62d000   rip = 0x00007f5f148ebfe4
23:31:46     INFO -     rsp = 0x00007f5ef0ef8010   rbp = 0x00007f5ef0ef80f0
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO -  9  libxul.so!mozilla::gfx::DrawTargetCairo::DrawPattern(mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::DrawTargetCairo::DrawPatternType, bool) [DrawTargetCairo.cpp:1586849fc1b6 : 994 + 0xb]
23:31:46     INFO -     rbx = 0x00007f5eea57a240   r12 = 0x00007f5eeb1f6c00
23:31:46     INFO -     r13 = 0x00007f5ef0ef8b28   r14 = 0x00007f5ef0ef8580
23:31:46     INFO -     r15 = 0x00007f5efe62d000   rip = 0x00007f5f12cc8d0a
23:31:46     INFO -     rsp = 0x00007f5ef0ef8100   rbp = 0x00007f5ef0ef82e0
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO - 10  libxul.so!mozilla::gfx::DrawTargetCairo::FillRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) [DrawTargetCairo.cpp:1586849fc1b6 : 1059 + 0x4]
23:31:46     INFO -     rbx = 0x00007f5eea57a240   r12 = 0x0000000000000000
23:31:46     INFO -     r13 = 0x00007f5ef0ef8580   r14 = 0x00007f5ef0ef8b28
23:31:46     INFO -     r15 = 0x00007f5efe62d060   rip = 0x00007f5f12cdf26a
23:31:46     INFO -     rsp = 0x00007f5ef0ef82f0   rbp = 0x00007f5ef0ef84e0
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO - 11  libxul.so!mozilla::layers::FillRectWithMask(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::Filter, mozilla::gfx::DrawOptions const&, mozilla::gfx::ExtendMode, mozilla::gfx::SourceSurface*, mozilla::gfx::Matrix const*, mozilla::gfx::Matrix const*) [BasicLayersImpl.cpp:1586849fc1b6 : 149 + 0x12]
23:31:46     INFO -     rbx = 0x00007f5eea57a240   r12 = 0x00007f5ef0ef9d68
23:31:46     INFO -     r13 = 0x00007f5ee0870e01   r14 = 0x0000000000000000
23:31:46     INFO -     r15 = 0x00007f5efe62d060   rip = 0x00007f5f12d8c779
23:31:46     INFO -     rsp = 0x00007f5ef0ef84f0   rbp = 0x00007f5ef0ef85f0
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO - 12  libxul.so!mozilla::layers::DrawSurfaceWithTextureCoords [BasicCompositor.cpp:1586849fc1b6 : 254 + 0x27]
23:31:46     INFO -     rbx = 0x00007f5efe62d060   r12 = 0x00007f5ef0ef9d68
23:31:46     INFO -     r13 = 0x00007f5ee0870edc   r14 = 0x0000000000000001
23:31:46     INFO -     r15 = 0x00007f5ef0ef8b28   rip = 0x00007f5f12d7c643
23:31:46     INFO -     rsp = 0x00007f5ef0ef8600   rbp = 0x00007f5ef0ef8860
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO - 13  libxul.so!mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) [BasicCompositor.cpp:1586849fc1b6 : 496 + 0x37]
23:31:46     INFO -     rbx = 0x00007f5ef0ef9d68   r12 = 0x00007f5eea53dd58
23:31:46     INFO -     r13 = 0x00007f5ee0870ec0   r14 = 0x0000000000000000
23:31:46     INFO -     r15 = 0x0000000000000000   rip = 0x00007f5f12d85870
23:31:46     INFO -     rsp = 0x00007f5ef0ef8870   rbp = 0x00007f5ef0ef9c70
23:31:46     INFO -     Found by: call frame info
23:31:46     INFO - 14  libxul.so!NS_LogRelease [nsTraceRefcnt.cpp:1586849fc1b6 : 1141 + 0x4]
23:31:46     INFO -     rip = 0x00007f5f12485dfa   rsp = 0x00007f5ef0ef8890
23:31:46     INFO -     rbp = 0x00007f5ef0ef9c70
23:31:46     INFO -     Found by: stack scanning
23:31:46     INFO - 15  libxul.so!mozilla::gfx::DrawTargetCairo::SetTransform(mozilla::gfx::Matrix const&) [DrawTargetCairo.cpp:1586849fc1b6 : 1913 + 0xd]
23:31:46     INFO -     rip = 0x00007f5f12cbb130   rsp = 0x00007f5ef0ef88b0
23:31:46     INFO -     rbp = 0x00007f5ef0ef9c70
23:31:46     INFO -     Found by: stack scanning
Eep. More XRender sadness?
Flags: needinfo?(lsalzman)
Whiteboard: gfx-noted
It looks like mask_iter.get_scanline here is null: https://dxr.mozilla.org/mozilla-central/source/gfx/cairo/libpixman/src/pixman-general.c#210

The only reason that should occur is if general_src_iter_init hit the _pixman_log_error lines here: https://dxr.mozilla.org/mozilla-central/source/gfx/cairo/libpixman/src/pixman-general.c#41

But I don't see those errors showing up in the logs anywhere, which could either mean those errors are not being generated, or they are but just not getting to the log for some reason or another...

So, if we assume the latter, then I am not sure why we'd have ended up handing Cairo a mask type that is not one of those, and SOLID should be handled by noop_src_iter_init here as stated in general_src_iter_init: https://dxr.mozilla.org/mozilla-central/source/gfx/cairo/libpixman/src/pixman-noop.c#79

But in those cases, get_scanline will not get set. Upstream pixman does not seem to set get_scanline in that case either. So to patch that would require an invasive fix that would not work if people used system pixman.

So it seems more likely we're handing pixman a garbage mask somehow. The stack trace is cut off too short to tell me more about how that could occur or why. It would be better if we could know why the garbage mask is getting in there so we could avoid doing it, so regardless of whether tree or system pixman is used it would end up fixed.

I'm not having any luck reproducing this one locally, so let's wait for a few more reports to roll in and see if the situation clarifies somehow. Worst case scenario if we don't get any better info we can make a patch to fill in get_scanline with get_scanline_null to silence the crash, but it wouldn't really address the cause.
Flags: needinfo?(lsalzman)
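
The failure mode discussed in the comment above, as an added example that is not part of the bug report and is not pixman's code: an iterator whose init rejects an unsupported image type leaves its get_scanline pointer NULL, so an unguarded call through it faults at address 0x0, and a null getter silences that without explaining where the bad mask came from. All names here are hypothetical stand-ins, and 0x7f is a constructed invalid type.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; all names are hypothetical, not pixman's real API. */
enum { IMG_BITS = 0 };                  /* the only type this model supports */
typedef struct iter iter_t;
struct iter {
    uint32_t *buffer;
    size_t    width;
    uint32_t *(*get_scanline)(iter_t *); /* stays NULL if init rejects the image */
};

static uint32_t *get_scanline_bits(iter_t *it)
{
    for (size_t i = 0; i < it->width; i++) it->buffer[i] = 0xff00ff00u;
    return it->buffer;
}

/* Fallback getter: returns the buffer untouched, so callers never jump to 0. */
static uint32_t *get_scanline_null(iter_t *it) { return it->buffer; }

/* Returns 0 on success, -1 for an unsupported (e.g. garbage) image type. */
int iter_init(iter_t *it, int type, uint32_t *buf, size_t width, int harden)
{
    memset(it, 0, sizeof *it);
    it->buffer = buf; it->width = width;
    if (type == IMG_BITS) { it->get_scanline = get_scanline_bits; return 0; }
    fprintf(stderr, "iter_init: unsupported image type %d\n", type);
    if (harden) it->get_scanline = get_scanline_null; /* silences, does not fix */
    return -1;
}

/* Copies one mask row into dst; -1 means the iterator was never set up. */
int composite_row(iter_t *mask, uint32_t *dst)
{
    if (mask->get_scanline == NULL) return -1; /* unguarded: call through NULL */
    uint32_t *m = mask->get_scanline(mask);
    memcpy(dst, m, mask->width * sizeof *dst);
    return 0;
}

int main(void)
{
    uint32_t buf[4] = {0}, dst[4] = {0};
    iter_t it;
    iter_init(&it, 0x7f, buf, 4, 1);       /* 0x7f: constructed garbage type */
    return composite_row(&it, dst);        /* 0: hardened path survives */
}
```

In both variants iter_init still returns -1 and logs the rejected type, which is the signal needed to trace how the invalid mask reached the compositor.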
Bulk assigning P3 to all open intermittent bugs without a priority set in Firefox components per bug 1298978.
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME