Closed Bug 1317403 Opened 3 years ago Closed 3 years ago

Crash Annotation GraphicsCriticalError: [GFX1 28]: ImageRenderer::Draw problem 0

Categories

(Core :: Graphics, defect, critical)

Tracking

RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: truber, Assigned: ethlin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

Attached file tc.html
The attached testcase causes a GraphicsCriticalError crash in m-c version 458c900dd4ef

Crash Annotation GraphicsCriticalError: |[0][GFX1 28]: ImageRenderer::Draw problem 0 (t=3.49522) [GFX1 28]: ImageRenderer::Draw problem 0
ASAN:DEADLYSIGNAL
=================================================================
==32271==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f51b4084ad2 bp 0x7ffc77e280d0 sp 0x7ffc77e280b0 T0)
    #0 0x7f51b4084ad1 in CrashTelemetryEvent src/gfx/thebes/gfxPlatform.cpp:368:69
    #1 0x7f51b4084ad1 in CrashStatsLogForwarder::CrashAction(mozilla::gfx::LogReason) src/gfx/thebes/gfxPlatform.cpp:401
    #2 0x7f51b3a84164 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() src/gfx/2d/Logging.h:278:7
    #3 0x7f51b881f4e6 in ~Log src/obj-firefox/dist/include/mozilla/gfx/Logging.h:270:5
    #4 0x7f51b881f4e6 in nsImageRenderer::Draw(nsPresContext*, nsRenderingContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&) src/layout/base/nsCSSRendering.cpp:5443
    #5 0x7f51b87fda3a in DrawBackground src/layout/base/nsCSSRendering.cpp:5574:10
    #6 0x7f51b87fda3a in nsCSSRendering::PaintBackgroundWithSC(nsCSSRendering::PaintBGParams const&, nsStyleContext*, nsStyleBorder const&) src/layout/base/nsCSSRendering.cpp:3253
    #7 0x7f51b8ea9e90 in PaintMaskSurface(nsSVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, nsStyleContext*, nsTArray<nsSVGMaskFrame*> const&, gfxMatrix const&, nsPoint const&) src/layout/svg/nsSVGIntegrationUtils.cpp:501:9
    #8 0x7f51b8eab572 in CreateAndPaintMaskSurface src/layout/svg/nsSVGIntegrationUtils.cpp:562:23
    #9 0x7f51b8eab572 in nsSVGIntegrationUtils::PaintMaskAndClipPath(nsSVGIntegrationUtils::PaintFramesParams const&) src/layout/svg/nsSVGIntegrationUtils.cpp:814
    #10 0x7f51b88d005c in nsDisplayMask::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) src/layout/base/nsDisplayList.cpp:7234:5
    #11 0x7f51b87220d6 in PaintInactiveLayer src/layout/base/FrameLayerBuilder.cpp:3744:5
    #12 0x7f51b87220d6 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) src/layout/base/FrameLayerBuilder.cpp:5913
    #13 0x7f51b8725151 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/base/FrameLayerBuilder.cpp:6102:5
    #14 0x7f51b3e559b5 in mozilla::layers::ClientPaintedLayer::PaintThebes() src/gfx/layers/client/ClientPaintedLayer.cpp:83:5
    #15 0x7f51b3e564fc in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:137:3
    #16 0x7f51b3e6036b in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:62:7
    #17 0x7f51b3e6036b in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:62:7
    #18 0x7f51b3e50733 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:314:7
    #19 0x7f51b3e50ef7 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:367:3
    #20 0x7f51b8872734 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) src/layout/base/nsDisplayList.cpp:1989:3
    #21 0x7f51b8927739 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3650:7
    #22 0x7f51b89a897f in PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/nsPresShell.cpp:6387:5
    #23 0x7f51b7f5eb67 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:484:7
    #24 0x7f51b7f5e147 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:415:9
    #25 0x7f51b7f616dd in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1118:5
    #26 0x7f51b86a0431 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2012:7
    #27 0x7f51b86ab0c0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:295:7
    #28 0x7f51b86aad48 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #29 0x7f51b86ad33e in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByValue<mozilla::TimeStamp> , 0> src/obj-firefox/dist/include/nsThreadUtils.h:775:12
    #30 0x7f51b86ad33e in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> src/obj-firefox/dist/include/nsThreadUtils.h:781
    #31 0x7f51b86ad33e in mozilla::detail::RunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:810
    #32 0x7f51b1ba03bb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1216:7
Attached patch check rect size
The empty rect will get an invalid drawtarget. Check the rect size before creating drawtarget.
Attachment #8810693 - Flags: review?(mstange)
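The failure mode and the guard described in the comment above, as a simplified model. This is an added example, not the patch attached to this bug and not Gecko code; `Rect`, `DrawTarget`, `CreateDrawTarget`, `DrawUnchecked`, `DrawChecked` and `gCriticalLog` are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; these are not Gecko types.
struct Rect {
  int x, y, width, height;
  bool IsEmpty() const { return width <= 0 || height <= 0; }
};
struct DrawTarget {
  int width, height;
  std::vector<unsigned char> pixels;  // 4 bytes per pixel
};
enum class DrawResult { Success, CriticalError };

// Stands in for the critical-error log; in the bug, an entry there leads to a crash.
std::vector<std::string> gCriticalLog;

// Factory that cannot produce a zero-area surface and returns null instead.
std::unique_ptr<DrawTarget> CreateDrawTarget(const Rect& r) {
  if (r.IsEmpty()) return nullptr;
  size_t bytes = static_cast<size_t>(r.width) * static_cast<size_t>(r.height) * 4;
  return std::unique_ptr<DrawTarget>(
      new DrawTarget{r.width, r.height, std::vector<unsigned char>(bytes, 0)});
}

// Before: an empty rect reaches the factory and the null result is a critical error.
DrawResult DrawUnchecked(const Rect& r) {
  std::unique_ptr<DrawTarget> dt = CreateDrawTarget(r);
  if (!dt) {
    gCriticalLog.push_back("Draw problem: invalid draw target");
    return DrawResult::CriticalError;
  }
  dt->pixels[0] = 0xff;  // stand-in for the real painting
  return DrawResult::Success;
}

// After: an empty rect means there is nothing to paint, which is not an error.
DrawResult DrawChecked(const Rect& r) {
  if (r.IsEmpty()) return DrawResult::Success;
  return DrawUnchecked(r);
}

int main() {
  Rect empty{0, 0, 0, 10};  // constructed sample input: zero width
  std::printf("unchecked: %d\n", static_cast<int>(DrawUnchecked(empty)));
  std::printf("checked:   %d\n", static_cast<int>(DrawChecked(empty)));
  return 0;
}
```

The guard keeps web-content-controlled geometry from reaching a code path whose only failure handling is a critical log entry.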
Comment on attachment 8810693
check rect size

Please add a crashtest. (I'm assuming crashtests fail when they hit a gfxDevCrash - do they?)
Attachment #8810693 - Flags: review?(mstange) → review+
Attached patch add crashtest
Add crashtest for the bug. gfxDevCrash will MOZ_CRASH on nightly and dev edition in non-debug build.
Attachment #8810699 - Flags: review?(mstange)
Comment on attachment 8810699
add crashtest

Review of attachment 8810699:
-----------------------------------------------------------------

Thanks!
Attachment #8810699 - Flags: review?(mstange) → review+
Assignee: nobody → ethlin
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2cafc11ef680
Check if draw rect is empty before creating drawtarget. r=mstange
https://hg.mozilla.org/integration/mozilla-inbound/rev/2a4bb548ea79
Add crashtest. r=mstange
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/2cafc11ef680
https://hg.mozilla.org/mozilla-central/rev/2a4bb548ea79
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Please request Aurora approval on this when you get a chance.
Flags: needinfo?(ethlin)
Flags: in-testsuite+
Comment on attachment 8810693
check rect size

Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: browser may crash when users visit certain web pages.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: 
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: The patch just does some error handling.
[String changes made/needed]: none
Flags: needinfo?(ethlin)
Attachment #8810693 - Flags: approval-mozilla-aurora?
Comment on attachment 8810693
check rect size

crash fix, beta52+
Attachment #8810693 - Flags: approval-mozilla-aurora? → approval-mozilla-beta+