Closed Bug 320430 Opened 19 years ago Closed 3 years ago

Blue Screen triggered under [@ nsNativeThemeWin::DrawWidgetBackground]

Categories

(Core :: Widget: Win32, defect)

Product:
Core
Component:
Widget: Win32
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

References

Details

(Keywords: crash, Whiteboard: tpi:-)

Crash Data

Attachments

(1 file)

summary:"That's a \"unusual\" issue"
36 bytes, patch
Details | Diff | Splinter Review
yes, i know this is an os problem. i'm posting it here to enable me to track it. internal vendor build id: 1744. gecko branch: 1.8 kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fe87c790, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 804e70d5, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ READ_ADDRESS: fe87c790 FAULTING_IP: nt!MiLocateAndReserveWsle+52 804e70d5 8b0490 mov eax,[eax+edx*4] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x50 LAST_CONTROL_TRANSFER: from bf83a167 to 804d9da8 TRAP_FRAME: b3b1d100 -- (.trap ffffffffb3b1d100) ErrCode = 00000002 eax=e28514c8 ebx=bceb61b8 ecx=00000013 edx=00000000 esi=e285147c edi=bceb61b8 eip=804d9da8 esp=b3b1d174 ebp=b3b1d17c iopl=0 nv up ei pl nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 nt!memmove+0x33: 804d9da8 f3a5 rep movsd ds:e285147c=00eeede5 es:bceb61b8=00000000 Resetting default scope STACK_TEXT: b3b1d17c bf83a167 bceb61b8 e285147c 0000004c nt!memmove+0x33 b3b1d1a0 bf839e20 0000003a b3b1d73c b3b1d430 win32k!vSrcCopyS32D32Identity+0x5b b3b1d3b4 bf81768b e283a018 00000000 00000000 win32k!EngCopyBits+0x51a b3b1d3f4 bf817bd2 e2688010 e2843010 00000000 win32k!SURFREFAPI::SURFREFAPI+0x149 b3b1d480 bf81797a e283a018 e2688010 00000000 win32k!SURFREFAPI::SURFREFAPI+0x37a b3b1d4e0 bf817ea6 e283a018 e2688010 00000000 win32k!EngNineGrid+0x6e b3b1d53c bf818300 e283a018 e2688010 00000000 win32k!EngDrawStream+0xc5 b3b1d5a0 bf8186e7 b3b1d6c4 00000000 e2688000 win32k!NtGdiDrawStreamInternal+0x1ff b3b1d6c8 bf817f8b 090113c6 00000000 00000000 win32k!GreDrawStream+0x4ff b3b1d810 804de7ec 090113c6 00000060 0012d578 win32k!NtGdiDrawStream+0x9f b3b1d810 7c90eb94 090113c6 00000060 0012d578 nt!KiFastCallEntry+0xf8 0012d3ec 77f16c25 77f16c0f 090113c6 00000060 ntdll!KiFastSystemCallRet 0012d4f4 5ad72b54 090113c6 00000060 0012d578 GDI32!NtGdiDrawStream+0xc 0012d770 5ad728d4 009ba2bc 009b6c6c 00000001 uxtheme!CImageFile::DrawBackgroundDS+0x3ac 0012d7e8 5ad7278c 009ba2bc 00289200 090113c6 uxtheme!CImageFile::DrawImageInfo+0x1be 0012d838 5ad72cd8 00289200 090113c6 00000001 uxtheme!CImageFile::DrawBackground+0x45 0012d894 00d53ac2 00289200 090113c6 00000006 uxtheme!DrawThemeBackground+0x102 0012d910 00d95dab 01db1408 0a657590 0af9c5b4 gkgfxwin!nsNativeThemeWin::DrawWidgetBackground+0x132 [c:\build\chs3\build\mozilla\gfx\src\windows\nsnativethemewin.cpp @ 716] 0012d9e4 00d96349 0b00d7a8 0a657590 0af9c5b4 gklayout!nsCSSRendering::PaintBackgroundWithSC+0x86 [c:\build\chs3\build\mozilla\layout\base\nscssrendering.cpp @ 2825] 0012da38 00da2fef 0b00d7a8 0a657590 0af9c5b4 gklayout!nsCSSRendering::PaintBackground+0x82 [c:\build\chs3\build\mozilla\layout\base\nscssrendering.cpp @ 2748] 0012da8c 00e33a8b 0b00d7a8 0a657590 0012db28 gklayout!nsFrame::PaintSelf+0x97 [c:\build\chs3\build\mozilla\layout\generic\nsframe.cpp @ 947] 0012dab4 00d865c5 0af9c5b4 0b00d7a8 0a657590 gklayout!nsBoxFrame::Paint+0x41 [c:\build\chs3\build\mozilla\layout\xul\base\src\nsboxframe.cpp @ 1415] 0012dae4 00ebdd39 00000000 08142730 0a657590 gklayout!PresShell::Paint+0x4d [c:\build\chs3\build\mozilla\layout\base\nspresshell.cpp @ 5806] 0012db00 00eb8da2 0b014a28 0a657590 0012db28 gklayout!nsView::Paint+0x3e [c:\build\chs3\build\mozilla\view\src\nsview.cpp @ 316] 0012db48 00ebc0ec 0b476c58 0a657590 0b00dfe0 gklayout!nsViewManager::RenderDisplayListElement+0x78 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 1460] 0012dbf0 00ebc922 09d36b70 0a657590 0012dc74 gklayout!nsViewManager::RenderViews+0x156 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 1375] 0012dcfc 00ebcc65 0b00e060 0a657590 09bb24c0 gklayout!nsViewManager::Refresh+0x328 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 930] 0012dd68 00ebdc0e 00000000 0b00e060 09bb24c0 gklayout!nsViewManager::DispatchEvent+0x203 [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 2047] 0012dd84 0100518b 0012de18 00000000 0012de54 gklayout!HandleEvent+0x27 [c:\build\chs3\build\mozilla\view\src\nsview.cpp @ 174] 0012dd98 01001e48 0b00e0dc 0012de18 0012de54 gkwidget!nsWindow::DispatchEvent+0x35 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1253] 0012ddac 0100764a 0012de18 0012de54 00000001 gkwidget!nsWindow::DispatchWindowEvent+0x16 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1279] 0012de74 010088f9 00000000 00000000 0b00e0d8 gkwidget!nsWindow::OnPaint+0x139 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 5748] 0012e0ec 010085cb 0000000f 00000000 00000000 gkwidget!nsWindow::ProcessMessage+0x230 [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 4365] 0012e120 77d48734 008306cc 0000000f 00000000 gkwidget!nsWindow::WindowProc+0x9c [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1435] 0012e14c 77d48816 0100852f 008306cc 0000000f USER32!InternalCallWinProc+0x28 0012e1b4 77d4b4c0 00000000 0100852f 008306cc USER32!UserCallWinProcCheckWow+0x150 0012e208 77d4b50c 0058a3b8 0000000f 00000000 USER32!DispatchClientMessage+0xa3 0012e230 7c90eae3 0012e240 00000018 0058a3b8 USER32!__fnDWORD+0x24 0012e230 804e2b1c 0012e240 00000018 0058a3b8 ntdll!KiUserCallbackDispatcher+0x13 b3b1dad8 80565cec b3b1db94 b3b1db98 b3b1db68 nt!KiCallUserMode+0x4 b3b1db34 bf813e47 00000002 b3b1db78 00000018 nt!KeUserModeCallback+0x87 b3b1dbb8 bf813fdd bbe8a3b8 0000000f 00000000 win32k!SfnDWORD+0xa8 b3b1dc00 bf8141cf 42e8a3b8 0000000f 00000000 win32k!xxxSendMessageToClient+0x176 b3b1dc4c bf80f5b8 bbe8a3b8 0000000f 00000000 win32k!xxxSendMessageTimeout+0x1a6 b3b1dc70 bf827001 bbe8a3b8 0000000f 00000000 win32k!xxxSendMessage+0x1b b3b1dc9c bf826f6c bbe8a3b8 00000005 00000000 win32k!xxxUpdateWindow2+0x79 b3b1dcc0 bf826f6c bbe5ab88 00000005 00000000 win32k!xxxUpdateWindow2+0xfa b3b1dce4 bf826f6c bbe5aa60 00000005 b3b1dd64 win32k!xxxUpdateWindow2+0xfa b3b1dd08 bf826ed1 bbe7ec30 00000001 0012e268 win32k!xxxUpdateWindow2+0xfa b3b1dd28 bf8370dd bbe7ec30 00000001 b3b1dd54 win32k!xxxInternalUpdateWindow+0x6f FOLLOWUP_IP: win32k!vSrcCopyS32D32Identity+5b bf83a167 83c40c add esp,0xc SYMBOL_STACK_INDEX: 1 FOLLOWUP_NAME: MachineOwner SYMBOL_NAME: win32k!vSrcCopyS32D32Identity+5b MODULE_NAME: win32k IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 43446a58 STACK_COMMAND: .trap ffffffffb3b1d100 ; kb FAILURE_BUCKET_ID: 0x50_win32k!vSrcCopyS32D32Identity+5b BUCKET_ID: 0x50_win32k!vSrcCopyS32D32Identity+5b Followup: MachineOwner ---------
140 #define NS_THEME_SCROLLBAR_TRACK_VERTICAL 87 looks like it's SP_TRACKSTARTVERT aka SBP_THUMBBTNVERT kd> dv -t class nsNativeThemeWin * this = 0x01db1408 class nsIRenderingContext * aContext = 0x0a657590 class nsIFrame * aFrame = 0x0af9c5b4 unsigned char aWidgetType = 0x57 'W' struct nsRect * aRect = 0x0012da70 struct nsRect * aClipRect = 0x0012db28 int state = 1 struct tagRECT clipRect = struct tagRECT void * theme = 0x00010002 int part = 6 struct tagRECT widgetRect = struct tagRECT struct nsRect tr = struct nsRect struct nsRect cr = struct nsRect class nsTransform2D * transformMatrix = 0x0b48f0cc kd> dt -b gkgfxwin!nsRenderingContextWin 0x0a657590 +0x000 __VFN_table : 0x00d579d0 +0x004 mTranMatrix : 0x0b48f0cc +0x008 mLineStyle : 1 ( nsLineStyle_kSolid ) +0x00c mAct : 0 +0x010 mActive : (null) +0x014 mPenMode : 0 ( nsPenMode_kNone ) =00d5fcd4 nsRenderingContextImpl::gBackbuffer : 0x0af72288 =00d5fce0 nsRenderingContextImpl::gBackbufferBounds : nsRect +0x000 x : 0 +0x004 y : 0 +0x008 width : 896 +0x00c height : 625 =00d5fcd8 nsRenderingContextImpl::gLargestRequestedSize : nsSize +0x000 width : 0 +0x004 height : 0 +0x018 __VFN_table : 0x00d579c0 +0x01c mRefCnt : +0x000 mValue : 5 +0x020 mCurrentColor : 0 +0x024 mFontMetrics : (null) +0x028 mDC : 0x090113c6 +0x02c mMainDC : 0x05011e63 +0x030 mSurface : 0x0af72288 +0x034 mMainSurface : 0x0a82afc8 +0x038 mColor : 0 +0x03c mDCOwner : (null) +0x040 mContext : 0x0aff3768 +0x044 mP2T : 15 +0x048 mClipRegion : (null) +0x04c mOrigSolidBrush : 0x01900010 +0x050 mOrigFont : 0x018a0021 +0x054 mOrigSolidPen : 0x01b00017 +0x058 mOrigPalette : (null) +0x05c mStates : 0x0b48f0c8 +0x060 mStateCache : 0x09ffafa8 +0x064 mCurrBrushColor : 0xffd8e9ec +0x068 mCurrBrush : 0x441029cf +0x06c mCurrFontWin : (null) +0x070 mCurrFont : (null) +0x074 mCurrPenColor : 0 +0x078 mCurrPen : (null) +0x07c mNullPen : (null) +0x080 mGammaTable : (null) +0x084 mCurrTextColor : 0 +0x088 mCurrLineStyle : 1 ( nsLineStyle_kSolid ) +0x08c mRightToLeftText : 0 '' clipRect: kd> dt nsRect 0x0012d8c0 +0x000 x : 876 +0x004 y : 0 +0x008 width : 895 +0x00c height : 605 widgetRect: kd> dt nsRect 0x0012d8f0 +0x000 x : 876 +0x004 y : 0 +0x008 width : 895 +0x00c height : 605
*** Bug 317379 has been marked as a duplicate of this bug. ***
Product: Core → Core Graveyard
Crash Signature: [@ nsNativeThemeWin::DrawWidgetBackground]
Assignee: win32 → nobody
Component: GFX: Win32 → Widget: Win32
Product: Core Graveyard → Core
QA Contact: ian
Crashes with this function still happen, see https://crash-stats.mozilla.com/report/list?signature=nsNativeThemeWin%3A%3ADrawWidgetBackground%28nsRenderingContext%2A%2C+nsIFrame%2A%2C+unsigned+char%2C+nsRect+const%26%2C+nsRect+const%26%29
Crash Signature: [@ nsNativeThemeWin::DrawWidgetBackground] → [@ nsNativeThemeWin::DrawWidgetBackground] [@ nsNativeThemeWin::DrawWidgetBackground(nsRenderingContext*, nsIFrame*, unsigned char, nsRect const&, nsRect const&) ]
Approval Request Comment [Feature/regressing bug #]: [User impact if declined]: [Describe test coverage new/current, TreeHerder]: [Risks and why]: [String/UUID change made/needed]:
Whiteboard: tpi:-
QA Whiteboard: qa-not-actionable

No crashes since Firefox version 94.0.2.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: