Closed Bug 380611 Opened 18 years ago Closed 18 years ago

crash trying to zoom in cacti [@ _moz_cairo_surface_get_type()]

Categories

(Core :: Graphics, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: aguertin+bugzilla, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash)

Attachments

(2 files)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a5pre) Gecko/20070513 Minefield/3.0a5pre ID:2007051304 [cairo]

Playing around with cacti's zoom ability, I crash.

Talkbacks TB32114642 TB32114880

Steps to reproduce:
Go to the url in the url field
Clicking and dragging on the image gives you a red rectangle that's supposed to allow zooming.
Play around with that until you crash.

It seems like if you try clicking and dragging a lot, fast, it crashes more.
It crashes if you click and drag, and then do so again before the page unloads.
Incident ID: 32114880
Stack Signature _moz_cairo_surface_get_type() e8c81de4
Product ID FirefoxTrunk
Build ID 2007051304
Trigger Time 2007-05-14 00:03:01.0
Platform LinuxIntel
Operating System Linux 2.6.19.7
Module firefox-bin + (007758e8)
URL visited http://wolfox.ath.cx/cacti/graph_view.php?action=tree&tree_id=1
User Comments Zoom on the second graph, click and drag a bunch (on the zoomable part that gives you a red rectangle)
Since Last Crash 0 sec
Total Uptime 4 sec
Trigger Reason SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No. N/A
Stack Trace
_moz_cairo_surface_get_type()
nsImageToPixbuf::SurfaceToPixbuf() [mozilla/widget/src/gtk2/nsImageToPixbuf.cpp, line 94]
nsDragService::InvokeDragSession() [mozilla/widget/src/gtk2/nsDragService.cpp, line 1055]
nsBaseDragService::InvokeDragSessionWithSelection() [mozilla/widget/src/xpwidgets/nsBaseDragService.cpp, line 840]
nsContentAreaDragDrop::DragGesture() [mozilla/content/base/src/nsContentAreaDragDrop.cpp, line 846]
DispatchToInterface(nsIDOMEvent*, nsIDOMEventListener*, unsigned (nsIDOMEventListener::*)() [mozilla/content/events/src/nsEventListenerManager.cpp, line 182]
nsEventListenerManager::HandleEvent() [mozilla/content/events/src/nsEventListenerManager.cpp, line 1055]
nsEventTargetChainItem::HandleEvent() [mozilla/content/events/src/nsEventDispatcher.cpp, line 1038]
nsEventTargetChainItem::HandleEventTargetChain() [mozilla/content/events/src/nsEventDispatcher.cpp, line 288]
nsEventDispatcher::Dispatch() [mozilla/content/events/src/nsEventDispatcher.cpp, line 477]
nsEventStateManager::GenerateDragGesture() [mozilla/content/events/src/nsEventStateManager.cpp, line 840]
nsEventStateManager::PreHandleEvent() [mozilla/content/events/src/nsEventStateManager.cpp, line 2074]
PresShell::HandleEventInternal() [mozilla/layout/base/nsPresShell.cpp, line 5685]
PresShell::HandlePositionedEvent() [mozilla/layout/base/nsPresShell.cpp, line 5581]
PresShell::HandleEvent() [mozilla/layout/base/nsPresShell.cpp, line 5424]
nsViewManager::HandleEvent() [mozilla/view/src/nsViewManager.cpp, line 846]
nsViewManager::DispatchEvent() [mozilla/view/src/nsViewManager.cpp, line 48]
HandleEvent() [mozilla/view/src/nsView.cpp, line 168]
nsCommonWidget::DispatchEvent() [mozilla/widget/src/gtk2/nsCommonWidget.cpp, line 220]
nsWindow::OnMotionNotifyEvent() [mozilla/widget/src/gtk2/nsWindow.cpp, line 1890]
motion_notify_event_cb() [mozilla/widget/src/gtk2/nsWindow.cpp, line 955]
libgtk-x11-2.0.so.0 + 0x12488e (0xb7b8d88e)
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED
We crash when trying to create a gfxContext with an invalid surface. The surface is invalid because PresShell::PaintRangePaintInfo was called with an 'aArea' that has zero width and height. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsPresShell.cpp&rev=3.1016&root=/cvsroot&mark=5016,5022#4960
Attached patch: Patch rev. 1
I think we should just do an early return in PaintRangePaintInfo if the rect is empty; I think that can happen. I also added some assertions to see this a bit earlier and some error handling in other places. I intentionally did not assert or warn on the last test in CheckSurfaceSize because that's unlikely to be a programming error.
Attachment #264826 - Flags: superreview?(vladimir)
Attachment #264826 - Flags: review?(vladimir)
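The pattern discussed above (return early on an empty rect, and make surface creation fail cleanly on unusable sizes) is sketched below as an added example. It is not the attached patch or Mozilla code; `Rect`, `Surface`, `ValidSurfaceSize`, `CreateSurface` and `PaintRange` are hypothetical names, and the sample rects are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <memory>
#include <vector>

// Hypothetical stand-ins; none of these are Mozilla's real classes.
struct Rect {
    int32_t x, y, width, height;
    bool IsEmpty() const { return width <= 0 || height <= 0; }
};

struct Surface {
    int32_t width, height;
    std::vector<uint8_t> pixels;  // 4 bytes per pixel
};

// Reject sizes that cannot back a valid surface: non-positive
// dimensions, or a 4-byte-per-pixel buffer that exceeds INT32_MAX bytes.
bool ValidSurfaceSize(int32_t w, int32_t h) {
    if (w <= 0 || h <= 0) return false;
    return int64_t(w) * int64_t(h) <= std::numeric_limits<int32_t>::max() / 4;
}

// Returns nullptr instead of handing back an unusable surface.
std::unique_ptr<Surface> CreateSurface(int32_t w, int32_t h) {
    if (!ValidSurfaceSize(w, h)) return nullptr;
    std::unique_ptr<Surface> s(new Surface());
    s->width = w; s->height = h;
    s->pixels.assign(size_t(w) * size_t(h) * 4, 0);
    return s;
}

// Caller-side guard: bail out before any surface or context is created.
std::unique_ptr<Surface> PaintRange(const Rect& area) {
    if (area.IsEmpty()) return nullptr;       // early return on empty rect
    auto surface = CreateSurface(area.width, area.height);
    if (!surface) return nullptr;             // creation can still fail
    surface->pixels[0] = 0xFF;                // safe: at least one pixel exists
    return surface;
}

int main() {
    Rect dragStart{10, 10, 0, 0};  // constructed: zero-size drag area
    Rect normal{0, 0, 64, 32};     // constructed: ordinary area
    std::printf("empty -> %s\n", PaintRange(dragStart) ? "surface" : "no surface");
    std::printf("64x32 -> %s\n", PaintRange(normal) ? "surface" : "no surface");
}
```

Both checks are kept on purpose: the caller's early return avoids the work entirely, while the creation-side check protects every other caller that forgets it.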
Comment on attachment 264826
Patch rev. 1

r+ on all but the gfxASurface changes -- those are in bug 380494, which I think by itself should fix this. But I agree, we should bail out early in 0 width/height situations much more than we do.
Attachment #264826 - Flags: superreview?(vladimir)
Attachment #264826 - Flags: superreview+
Attachment #264826 - Flags: review?(vladimir)
Attachment #264826 - Flags: review+
Checked into trunk, without the gfxASurface changes (which will be fixed by bug 380494), at 2007-05-17 03:14 PDT. -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Crash Signature: [@ _moz_cairo_surface_get_type()]