Crash [@ CGBitmapContextCreateImage] with <xul:listbox>, opacity

VERIFIED FIXED in mozilla1.9beta1

Status

Priority: --
Severity: critical
Status: VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mats)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla1.9beta1
Platform: x86 macOS
Keywords: crash, regression, testcase
Points: ---
Bug Flags: blocking1.9 +, in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [dbaron-1.9:Rs], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

12 years ago
Created attachment 282051 [details]
testcase (crashes Firefox 2 seconds after it is loaded)

Steps to reproduce:
1. Load the testcase.
2. Wait 2 seconds.

Result: crash [@ CGBitmapContextCreateImage] dereferencing 0x00000009.

Tested with Mac trunk debug.  I think this is a regression from within the last few days.
(Reporter)

Comment 1

12 years ago
It might have to be the first page loaded in the session in order to trigger the crash.
(Assignee)

Comment 2

12 years ago
Created attachment 282150 [details]
stack

The error is that cairo_quartz_surface_to_quartz() returns a surface
that isn't a quartz surface.  The callers of this function expect
it to never fail to create a quartz surface.  The testcase triggers calls
with width/height == 0, which makes _cairo_malloc_ab() fail, which makes
cairo_quartz_surface_create() fail, which causes
cairo_quartz_surface_clone_similar() to fail, which makes
cairo_surface_clone_similar() call cairo_surface_fallback_clone_similar()
instead which succeeds and returns a CAIRO_SURFACE_TYPE_IMAGE which
cairo_quartz_surface_to_quartz() then casts to a cairo_quartz_surface_t.

I suppose we could prune calls with width/height == 0 at a higher level
but we need to handle this type of error anyway (malloc fails due to OOM).
(Assignee)

Comment 3

12 years ago
Created attachment 282152 [details] [diff] [review]
Like so?

* make cairo_quartz_surface_to_quartz() return NULL if it's not
  a valid quartz surface and add null-checks to call sites.
* fix a couple of leaks under OOM
* fix a warning about missing initializers for cairo_quartz_surface_backend
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: review?(vladimir)
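The failure chain from comment 2 and the shape of the fix from comment 3, as an added C example that is constructed here and is not cairo's or Mozilla's code: the struct names, `malloc_ab`, `clone_similar`, `to_quartz_checked` and `draw_through` are stand-ins assumed for illustration. Creation of a zero-sized backend surface fails, the generic fallback hands back an image surface, and only a type-tag check before the downcast (plus a NULL check at the call site) turns the crash into a reported error.

```c
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical stand-in for cairo's surface structs; names are constructed, not cairo's. */
typedef enum { SURFACE_TYPE_IMAGE, SURFACE_TYPE_QUARTZ } surface_type_t;
typedef struct { surface_type_t type; int width, height; } surface_t;  /* common header */
typedef struct { surface_t base; unsigned char *pixels; } image_surface_t;
typedef struct { surface_t base; void *cg_context; } quartz_surface_t; /* what CG calls need */

/* Like _cairo_malloc_ab(): a zero-sized or overflowing product yields NULL. */
static void *malloc_ab(size_t a, size_t b) {
    if (a == 0 || b == 0 || a > SIZE_MAX / b) return NULL;
    return malloc(a * b);
}

/* Quartz backend: creation fails at width/height == 0 (and under OOM). */
surface_t *quartz_surface_create(int width, int height) {
    void *backing = malloc_ab((size_t)width * 4, (size_t)height);
    if (backing == NULL) return NULL;
    quartz_surface_t *s = calloc(1, sizeof *s);
    if (s == NULL) { free(backing); return NULL; }  /* no leak on OOM */
    s->base.type = SURFACE_TYPE_QUARTZ;
    s->base.width = width; s->base.height = height;
    s->cg_context = backing;
    return &s->base;
}

/* Generic fallback: an image surface, which succeeds even at 0x0. */
surface_t *fallback_clone_similar(int width, int height) {
    image_surface_t *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->base.type = SURFACE_TYPE_IMAGE;
    s->base.width = width; s->base.height = height;
    return &s->base;
}

/* cairo_surface_clone_similar(): try the backend, fall back on failure. */
surface_t *clone_similar(int width, int height) {
    surface_t *s = quartz_surface_create(width, height);
    return s != NULL ? s : fallback_clone_similar(width, height);
}

/* Before the fix this was a bare (quartz_surface_t *) cast, so the fallback's
 * image surface was read as a quartz one. After: check the tag, else NULL. */
quartz_surface_t *to_quartz_checked(surface_t *s) {
    return (s != NULL && s->type == SURFACE_TYPE_QUARTZ) ? (quartz_surface_t *)s : NULL;
}

/* Call site with the added null-check: 0 = drew, -1 = error reported, no crash. */
int draw_through(surface_t *s) {
    quartz_surface_t *q = to_quartz_checked(s);
    return (q != NULL && q->cg_context != NULL) ? 0 : -1;
}
```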
(Assignee)

Updated

12 years ago
Flags: blocking1.9?
This is probably related, seeing Mats' comment 2: for several days I have randomly been seeing entries in console.log:

> Sep 30 16:14:33 pikun /Applications/Camino.app/Contents/MacOS/Camino: CGBitmapContextCreateImage: invalid context

With both Camino Trunk builds and Minefield builds (opt).

I haven't found a way to trigger it manually. It doesn't seem to cause anything Bad, as far as I can tell.

Updated

12 years ago
Blocks: 328258
(Assignee)

Updated

12 years ago
Assignee: nobody → mats.palmgren
Flags: blocking1.9? → blocking1.9+

Updated

12 years ago
Blocks: 400865
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: superreview+
Attachment #282152 - Flags: review?(vladimir)
Attachment #282152 - Flags: review+
Attachment #282152 - Flags: approvalM9?
(Assignee)

Comment 6

12 years ago
I tried to make a mochitest of the attached testcase but failed.
The crash still occurs (2007102504), although it seems harder to reproduce now;
I had to open Preferences, Reload, Zoom etc. to make it crash.
(Assignee)

Comment 7

12 years ago
mozilla/gfx/cairo/cairo/src/cairo-quartz-surface.c 1.30

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102604 Minefield/3.0a9pre -> no crash on testcase 

-> Verified
Status: RESOLVED → VERIFIED

Updated

12 years ago
Duplicate of this bug: 399469

Updated

11 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ CGBitmapContextCreateImage]
(Assignee)

Comment 10

6 years ago
crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4682b19996d8
Flags: in-testsuite? → in-testsuite+