Closed Bug 397293 Opened 15 years ago Closed 15 years ago

Crash [@ CGBitmapContextCreateImage] with <xul:listbox>, opacity

Categories

(Core :: XUL, defect)

x86
macOS
defect
Not set
critical

VERIFIED FIXED
mozilla1.9beta1

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, regression, testcase, Whiteboard: [dbaron-1.9:Rs])

Attachments

(3 files)

Steps to reproduce:
1. Load the testcase.
2. Wait 2 seconds.

Result: crash [@ CGBitmapContextCreateImage] dereferencing 0x00000009.

Tested with Mac trunk debug.  I think this is a regression from within the last few days.
It might have to be the first page loaded in the session in order to trigger the crash.
Attached file stack
The error is that cairo_quartz_surface_to_quartz() returns a surface
that isn't a quartz surface.  The callers of this function expect
it never to fail to create a quartz surface.  The testcase triggers calls
with width/height == 0, which makes _cairo_malloc_ab() fail, which makes
cairo_quartz_surface_create() fail, which causes
cairo_quartz_surface_clone_similar() to fail, which makes
cairo_surface_clone_similar() call cairo_surface_fallback_clone_similar()
instead which succeeds and returns a CAIRO_SURFACE_TYPE_IMAGE which
cairo_quartz_surface_to_quartz() then casts to a cairo_quartz_surface_t.

I suppose we could prune calls with width/height == 0 at a higher level
but we need to handle this type of error anyway (malloc fails due to OOM).
Attached patch: Like so?
* make cairo_quartz_surface_to_quartz() return NULL if it's not
  a valid quartz surface and add null-checks to call sites.
* fix a couple of leaks under OOM
* fix a warning about missing initializers for cairo_quartz_surface_backend
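As an added illustration (not code from this bug or from cairo itself), a small C model of the failure Mats describes: a clone_similar that silently falls back to an image surface when the quartz allocation fails for a zero-sized request, the original blind downcast, and the checked conversion plus call-site NULL check the patch describes. All names are hypothetical stand-ins for the cairo functions named above.

```c
/* Constructed model of the bug above: a surface base struct carrying a type
 * tag, a "quartz" subtype with extra fields, and a clone_similar that falls
 * back to an image surface when the quartz allocation fails (here a zero
 * width or height stands in for _cairo_malloc_ab() failing). Hypothetical
 * names, not the real cairo API. */
#include <stddef.h>
#include <stdlib.h>

enum surface_type { SURFACE_TYPE_IMAGE = 0, SURFACE_TYPE_QUARTZ = 1 };

typedef struct { enum surface_type type; int width, height; } surface_t;

/* Fields after `base` exist only in a real quartz surface. */
typedef struct { surface_t base; void *cg_context; } quartz_surface_t;

static int dummy_ctx;   /* stands in for a CGContextRef */

/* Stand-in for cairo_quartz_surface_create(): fails on a zero-area request. */
static surface_t *quartz_surface_create(int w, int h) {
    if (w <= 0 || h <= 0) return NULL;            /* allocation would fail */
    quartz_surface_t *q = calloc(1, sizeof *q);
    if (!q) return NULL;
    q->base.type = SURFACE_TYPE_QUARTZ; q->base.width = w; q->base.height = h;
    q->cg_context = &dummy_ctx;
    return &q->base;
}

/* Stand-in for cairo_surface_clone_similar(): on quartz failure it takes the
 * generic fallback path and returns an image surface, which is the trigger. */
static surface_t *surface_clone_similar(int w, int h) {
    surface_t *s = quartz_surface_create(w, h);
    if (s) return s;
    s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->type = SURFACE_TYPE_IMAGE; s->width = w; s->height = h;
    return s;
}

/* Before the fix: unconditional downcast, so an image surface is treated as
 * quartz and any access to cg_context reads past the smaller struct. */
static quartz_surface_t *surface_to_quartz_unchecked(surface_t *s) {
    return (quartz_surface_t *)s;
}

/* After the fix: verify the backend type and let callers handle NULL. */
static quartz_surface_t *surface_to_quartz(surface_t *s) {
    if (s == NULL || s->type != SURFACE_TYPE_QUARTZ) return NULL;
    return (quartz_surface_t *)s;
}

/* A call site in the style of the patch: NULL-check instead of dereferencing. */
static void *context_for(int w, int h) {
    surface_t *s = surface_clone_similar(w, h);
    quartz_surface_t *q = surface_to_quartz(s);   /* NULL on the fallback */
    void *ctx = q ? q->cg_context : NULL;
    free(s);                                      /* base is the first member */
    return ctx;
}
```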
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: review?(vladimir)
Flags: blocking1.9?
This is probably related, seeing Mats' comment 2: for several days, I see randomly entries in console.log:

> Sep 30 16:14:33 pikun /Applications/Camino.app/Contents/MacOS/Camino: CGBitmapContextCreateImage: invalid context

With both Camino Trunk builds and Minefield builds (opt).

I haven't found a way to trigger it manually. It doesn't seem to cause anything Bad, as far as I can tell.
Blocks: 328258
Assignee: nobody → mats.palmgren
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:Rs]
Blocks: 400865
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: superreview+
Attachment #282152 - Flags: review?(vladimir)
Attachment #282152 - Flags: review+
Attachment #282152 - Flags: approvalM9?
I tried to make a mochitest of the attached testcase but failed.
The crash still occurs (2007102504), although it seems harder to reproduce now;
I had to open Preferences, Reload, Zoom, etc. to make it crash.
mozilla/gfx/cairo/cairo/src/cairo-quartz-surface.c 1.30

-> FIXED
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102604 Minefield/3.0a9pre -> no crash on testcase 

-> Verified
Status: RESOLVED → VERIFIED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ CGBitmapContextCreateImage]
crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4682b19996d8
Flags: in-testsuite? → in-testsuite+