
Crash [@ CGBitmapContextCreateImage] with <xul:listbox>, opacity

VERIFIED FIXED in mozilla1.9beta1

Status


Core
XUL
--
critical
VERIFIED FIXED
10 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: mats)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Trunk
mozilla1.9beta1
x86
Mac OS X
crash, regression, testcase
Bug Flags:
blocking1.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [dbaron-1.9:Rs], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
Created attachment 282051 [details]
testcase (crashes Firefox 2 seconds after it is loaded)

Steps to reproduce:
1. Load the testcase.
2. Wait 2 seconds.

Result: crash [@ CGBitmapContextCreateImage] dereferencing 0x00000009.

Tested with Mac trunk debug.  I think this is a regression from within the last few days.
(Reporter)

Comment 1

10 years ago
It might have to be the first page loaded in the session in order to trigger the crash.
(Assignee)

Comment 2

10 years ago
Created attachment 282150 [details]
stack

The error is that cairo_quartz_surface_to_quartz() returns a surface
that isn't a quartz surface.  The callers of this function expect
it to never fail to create a quartz surface.  The testcase triggers calls
with width/height == 0, which makes _cairo_malloc_ab() fail, which makes
cairo_quartz_surface_create() fail, which causes
cairo_quartz_surface_clone_similar() to fail, which makes
cairo_surface_clone_similar() call cairo_surface_fallback_clone_similar()
instead which succeeds and returns a CAIRO_SURFACE_TYPE_IMAGE which
cairo_quartz_surface_to_quartz() then casts to a cairo_quartz_surface_t.

I suppose we could prune calls with width/height == 0 at a higher level
but we need to handle this type of error anyway (malloc fails due to OOM).
(Assignee)

Comment 3

10 years ago
Created attachment 282152 [details] [diff] [review]
Like so?

* make cairo_quartz_surface_to_quartz() return NULL if it's not
  a valid quartz surface and add null-checks to call sites.
* fix a couple of leaks under OOM
* fix a warning about missing initializers for cairo_quartz_surface_backend
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: review?(vladimir)
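
The failure chain from comment 2 and the checked downcast outlined in comment 3, as an added example that is neither the attached patch nor cairo's own code. The types and function names are simplified, hypothetical stand-ins, and creation failure for a zero dimension is modelled directly.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the cairo types; all names here are hypothetical. */
typedef enum { SURF_IMAGE, SURF_QUARTZ } surf_type;
typedef struct { surf_type type; int width, height; } surface;     /* shared header */
typedef struct { surface base; unsigned char *data; } image_surface;
typedef struct { surface base; void *cg_context; } quartz_surface;

/* Models quartz surface creation failing for a zero dimension (or OOM). */
static surface *quartz_create(int w, int h) {
    if (w == 0 || h == 0) return NULL;
    quartz_surface *q = calloc(1, sizeof *q);
    if (q == NULL) return NULL;
    q->base = (surface){ SURF_QUARTZ, w, h };
    q->cg_context = q;               /* placeholder for a real context handle */
    return &q->base;
}

/* Models the generic fallback: succeeds, but hands back an image surface. */
static surface *clone_similar(int w, int h) {
    surface *s = quartz_create(w, h);
    if (s != NULL) return s;
    image_surface *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->base = (surface){ SURF_IMAGE, w, h };
    return &img->base;
}

/* Checked downcast: NULL unless the surface really is a quartz surface.
 * An unconditional (quartz_surface *)s here is the type confusion. */
static quartz_surface *to_quartz(surface *s) {
    if (s == NULL || s->type != SURF_QUARTZ) return NULL;
    return (quartz_surface *)s;
}

/* Call site with the null check; frees the clone on every path. */
static int draw(int w, int h) {
    surface *s = clone_similar(w, h);
    quartz_surface *q = to_quartz(s);
    int rc = (q != NULL && q->cg_context != NULL) ? 0 : -1;
    free(s);
    return rc;
}

int main(void) {
    printf("16x16 -> %d, 0x8 -> %d\n", draw(16, 16), draw(0, 8));
    return 0;
}
```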
(Assignee)

Updated

10 years ago
Flags: blocking1.9?

Comment 4

10 years ago
This is probably related, seeing Mats' comment 2: for several days, I have randomly seen entries in console.log:

> Sep 30 16:14:33 pikun /Applications/Camino.app/Contents/MacOS/Camino: CGBitmapContextCreateImage: invalid context

With both Camino Trunk builds and Minefield builds (opt).

I haven't found a way to trigger it manually. It doesn't seem to cause anything Bad, as far as I can tell.

Updated

10 years ago
Blocks: 328258
(Assignee)

Updated

10 years ago
Assignee: nobody → mats.palmgren
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:Rs]

Comment 5

10 years ago
Guessing bug 400865 is a duplicate of this one, stack trace looks very close.

Crash stats page associated with that bug:

http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&platform=mac&signature=CoreGraphics%400xa1d71&range_value=1


Updated

10 years ago
Blocks: 400865
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: superreview+
Attachment #282152 - Flags: review?(vladimir)
Attachment #282152 - Flags: review+
Attachment #282152 - Flags: approvalM9?
Attachment #282152 - Flags: approvalM9?
Attachment #282152 - Flags: approvalM9+
Attachment #282152 - Flags: approval1.9+
(Assignee)

Comment 6

10 years ago
I tried to make a mochitest of the attached testcase but failed.
The crash still occurs (2007102504) although it seems harder to reproduce now;
I had to open Preferences, Reload, Zoom etc. to make it crash.
(Assignee)

Comment 7

10 years ago
mozilla/gfx/cairo/cairo/src/cairo-quartz-surface.c 	1.30

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102604 Minefield/3.0a9pre -> no crash on testcase 

-> Verified
Status: RESOLVED → VERIFIED

Updated

10 years ago
Duplicate of this bug: 399469

Updated

9 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ CGBitmapContextCreateImage]
(Assignee)

Comment 10

4 years ago
crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4682b19996d8
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/4682b19996d8