Attachments:
- 282051: testcase (425 bytes, application/xhtml+xml)
- 282150: stack (16.06 KB, text/plain)
- 282152: patch (5.52 KB)
Created attachment 282051 [details]
testcase (crashes Firefox 2 seconds after it is loaded)

Steps to reproduce:
1. Load the testcase.
2. Wait 2 seconds.

Result: crash [@ CGBitmapContextCreateImage] dereferencing 0x00000009.
Tested with Mac trunk debug. I think this is a regression from within the last few days.
It might have to be the first page loaded in the session in order to trigger the crash.
Created attachment 282150 [details]
stack

The error is that cairo_quartz_surface_to_quartz() returns a surface that isn't a quartz surface. The callers of this function expect it never to fail to create a quartz surface. The testcase triggers calls with width/height == 0, which makes _cairo_malloc_ab() fail, which makes cairo_quartz_surface_create() fail, which causes cairo_quartz_surface_clone_similar() to fail, which makes cairo_surface_clone_similar() call cairo_surface_fallback_clone_similar() instead, which succeeds and returns a CAIRO_SURFACE_TYPE_IMAGE, which cairo_quartz_surface_to_quartz() then casts to a cairo_quartz_surface_t. I suppose we could prune calls with width/height == 0 at a higher level, but we need to handle this type of error anyway (malloc fails due to OOM).
Created attachment 282152 [details] [diff] [review]
Like so?

* make cairo_quartz_surface_to_quartz() return NULL if it's not a valid quartz surface and add null-checks to call sites.
* fix a couple of leaks under OOM
* fix a warning about missing initializers for cairo_quartz_surface_backend
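As an added illustration of the defect described in comment 2 and the fix proposed in comment 3 (this is constructed example code, not the attached patch and not cairo's own structs or functions): a tagged surface hierarchy where the zero-size quartz allocation fails, the generic clone path silently returns an image surface, and an unchecked downcast hands the caller garbage where a CGContext was expected. The checked conversion inspects the type tag and returns NULL, and the caller null-checks it. All names here (surface_t, quartz_surface_create, surface_to_quartz_checked, draw_with_quartz, etc.) are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tagged surface model (constructed for this example). */
typedef enum { SURFACE_TYPE_IMAGE = 0, SURFACE_TYPE_QUARTZ = 1 } surface_type_t;

typedef struct {
    surface_type_t type;      /* tag identifying the concrete struct */
    int width, height;
} surface_t;

typedef struct {
    surface_t base;           /* first member, so a base pointer aliases the struct */
    void *cg_context;         /* stands in for the CGContextRef */
} quartz_surface_t;

typedef struct {
    surface_t base;
    unsigned char *pixels;    /* occupies the slot where cg_context sits in quartz_surface_t */
} image_surface_t;

/* Models the quartz backend refusing zero-sized (or OOM) allocations. */
static surface_t *quartz_surface_create(int width, int height) {
    if (width <= 0 || height <= 0)
        return NULL;                          /* _cairo_malloc_ab()-style failure */
    quartz_surface_t *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->base.type = SURFACE_TYPE_QUARTZ;
    s->base.width = width;
    s->base.height = height;
    s->cg_context = s;                        /* dummy non-NULL handle */
    return &s->base;
}

/* Models the generic fallback, which happily builds a zero-sized image surface. */
static surface_t *image_surface_create(int width, int height) {
    image_surface_t *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->base.type = SURFACE_TYPE_IMAGE;
    s->base.width = width;
    s->base.height = height;
    s->pixels = (width > 0 && height > 0) ? calloc((size_t)width * height, 4) : NULL;
    return &s->base;
}

/* Models clone_similar: try the native path, fall back to a generic image surface. */
static surface_t *surface_clone_similar(int width, int height) {
    surface_t *s = quartz_surface_create(width, height);
    return s ? s : image_surface_create(width, height);
}

/* Before the fix: blind downcast; for an image surface the caller then reads
 * 'pixels' (NULL here) as if it were the CG context. */
static quartz_surface_t *surface_to_quartz_unchecked(surface_t *s) {
    return (quartz_surface_t *)s;
}

/* After the fix: verify the tag and return NULL for anything that is not quartz. */
static quartz_surface_t *surface_to_quartz_checked(surface_t *s) {
    if (s == NULL || s->type != SURFACE_TYPE_QUARTZ)
        return NULL;
    return (quartz_surface_t *)s;
}

/* A call site that needs the CG context; returns 0 on success, -1 if unavailable. */
static int draw_with_quartz(surface_t *s) {
    quartz_surface_t *q = surface_to_quartz_checked(s);
    if (!q)
        return -1;                            /* null-check at the call site */
    return q->cg_context ? 0 : -1;
}

static void surface_destroy(surface_t *s) {
    if (!s)
        return;
    if (s->type == SURFACE_TYPE_IMAGE)
        free(((image_surface_t *)s)->pixels);
    free(s);
}

int main(void) {
    surface_t *zero = surface_clone_similar(0, 0);   /* what the testcase triggers */
    printf("0x0 clone is type %d; unchecked context=%p; checked draw=%d\n",
           zero->type, surface_to_quartz_unchecked(zero)->cg_context, draw_with_quartz(zero));
    surface_destroy(zero);

    surface_t *ok = surface_clone_similar(4, 4);
    printf("4x4 clone is type %d; checked draw=%d\n", ok->type, draw_with_quartz(ok));
    surface_destroy(ok);
    return 0;
}
```

The unchecked path is exactly the shape of the reported crash: nothing fails loudly until CGBitmapContextCreateImage is handed a bogus context. Checking the tag moves the failure to a point where the caller can still bail out cleanly.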
This is probably related, seeing Mats' comment 2: for several days, I randomly see entries in console.log:

> Sep 30 16:14:33 pikun /Applications/Camino.app/Contents/MacOS/Camino: CGBitmapContextCreateImage: invalid context

With both Camino Trunk builds and Minefield builds (opt). I haven't found a way to trigger it manually. It doesn't seem to cause anything Bad, as far as I can tell.
Guessing bug 400865 is a duplicate of this one, stack trace looks very close. Crash stats page associated with that bug: http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&platform=mac&signature=CoreGraphics%400xa1d71&range_value=1
I tried to make a mochitest of the attached testcase but failed. The crash still occurs (2007102504), although it seems harder to reproduce now; I had to open Preferences, Reload, Zoom etc. to make it crash.
mozilla/gfx/cairo/cairo/src/cairo-quartz-surface.c 1.30 -> FIXED
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102604 Minefield/3.0a9pre -> no crash on testcase -> Verified