Deref of null pointer on cancel of print-to-file [@ _cairo_surface_acquire_dest_image]

Status: VERIFIED FIXED
Product: Core
Component: Graphics
Priority: P2
Severity: critical
Reported: 11 years ago
Last modified: 7 years ago

People: Reporter: Steve Snyder, Assigned: vlad

Tracking: Keywords: crash
Version: Trunk
Platform: x86 Windows 2000
Bug Flags: blocking1.9+

Attachments: 1 attachment, 1 obsolete attachment

(Reporter)

Description

11 years ago
A crash occurs on attempting to dereference a null function pointer in Cairo's _fallback_init().  The fault occurs on this line:

    http://mxr.mozilla.org/seamonkey/source/gfx/cairo/cairo/src/cairo-surface-fallback.c#79

Sequence of actions to reproduce:

1. Install 26 Dec 2007 nightly trunk build.
2. Go to "https://bugzilla.mozilla.org/"
3. Select File>>Print.
4. Select the "Print to file" checkbox, then click Ok.
5. When shown the "Output File Name" dialog, click Cancel.

That's it.  The structure member that provides the _cairo_surface_acquire_dest_image() call is zero at this point and crashes on attempted use.

Same behavior on the 24 Dec nightly trunk build.

No crash is seen if you actually provide an output filename and click Ok.

Updated

11 years ago
Assignee: general → nobody
Component: General → GFX: Thebes
Product: Mozilla Application Suite → Core
QA Contact: general → thebes

Updated

11 years ago
Severity: normal → critical
Keywords: crash

Comment 1

11 years ago
I can also reproduce on Windows XP with a trunk build.

Stacktrace:
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f114 015cbfa2 0x0
0012f134 015e5769 thebes!_cairo_surface_acquire_dest_image(struct _cairo_surface * surface = <Memory access error>, struct _cairo_rectangle_int32 * interest_rect = <Memory access error>, struct _cairo_image_surface ** image_out = <Memory access error>, struct _cairo_rectangle_int32 * image_rect = <Memory access error>, void ** image_extra = <Memory access error>)+0x22 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 1013]
0012f188 015cc231 thebes!_cairo_surface_fallback_composite(_cairo_operator op = <Memory access error>, struct _cairo_pattern * src = <Memory access error>, struct _cairo_pattern * mask = <Memory access error>, struct _cairo_surface * dst = <Memory access error>, int src_x = <Memory access error>, int src_y = <Memory access error>, int mask_x = <Memory access error>, int mask_y = <Memory access error>, int dst_x = <Memory access error>, int dst_y = <Memory access error>, unsigned int width = <Memory access error>, unsigned int height = <Memory access error>)+0x49 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface-fallback.c @ 1104]
0012f1cc 015d62f7 thebes!_cairo_surface_composite(_cairo_operator op = <Memory access error>, struct _cairo_pattern * src = <Memory access error>, struct _cairo_pattern * mask = <Memory access error>, struct _cairo_surface * dst = <Memory access error>, int src_x = <Memory access error>, int src_y = <Memory access error>, int mask_x = <Memory access error>, int mask_y = <Memory access error>, int dst_x = <Memory access error>, int dst_y = <Memory access error>, unsigned int width = <Memory access error>, unsigned int height = <Memory access error>)+0xc1 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 1223]
0012f288 015d8714 thebes!_cairo_win32_scaled_font_show_glyphs(void * abstract_font = <Memory access error>, _cairo_operator op = <Memory access error>, struct _cairo_pattern * pattern = <Memory access error>, struct _cairo_surface * generic_surface = <Memory access error>, int source_x = <Memory access error>, int source_y = <Memory access error>, int dest_x = <Memory access error>, int dest_y = <Memory access error>, unsigned int width = <Memory access error>, unsigned int height = <Memory access error>, struct cairo_glyph_t * glyphs = <Memory access error>, int num_glyphs = <Memory access error>)+0x1c7 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-win32-font.c @ 1282]
0012f3e0 015e54e7 thebes!_cairo_scaled_font_show_glyphs(struct _cairo_scaled_font * scaled_font = 0x0418e1f0, _cairo_operator op = CAIRO_OPERATOR_OVER (2), struct _cairo_pattern * pattern = 0x0012f704, struct _cairo_surface * surface = 0x04629d18, int source_x = 1897, int source_y = 237, int dest_x = 1897, int dest_y = 237, unsigned int width = 0x14, unsigned int height = 0x1f, struct cairo_glyph_t * glyphs = 0x0182be58, int num_glyphs = 1)+0x74 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-scaled-font.c @ 1194]
0012f50c 015e48d6 thebes!_cairo_surface_old_show_glyphs_draw_func(void * closure = 0x0012f64c, _cairo_operator op = CAIRO_OPERATOR_OVER (2), struct _cairo_pattern * src = 0x0012f704, struct _cairo_surface * dst = 0x04629d18, int dst_x = 0, int dst_y = 0, struct _cairo_rectangle_int32 * extents = 0x0012f668)+0xf7 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface-fallback.c @ 975]
0012f61c 015e55e3 thebes!_clip_and_composite(struct _cairo_clip * clip = 0x0000000c, _cairo_operator op = 1241444 (No matching enumerant), struct _cairo_pattern * src = 0x0012f174, <function> * draw_func = 0x00003000, void * draw_closure = 0x00000001, struct _cairo_surface * dst = 0x00000000, struct _cairo_rectangle_int32 * extents = 0x00000000)+0x86 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface-fallback.c @ 398]
0012f674 015cd34d thebes!_cairo_surface_fallback_show_glyphs(struct _cairo_surface * surface = 0x0012e1ac, _cairo_operator op = CAIRO_OPERATOR_CLEAR (0), struct _cairo_pattern * source = 0x409d9200, struct cairo_glyph_t * glyphs = 0x9999999a, int num_glyphs = 1081132441, struct _cairo_scaled_font * scaled_font = 0x00040005)+0xd3 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface-fallback.c @ 1030]
0012f7e0 015ec127 thebes!_cairo_surface_show_glyphs(struct _cairo_surface * surface = 0x0000000c, _cairo_operator op = 12288 (No matching enumerant), struct _cairo_pattern * source = 0x00000001, struct cairo_glyph_t * glyphs = 0x00000000, int num_glyphs = 0, struct _cairo_scaled_font * scaled_font = 0x00000000)+0x14d [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 2093]
0012fb9c 015ec2b4 thebes!_cairo_meta_surface_replay_internal(struct _cairo_surface * surface = 0x0012f174, struct _cairo_surface * target = 0x0012f164, cairo_meta_replay_type_t type = CAIRO_META_REPLAY (0), cairo_meta_region_type_t region = CAIRO_META_REGION_NATIVE (1))+0x517 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-meta-surface.c @ 820]
0012fba8 015ec817 thebes!_cairo_meta_surface_replay_region(struct _cairo_surface * surface = <Memory access error>, struct _cairo_surface * target = <Memory access error>, cairo_meta_region_type_t region = <Memory access error>)+0x14 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-meta-surface.c @ 914]
0012fbe0 015eca01 thebes!_paint_page(struct _cairo_paginated_surface * surface = 0x00000000)+0x147 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-paginated-surface.c @ 343]
0012fbe8 015cc48c thebes!_cairo_paginated_surface_show_page(void * abstract_surface = 0x01c0afa8)+0x41 [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-paginated-surface.c @ 446]
0012fbf4 015ca644 thebes!_moz_cairo_surface_show_page(struct _cairo_surface * surface = 0x01c0afa8)+0x3c [f:\mozilla\tree-cvsmo\mozilla\gfx\cairo\cairo\src\cairo-surface.c @ 1703]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite\dist\bin\components\gkgfxthebes.dll
0012fc00 0219316b thebes!gfxWindowsSurface::EndPage(void)+0x11 [f:\mozilla\tree-cvsmo\mozilla\gfx\thebes\src\gfxwindowssurface.cpp @ 234]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-cvsmo\mozilla\objsuite\dist\bin\components\gklayout.dll
0012fc08 01a73b91 gkgfxthebes!nsThebesDeviceContext::EndPage(void)+0xd [f:\mozilla\tree-cvsmo\mozilla\gfx\src\thebes\nsthebesdevicecontext.cpp @ 593]
Summary: Deref of null pointer on cancel of print-to-file → Deref of null pointer on cancel of print-to-file [@ _cairo_surface_acquire_dest_image]
(Reporter)

Comment 2

11 years ago
Copied from the call stack in the VS2005 debugger, on Win2K.  Code is the 31 Dec trunk, built as SeaMonkey.  (Sorry if this is too much info.)

 00000000()	
>seamonkey.exe!_fallback_init(fallback_state_t * state=0x00000000, _cairo_surface * dst=0x00000000, int x=0, int y=637, int width=991, int height=113)  Line 81 + 0x1a bytes	C
 seamonkey.exe!_cairo_surface_fallback_composite(_cairo_operator op=CAIRO_OPERATOR_OVER, _cairo_pattern * src=0x0012f640, _cairo_pattern * mask=0x0012f188, _cairo_surface * dst=0x00000000, int src_x=483, int src_y=637, int mask_x=0, int mask_y=0, int dst_x=483, int dst_y=0, unsigned int width=991, unsigned int height=113)  Line 1104 + 0x14 bytes	C
 seamonkey.exe!_cairo_surface_composite(_cairo_operator op=CAIRO_OPERATOR_OVER, _cairo_pattern * src=0x0012f640, _cairo_pattern * mask=0x0012f188, _cairo_surface * dst=0x034e4400, int src_x=483, int src_y=637, int mask_x=0, int mask_y=0, int dst_x=483, int dst_y=637, unsigned int width=991, unsigned int height=113)  Line 1223 + 0x33 bytes	C
 seamonkey.exe!_cairo_win32_scaled_font_show_glyphs(void * abstract_font=, _cairo_operator op=, _cairo_pattern * pattern=, _cairo_surface * generic_surface=, int source_x=, int source_y=, int dest_x=, int dest_y=, unsigned int width=, unsigned int height=, cairo_glyph_t * glyphs=, int num_glyphs=)  Line 1282 + 0x2f bytes	C
 NTDLL.DLL!77fb083a() 	
 [Frames below may be incorrect and/or missing, no symbols loaded for NTDLL.DLL]	
 seamonkey.exe!_cairo_scaled_font_show_glyphs(_cairo_scaled_font * scaled_font=0x035331a0, _cairo_operator op=CAIRO_OPERATOR_OVER, _cairo_pattern * pattern=0x0012f640, _cairo_surface * surface=0x034e4400, int source_x=483, int source_y=637, int dest_x=483, int dest_y=637, unsigned int width=991, unsigned int height=113, cairo_glyph_t * glyphs=0x03546538, int num_glyphs=14)  Line 1194 + 0x56 bytes	C
 seamonkey.exe!_cairo_surface_old_show_glyphs_draw_func(void * closure=, _cairo_operator op=, _cairo_pattern * src=, _cairo_surface * dst=, int dst_x=, int dst_y=, const _cairo_rectangle_int32 * extents=)  Line 977	C
 nspr4.dll!PR_DetachSharedMemory(PRSharedMemory * shm=0x00000000, void * addr=0x00000000)  Line 129 + 0xd bytes	C
 00000001()	
 GDI32.DLL!77f4427d() 	
 GDI32.DLL!77f44293() 	
 seamonkey.exe!_cairo_surface_set_clip_path_recursive(_cairo_surface * surface=0x0012fb28, _cairo_clip_path * clip_path=0x00a5f5a7)  Line 1862 + 0x21 bytes	C
 seamonkey.exe!_cairo_surface_set_clip_path(_cairo_surface * surface=0x00000000, _cairo_clip_path * clip_path=0x00130000, unsigned int serial=1342177633)  Line 1897 + 0xb bytes	C
 NTDLL.DLL!77f9bd5a() 	
 msvcr80.dll!free(void * pBlock=0x00000000)  Line 115 + 0x5 bytes	C
 NTDLL.DLL!77f9cc27() 	
 NTDLL.DLL!77f9ce3f() 	
 NTDLL.DLL!77f9cefc() 	
 NTDLL.DLL!77fb2593() 	
 NTDLL.DLL!77fcb63e() 	
 NTDLL.DLL!77fcb63e() 	
 NTDLL.DLL!77f9cc27() 	
 seamonkey.exe!nsPageFrame::PaintHeaderFooter(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...})  Line 528 + 0x34 bytes	C++
 NTDLL.DLL!77fcb74f() 	
 plds4.dll!FreeArenaList(PLArenaPool * pool=0x00000000, PLArena * head=0x00000000, int reallyFree=0)  Line 297	C
 seamonkey.exe!nsDisplayListBuilder::~nsDisplayListBuilder()  Line 141 + 0x35 bytes	C++
 seamonkey.exe!nsDisplayListBuilder::~nsDisplayListBuilder()  Line 141 + 0x42 bytes	C++
 msvcr80.dll!malloc(unsigned int size=1244084)  Line 163 + 0x63 bytes	C
 seamonkey.exe!_paint_page(_cairo_paginated_surface * surface=)  Line 299 + 0x11 bytes	C
 seamonkey.exe!_cairo_paginated_surface_show_page(void * abstract_surface=0x034e3e98)  Line 445 + 0x6 bytes	C
 seamonkey.exe!gfxWindowsSurface::EndPage()  Line 234 + 0xc bytes	C++
 seamonkey.exe!nsThebesDeviceContext::EndPage()  Line 593	C++
 seamonkey.exe!nsSimplePageSequenceFrame::DoPageEnd()  Line 652	C++
 seamonkey.exe!nsPrintEngine::PrintPage(nsPrintObject * aPO=0x034dec20, int & aInRange=1)  Line 2346	C++
 seamonkey.exe!nsPagePrintTimer::Notify(nsITimer * timer=0x034ef2e8)  Line 91	C++
 xpcom_core.dll!nsTimerImpl::Fire()  Line 415	C++
 xpcom_core.dll!nsTimerEvent::Run()  Line 489	C++
 xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc90)  Line 511	C++
 xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00000001, int mayWait=1)  Line 227 + 0x12 bytes	C++
 seamonkey.exe!nsBaseAppShell::Run()  Line 154 + 0x5 bytes	C++
 seamonkey.exe!nsAppStartup::Run()  Line 182	C++
 seamonkey.exe!XRE_main(int argc=, char * * argv=, const nsXREAppData * aAppData=)  Line 3174	C++
 seamonkey.exe!main(int argc=1, char * * argv=0x00000000)  Line 99 + 0x10 bytes	C++
 seamonkey.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * __formal=0x00400000, char * args=0x00134193, HINSTANCE__ * __formal=0x00400000)  Line 110 + 0x15 bytes	C++
 seamonkey.exe!__tmainCRTStartup()  Line 589 + 0x1d bytes	C
 KERNEL32.DLL!7c5989d5() 	

Still happening in current trunk build.
Flags: blocking1.9?
+'ing w/P2.  Vlad, can you take a look?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Created attachment 311693 [details] [diff] [review]
error check the win32 functions and pass results back

The problem was that we kept going down the print path even though we should have aborted a while ago; StartDoc() was returning an error and we were just ignoring it.  This caused us to try to print to (what I think is) an invalid DC, which caused printing operations to fail, which caused an unfortunate CAIRO_INT_STATUS_UNSUPPORTED to get returned somewhere that really wasn't expecting it... and that led to this abort().  The latter issue is separate, but we really should be checking errors from all the print functions.

This patch might also fix some of the other random error-case win32 printing crashes.
Assignee: nobody → vladimir
Status: NEW → ASSIGNED
Attachment #311693 - Flags: review?(pavlov)

Updated

10 years ago
Attachment #311693 - Flags: review?(pavlov) → review+
Created attachment 311915 [details] [diff] [review]
updated

Some DeviceContextSpec impls had a bad habit of returning NS_ERROR_NOT_IMPLEMENTED when they really meant NS_OK (i.e. "I have nothing that needs to be done for this call", not "the functionality to implement this is missing").  This was causing non-crashing printing to fail, because we are in a new world where we check errors now.
Attachment #311693 - Attachment is obsolete: true
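The two comments above describe the same root cause from both sides: a failing StartDoc() whose return value was dropped, so the print path kept running against a surface whose backend was never set up, and, once statuses were checked, no-op hooks that reported NS_ERROR_NOT_IMPLEMENTED instead of NS_OK. The following is an added example written for this page, not cairo or Mozilla code and not the attached patch. It is a constructed model: status_t, surface_t, fake_start_doc() and the hook names are hypothetical stand-ins, and the "before" path shows where the NULL function-pointer call happens without actually executing it.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the failure described in this bug; NOT cairo or
 * Gecko code.  A "surface" carries a backend function pointer that is
 * only valid once the document has been started.  If StartDoc() fails
 * (here: the user cancelled the "Output File Name" dialog) and the caller
 * ignores that, the later paint step dereferences a NULL function pointer.
 * All names (status_t, surface_t, fake_start_doc, ...) are hypothetical.
 */

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_UNSUPPORTED,        /* stands in for CAIRO_INT_STATUS_UNSUPPORTED */
    STATUS_NO_DEVICE           /* document could not be started */
} status_t;

typedef struct surface surface_t;
typedef status_t (*acquire_dest_image_fn)(surface_t *s);

struct surface {
    acquire_dest_image_fn acquire_dest_image; /* NULL until the DC is usable */
    int pages_painted;
};

/* Hypothetical stand-in for the Win32 StartDoc(): <= 0 signals failure. */
static int fake_start_doc(int user_cancelled)
{
    return user_cancelled ? 0 : 1;
}

static status_t real_acquire_dest_image(surface_t *s)
{
    s->pages_painted++;
    return STATUS_SUCCESS;
}

/* Start the print job and install the backend only if the DC is valid. */
static status_t begin_document(surface_t *s, int user_cancelled)
{
    s->acquire_dest_image = NULL;
    s->pages_painted = 0;
    if (fake_start_doc(user_cancelled) <= 0)
        return STATUS_NO_DEVICE;
    s->acquire_dest_image = real_acquire_dest_image;
    return STATUS_SUCCESS;
}

/* Before the fix: the StartDoc() result is dropped and painting continues,
 * so on cancel this calls through a NULL function pointer and crashes. */
static status_t paint_page_unchecked(surface_t *s, int user_cancelled)
{
    (void)begin_document(s, user_cancelled);    /* error ignored */
    return s->acquire_dest_image(s);            /* NULL deref on cancel */
}

/* After the fix: every status is propagated, so the paint step never runs
 * against a surface whose backend was never installed. */
static status_t paint_page_checked(surface_t *s, int user_cancelled)
{
    status_t st = begin_document(s, user_cancelled);
    if (st != STATUS_SUCCESS)
        return st;                              /* abort the print path */
    if (s->acquire_dest_image == NULL)
        return STATUS_UNSUPPORTED;              /* defensive: backend missing */
    return s->acquire_dest_image(s);
}

/* Second issue from the thread: a hook that has nothing to do must report
 * success, not "not implemented", once callers actually check statuses. */
static status_t noop_hook_wrong(void) { return STATUS_UNSUPPORTED; }
static status_t noop_hook_right(void) { return STATUS_SUCCESS; }

/* Runs the per-page hook, then paints; fails if the hook reports an error. */
static status_t print_with_hook(surface_t *s, status_t (*hook)(void))
{
    status_t st = hook();
    if (st != STATUS_SUCCESS)
        return st;
    return paint_page_checked(s, 0);
}

int main(void)
{
    surface_t s;
    printf("checked, cancelled:       %d\n", (int)paint_page_checked(&s, 1));
    printf("checked, not cancelled:   %d\n", (int)paint_page_checked(&s, 0));
    printf("unchecked, not cancelled: %d\n", (int)paint_page_unchecked(&s, 0));
    printf("wrong no-op hook:         %d\n", (int)print_with_hook(&s, noop_hook_wrong));
    printf("right no-op hook:         %d\n", (int)print_with_hook(&s, noop_hook_right));
    /* paint_page_unchecked(&s, 1) would crash here, as in the original report. */
    return 0;
}
```

The checked path returns the StartDoc() failure to its caller instead of reaching the backend, which is the behaviour the "Printing failed when starting the document." dialog reflects; the hook pair shows why a no-op that answers "unsupported" turns a harmless call into a failed print once errors are no longer swallowed.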

Updated

10 years ago
Attachment #311915 - Flags: review?(pavlov) → review+
Fix checked in.  This might even fix some of the other win32 printing crashers...
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Thanks for fixing. I sometimes got crashes after cancelling a print (cancelling while printing) to XPS file. I'll see if this fixes it.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008032705 Minefield/3.0pre

But I get a "Printing failed when starting the document." error dialog on branch, while I get an "An unknown error occurred while printing." error dialog on trunk.
Maybe worth filing a new bug for, if it matters at all?
Status: RESOLVED → VERIFIED

Updated

10 years ago
Depends on: 425593
Crash Signature: [@ _cairo_surface_acquire_dest_image]