418882 - Crash on www.rhein-zeitung.de [@ _moz_cairo_surface_mark_dirty_rectangle]

Status: VERIFIED FIXED

(Core :: Graphics, defect, P2)

Description

[Carsten Book [:Tomcat]]

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b4pre) Gecko/2008022005 Minefield/3.0b4pre

Steps to reproduce:

Load www.rhein-zeitung.de
Crash during loading this site

Might be related to a ad on this site or to a plugin.

Stack:
(fd0.ed4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=05891f14 ecx=008d0000 edx=00000000 esi=00000000 edi=05891f54
eip=60a43a55 esp=0012edfc ebp=0012eea8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
xul!_moz_cairo_surface_mark_dirty_rectangle+0x5:
60a43a55 837e1000        cmp     dword ptr [esi+10h],0 ds:002b:00000010=????????
0:000> kp
ChildEBP RetAddr  
0012edfc 60a447a2 xul!_moz_cairo_surface_mark_dirty_rectangle+0x5
0012ee14 607e7b86 xul!_moz_cairo_surface_mark_dirty+0x12
0012eea8 607e7542 xul!nsObjectFrame::PaintPlugin(class nsIRenderingContext * aRenderingContext = 0x05899510)+0x253 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1415]
0012eecc 60711f34 xul!PaintPlugin(class nsIFrame * aFrame = 0x05891f14, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012ef2c, struct nsPoint aPt = struct nsPoint)+0x27 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1039]
0012eef4 6072d20e xul!nsDisplayGeneric::Paint(class nsDisplayListBuilder * aBuilder = 0x0012efc8, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012ef2c)+0x27 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.h @ 837]
0012ef0c 6072e06d xul!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x6072d20e, class nsIRenderingContext * aCtx = 0x0012efc8, struct nsRect * aDirtyRect = 0x05899510)+0x1b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 294]
0012ef3c 6072d20e xul!nsDisplayClip::Paint(class nsDisplayListBuilder * aBuilder = 0x0012efc8, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012f26c)+0x4c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 884]
0012ef54 60675c0c xul!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x605f9f21, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0xffffffff)+0x1b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 294]
0012f210 605f9f21 xul!nsLayoutUtils::PaintFrame(class nsIRenderingContext * aRenderingContext = 0x05899510, class nsIFrame * aFrame = 0x05891f14, class nsRegion * aDirtyRegion = 0x008d0000, unsigned int aBackground = 0xffffffff)+0x14f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nslayoututils.cpp @ 874]
0012f228 605f0e17 xul!PresShell::Paint(class nsIView * aView = 0x00000000, class nsIRenderingContext * aRenderingContext = 0x05899510, class nsRegion * aDirtyRegion = 0x0012f24c)+0x82 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nspresshell.cpp @ 5357]
0012f288 605f0c65 xul!nsViewManager::RenderViews(class nsView * aView = 0x00000000, class nsIRenderingContext * aRC = 0x00000000, class nsRegion * aRegion = 0x0012f2d0)+0x6d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 603]
0012f334 605f17ce xul!nsViewManager::Refresh(class nsView * aView = 0x05775940, class nsIRenderingContext * aContext = 0x058b1a60, class nsIRegion * aRegion = 0x0000003c, unsigned int aUpdateFlags = 0x12f390)+0x163 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 493]
0012f390 60685e6c xul!nsViewManager::DispatchEvent(class nsGUIEvent * aEvent = 0x0012f40c, nsEventStatus * aStatus = 0x0012f3a8)+0x23c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 1134]
0012f3ac 60952d40 xul!HandleEvent(class nsGUIEvent * aEvent = 0x0012f40c)+0x26 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsview.cpp @ 171]
0012f3c0 60952da9 xul!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, nsEventStatus * aStatus = 0xeb2bdad7)+0x35 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1052]
0012f3d4 6095744b xul!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x6095595a, nsEventStatus * aStatus = 0x00000000)+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1078]
0012f4c0 6095595a xul!nsWindow::OnPaint(struct HDC__ * aDC = 0x00000000)+0x382 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 5672]
0012f680 60953157 xul!nsWindow::ProcessMessage(unsigned int msg = 0xf, unsigned int wParam = 0, long lParam = 0, long * aRetValue = 0x0012f6a8)+0x2bd [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 4159]
0012f6bc 7d9472d8 xul!nsWindow::WindowProc(struct HWND__ * hWnd = 0x00190626, unsigned int msg = 0xf, unsigned int wParam = 0, long lParam = 62026948)+0xc7 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1267]
0012f6e8 7d947568 USER32!InternalCallWinProc+0x28

Comment 1

[Marcia Knous [:marcia]]

I see this on Vista as well using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b4pre) Gecko/2008022104 Minefield/3.0b4pre. Unfortunately breakpad does not fire on this crash, I only get the Windows error that there is a problem with the program.

Comment 2

[Mike Beltzner [:beltzner, not reading bugmail]]

Crashes that evade Breakpad seem bad. Vlad/Pav should feel free to minus if they think Damon and I are being aggro, here.

Comment 3

[Worcester12345]

No crash: Build identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9b4pre) Gecko/2008022108 SeaMonkey/2.0a1pre

Comment 4

[Henrik Skupin [:whimboo][⌚️UTC+1]]

I even cannot reproduce this issue under WinXP. Having a look at the page info dialog shows me that there are two flash ads which are included into the page. But because we don't have frames within the stack which points to a plugin issue it could be a broken image or something else? Alfred, do you have an idea?

Comment 5

[Worcester12345]

I have Adblocker, so maybe that is why mine didn't crash. Hope that helps.

Comment 6

[Henrik Skupin [:whimboo][⌚️UTC+1]]

But even with deactivated extensions it doesn't crash. Like I already talked with Tomcat it could a specific advertisement.

Comment 7

[Hermann Schwab]

(In reply to comment #6)
> But even with deactivated extensions it doesn't crash. Like I already talked
> with Tomcat it could a specific advertisement.

Flash 9.0 r115 is crashing on some flash files, whereas 9.0 r47 is working (with security issues)

Did you test using the latest flash? If this bug can't be reproduced older flash versions I asume it would be caused by the plugin. There are lots of bugs about this marked invalid (because it is up to Macromedia to fix the plugin).

Bug 419256 – Adobe Flash Player 9,0,115,0 crashes Firefox 2 and 3 version
Bug 408090 – Firefox & Seamonkey stop

Most of the bugs I read with mentioning (or not) but dependend on plugins don't specify the version. Did all people not having crashes use Flash 9.0 r115?
Does anyone crashing on this not use Flash 9.0 r115?

Comment 8

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Tomcat, if you can still reproduce this, can you try to get a full stacktrace, including argument values for the cairo methods?  It doesn't look like you have symbols for the topmost things in that stack.

Comment 9

[Carsten Book [:Tomcat]]

Attachment: stack

Hi Vlad,

this is all i got with windbg, hope that helps :)

Comment 10

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Nope, still no arguments to cairo, like your original stack.  I have flash r115, I've been reloading rhein-zeitung.de for a while now and have not been able to reproduce a crash :(

Comment 11

[Carsten Book [:Tomcat]]

Attachment: screenshot short before the crash

hey vlad, maybe this helps, its a screenshot short before the crash, the "background" is the firefox trunk default startpage and it seems that Firefox crashed during rendering of this page.

Comment 12

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Still can't reproduce this; tried on two different machines. :(  Tomcat mentioned he was on XP 64-bit, but Marcia, it sounds like you're able to reproduce it with regular Vista x86, right?  Or are you also on x86-64?

Given:
eax=00000000 ebx=05891f14 ecx=008d0000 edx=00000000 esi=00000000 edi=05891f54

xul!_moz_cairo_surface_mark_dirty_rectangle+0x5:
60a43a55 837e1000        cmp     dword ptr [esi+10h],0

The first bit in _cairo_surface_mark_dirty_rectangle is:

if (surface->status)
  return;

and indeed, status is at 0x10 in the struct.  So we're getting a null surface here.

.. hey, we're not checking for a surface that's in error here!

Comment 13

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Attachment: potential fix?

tomcat, if you can still reproduce this, can you give this patch a try?  I don't know why a surface is being created that's in error, but this is good error checking anyway.

Comment 14

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Ok, potential fix checked in.  Will mark this fixed for now, but please reopen if someone sees a crash again.  This issue seems to show up in breakpad every now and then, so let's see if that number goes down.

Comment 15

[Carsten Book [:Tomcat]]

Attachment: screenshot after the fix when in

verified fixed using  Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b5pre) Gecko/2008030904 Minefield/3.0b5pre , the layout is still a little messed up, but i do not crash anymore. Many thanks vlad for fixing this !

Comment 16

[Henrik Skupin [:whimboo][⌚️UTC+1]]

It's still interesting why I cannot see this under a 32bit Windows Vista or XP.