Closed
Bug 418882
Opened 16 years ago
Closed 16 years ago
Crash on www.rhein-zeitung.de [@ _moz_cairo_surface_mark_dirty_rectangle]
Categories: Core :: Graphics, defect, P2
Status: VERIFIED FIXED
People: Reporter: cbook, Assigned: vlad
Keywords: crash
Attachments (4 files):
11.70 KB, text/plain
178.03 KB, image/jpeg
1.87 KB, patch (roc: review+, roc: superreview+)
115.97 KB, image/jpeg
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b4pre) Gecko/2008022005 Minefield/3.0b4pre

Steps to reproduce:
Load www.rhein-zeitung.de
Crash during loading this site

Might be related to an ad on this site or to a plugin.

Stack:

(fd0.ed4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=05891f14 ecx=008d0000 edx=00000000 esi=00000000 edi=05891f54
eip=60a43a55 esp=0012edfc ebp=0012eea8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
xul!_moz_cairo_surface_mark_dirty_rectangle+0x5:
60a43a55 837e1000 cmp dword ptr [esi+10h],0 ds:002b:00000010=????????
0:000> kp
ChildEBP RetAddr
0012edfc 60a447a2 xul!_moz_cairo_surface_mark_dirty_rectangle+0x5
0012ee14 607e7b86 xul!_moz_cairo_surface_mark_dirty+0x12
0012eea8 607e7542 xul!nsObjectFrame::PaintPlugin(class nsIRenderingContext * aRenderingContext = 0x05899510)+0x253 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1415]
0012eecc 60711f34 xul!PaintPlugin(class nsIFrame * aFrame = 0x05891f14, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012ef2c, struct nsPoint aPt = struct nsPoint)+0x27 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1039]
0012eef4 6072d20e xul!nsDisplayGeneric::Paint(class nsDisplayListBuilder * aBuilder = 0x0012efc8, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012ef2c)+0x27 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.h @ 837]
0012ef0c 6072e06d xul!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x6072d20e, class nsIRenderingContext * aCtx = 0x0012efc8, struct nsRect * aDirtyRect = 0x05899510)+0x1b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 294]
0012ef3c 6072d20e xul!nsDisplayClip::Paint(class nsDisplayListBuilder * aBuilder = 0x0012efc8, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0x0012f26c)+0x4c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 884]
0012ef54 60675c0c xul!nsDisplayList::Paint(class nsDisplayListBuilder * aBuilder = 0x605f9f21, class nsIRenderingContext * aCtx = 0x05899510, struct nsRect * aDirtyRect = 0xffffffff)+0x1b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nsdisplaylist.cpp @ 294]
0012f210 605f9f21 xul!nsLayoutUtils::PaintFrame(class nsIRenderingContext * aRenderingContext = 0x05899510, class nsIFrame * aFrame = 0x05891f14, class nsRegion * aDirtyRegion = 0x008d0000, unsigned int aBackground = 0xffffffff)+0x14f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nslayoututils.cpp @ 874]
0012f228 605f0e17 xul!PresShell::Paint(class nsIView * aView = 0x00000000, class nsIRenderingContext * aRenderingContext = 0x05899510, class nsRegion * aDirtyRegion = 0x0012f24c)+0x82 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\base\nspresshell.cpp @ 5357]
0012f288 605f0c65 xul!nsViewManager::RenderViews(class nsView * aView = 0x00000000, class nsIRenderingContext * aRC = 0x00000000, class nsRegion * aRegion = 0x0012f2d0)+0x6d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 603]
0012f334 605f17ce xul!nsViewManager::Refresh(class nsView * aView = 0x05775940, class nsIRenderingContext * aContext = 0x058b1a60, class nsIRegion * aRegion = 0x0000003c, unsigned int aUpdateFlags = 0x12f390)+0x163 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 493]
0012f390 60685e6c xul!nsViewManager::DispatchEvent(class nsGUIEvent * aEvent = 0x0012f40c, nsEventStatus * aStatus = 0x0012f3a8)+0x23c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsviewmanager.cpp @ 1134]
0012f3ac 60952d40 xul!HandleEvent(class nsGUIEvent * aEvent = 0x0012f40c)+0x26 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\view\src\nsview.cpp @ 171]
0012f3c0 60952da9 xul!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, nsEventStatus * aStatus = 0xeb2bdad7)+0x35 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1052]
0012f3d4 6095744b xul!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x6095595a, nsEventStatus * aStatus = 0x00000000)+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1078]
0012f4c0 6095595a xul!nsWindow::OnPaint(struct HDC__ * aDC = 0x00000000)+0x382 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 5672]
0012f680 60953157 xul!nsWindow::ProcessMessage(unsigned int msg = 0xf, unsigned int wParam = 0, long lParam = 0, long * aRetValue = 0x0012f6a8)+0x2bd [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 4159]
0012f6bc 7d9472d8 xul!nsWindow::WindowProc(struct HWND__ * hWnd = 0x00190626, unsigned int msg = 0xf, unsigned int wParam = 0, long lParam = 62026948)+0xc7 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1267]
0012f6e8 7d947568 USER32!InternalCallWinProc+0x28
Flags: blocking1.9?
Comment 1•16 years ago
I see this on Vista as well using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b4pre) Gecko/2008022104 Minefield/3.0b4pre. Unfortunately breakpad does not fire on this crash, I only get the Windows error that there is a problem with the program.
Comment 2•16 years ago
Crashes that evade Breakpad seem bad. Vlad/Pav should feel free to minus if they think Damon and I are being aggro, here.
Component: General → GFX
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
QA Contact: general → general
Updated•16 years ago
Summary: Crash on www.rhein-zeitung.de → Crash on www.rhein-zeitung.de [@ _moz_cairo_surface_mark_dirty_rectangle]
Comment 3•16 years ago
No crash: Build identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9b4pre) Gecko/2008022108 SeaMonkey/2.0a1pre
Comment 4•16 years ago
I cannot even reproduce this issue under WinXP. Having a look at the page info dialog shows me that there are two flash ads which are included in the page. But because we don't have frames within the stack which point to a plugin issue, it could be a broken image or something else? Alfred, do you have an idea?
Comment 5•16 years ago
I have Adblocker, so maybe that is why mine didn't crash. Hope that helps.
Comment 6•16 years ago
But even with deactivated extensions it doesn't crash. Like I already talked with Tomcat, it could be a specific advertisement.
Comment 7•16 years ago
(In reply to comment #6)
> But even with deactivated extensions it doesn't crash. Like I already talked
> with Tomcat it could a specific advertisement.

Flash 9.0 r115 is crashing on some flash files, whereas 9.0 r47 is working (with security issues). Did you test using the latest flash? If this bug can't be reproduced with older flash versions I assume it would be caused by the plugin. There are lots of bugs about this marked invalid (because it is up to Macromedia to fix the plugin).

Bug 419256 – Adobe Flash Player 9,0,115,0 crashes Firefox 2 and 3 version
Bug 408090 – Firefox & Seamonkey stop

Most of the bugs I read with mentioning (or not) but dependent on plugins don't specify the version. Did all people not having crashes use Flash 9.0 r115? Does anyone crashing on this not use Flash 9.0 r115?
Assignee
Comment 8•16 years ago
Tomcat, if you can still reproduce this, can you try to get a full stacktrace, including argument values for the cairo methods? It doesn't look like you have symbols for the topmost things in that stack.
Flags: blocking1.9?
Reporter
Comment 9•16 years ago
Hi Vlad, this is all I got with windbg, hope that helps :)
Assignee
Comment 10•16 years ago
Nope, still no arguments to cairo, like your original stack. I have flash r115, I've been reloading rhein-zeitung.de for a while now and have not been able to reproduce a crash :(
Updated•16 years ago
Flags: tracking1.9+
Flags: blocking1.9?
Flags: blocking1.9+
Assignee
Updated•16 years ago
Assignee: nobody → vladimir
Reporter
Comment 11•16 years ago
hey vlad, maybe this helps, it's a screenshot shortly before the crash, the "background" is the firefox trunk default startpage and it seems that Firefox crashed during rendering of this page.
Assignee
Comment 12•16 years ago
Still can't reproduce this; tried on two different machines. :( Tomcat mentioned he was on XP 64-bit, but Marcia, it sounds like you're able to reproduce it with regular Vista x86, right? Or are you also on x86-64?

Given:

eax=00000000 ebx=05891f14 ecx=008d0000 edx=00000000 esi=00000000 edi=05891f54
xul!_moz_cairo_surface_mark_dirty_rectangle+0x5:
60a43a55 837e1000 cmp dword ptr [esi+10h],0

The first bit in _cairo_surface_mark_dirty_rectangle is:

if (surface->status)
    return;

and indeed, status is at 0x10 in the struct. So we're getting a null surface here.

.. hey, we're not checking for a surface that's in error here!
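The triage step in comment 12, as an added example that is not part of the original bug thread or the attached patch: with a NULL base pointer the faulting address equals the offset of the field being read, and a caller-side check avoids the dereference. The struct layout and the names demo_surface, field_at_null_offset, demo_mark_dirty and paint_checked are constructed for illustration and are not cairo's or Mozilla's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit stand-in, NOT cairo's real definition: four 4-byte
 * fields precede status, putting it at offset 0x10 as comment 12 states. */
typedef struct {
    uint32_t backend, type, content, ref_count;
    int32_t  status;   /* 0 = ok, non-zero = surface in error */
    int32_t  dirty;    /* hypothetical flag set by demo_mark_dirty */
} demo_surface;

#define FIELD(n) { offsetof(demo_surface, n), #n }
/* With a NULL base pointer the fault address is the field offset; NULL = no field. */
const char *field_at_null_offset(uintptr_t fault_addr)
{
    static const struct { size_t off; const char *name; } f[] = {
        FIELD(backend), FIELD(type), FIELD(content),
        FIELD(ref_count), FIELD(status), FIELD(dirty),
    };
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        if (fault_addr >= f[i].off && fault_addr < f[i].off + 4)
            return f[i].name;
    return NULL;
}

/* Callee shaped like the snippet in comment 12: its first access reads status. */
static void demo_mark_dirty(demo_surface *surface)
{
    if (surface->status)
        return;
    surface->dirty = 1;
}

/* Caller-side guard: skip NULL and in-error surfaces. 1 = painted, 0 = skipped. */
int paint_checked(demo_surface *surface)
{
    if (surface == NULL || surface->status != 0)
        return 0;
    demo_mark_dirty(surface);
    return 1;
}

int main(void)
{
    printf("0x10 -> %s, NULL painted: %d\n", field_at_null_offset(0x10), paint_checked(NULL));
    return 0;
}
```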
Assignee
Comment 13•16 years ago
tomcat, if you can still reproduce this, can you give this patch a try? I don't know why a surface is being created that's in error, but this is good error checking anyway.
Attachment #307659 - Flags: review?(roc)
Attachment #307659 - Flags: superreview+
Attachment #307659 - Flags: review?(roc)
Attachment #307659 - Flags: review+
Assignee
Comment 14•16 years ago
Ok, potential fix checked in. Will mark this fixed for now, but please reopen if someone sees a crash again. This issue seems to show up in breakpad every now and then, so let's see if that number goes down.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Reporter
Comment 15•16 years ago
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b5pre) Gecko/2008030904 Minefield/3.0b5pre, the layout is still a little messed up, but I do not crash anymore. Many thanks vlad for fixing this!
Reporter
Updated•16 years ago
Status: RESOLVED → VERIFIED
Comment 16•16 years ago
It's still interesting why I cannot see this under a 32bit Windows Vista or XP.
Updated•13 years ago
Crash Signature: [@ _moz_cairo_surface_mark_dirty_rectangle]