Closed Bug 449111 Opened 17 years ago Closed 16 years ago

Crash [@ nsNativeThemeCocoa::DrawPushButton] with huge word-spacing

Categories

(Core :: Widget: Cocoa, defect, P1)

x86
macOS
defect


VERIFIED FIXED

People

(Reporter: jruderman, Assigned: smichaud)

References

Details

(4 keywords, Whiteboard: [sg:critical?] fixed by bug 444864)

Crash Data

Attachments

(3 files)

With MallocScribble enabled, the testcase makes nsNativeThemeCocoa::DrawPushButton dereference 0x55555575. This might be related to other sg:critical button-drawing bugs (bug 444864, bug 444260). Or it might be related to bug 410415, which has a matching crash signature but comes from a real-world site and is not marked as sg:critical.

Before the crash, I see:

firefox-bin(81663,0xa0566fa0) malloc: *** mmap(size=2147487744) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
Mon Aug 4 15:39:44 firefox-bin[81663] <Error>: CGBitmapContextInfoCreate: unable to allocate 2147484480 bytes for bitmap data
Mon Aug 4 15:39:44 firefox-bin[81663] <Error>: CGContextTranslateCTM: invalid context
Whiteboard: [sg:critical?]
Here's a gdb stack trace of this crash, made without MallocScribble on a recent trunk build containing debug symbols. The same crash happens with a 1.9.0-branch build. As you'll see, this trace includes an error message (logged to the console) about an autorelease "message" having been sent to a freed object -- which confirms Jesse's results with MallocScribble. I tested on OS X 10.5.4.
Assignee: joshmoz → smichaud
Status: NEW → ASSIGNED
Forgot to mention that there's no crash (in FF 3.0.1) on Windows XP or Linux.
My patch for bug 444864 (attachment 329570 [details] [diff] [review]) also fixes this crash. Since the same patch fixes bug 444260, bug 444864 and this bug (449111), these bugs must be related. But I don't think they're dups. For example, there's only very sketchy evidence that bug 444260 and bug 444864 are triggered by referencing a deleted object. But it seems pretty clear for this bug (449111). I'll try to identify the object that gets referenced after it's deleted.
Priority: -- → P1
> For example, there's only very sketchy evidence that bug 444260 and
> bug 444864 are triggered by referencing a deleted object.

Oops. It's only bug 444864 that (I think) is unlikely to be triggered by dereferencing a deleted object. The evidence is pretty clear for _both_ this bug (449111) and bug 444260.
(Following up comment #3)

> I'll try to identify the object that gets referenced after it's deleted.

If you set NSZombieEnabled before you run Firefox in gdb, you'll see that this is an NSBitmapGraphicsContext object, and that the autorelease-after-deletion is an Apple bug: It occurs at the end of the call to +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that method releases its local autorelease pool. When the NSGraphicsContext object is autoreleased, it's already been dealloced in -[NSBitmapGraphicsContext _initWithGraphicsPort:flipped:carbonOffscreen:] (called indirectly from +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES]).

The bug is presumably triggered by calling +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES] with 'ctx' set to NULL (thanks to the previous failure of CGBitmapContextCreate(), which displayed the "can't allocate region" message). Exactly the same thing happens with bug 444260.
(Following up comment #5)

> It occurs at the end of the call to +[NSGraphicsContext
> graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that
> method releases its local autorelease pool.

Actually, the autorelease-after-deletion probably occurs (at the end of the call to +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES]) as objects created locally get (automatically) autoreleased. (The problem (of course) is that the NSGraphicsContext object has already been explicitly released (and dealloced).)
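The failure chain described in comments 5 and 6 (CGBitmapContextCreate() fails for a roughly 2 GiB bitmap and returns NULL; that NULL port is then handed to +[NSGraphicsContext graphicsContextWithGraphicsPort:flipped:], which over-releases its NSBitmapGraphicsContext) comes down to an unchecked allocation failure propagating into a layer that cannot cope with it. The C example below is added here and is not Mozilla's code nor the patch from bug 444864; the bitmap_ctx type, bitmap_ctx_create() and the MAX_BITMAP_BYTES cap are hypothetical stand-ins for the CoreGraphics calls so that the path can be exercised off macOS. It shows the two checks a caller of such an API should make: an overflow-safe size computation from layout-derived dimensions (here driven by a huge word-spacing), and an explicit NULL check before the context is passed on to anything that assumes it is valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a CoreGraphics bitmap context. This is NOT CGContext; it is a
 * hypothetical type so the allocation-failure path can be exercised off macOS. */
typedef struct {
    size_t width;
    size_t height;
    size_t bytes_per_row;
    unsigned char *data;
} bitmap_ctx;

/* Assumed cap on backing-store size. Comment 0 shows a ~2 GiB request failing
 * inside mmap; refusing oversized requests up front keeps the failure explicit. */
#define MAX_BITMAP_BYTES ((size_t)256 * 1024 * 1024)

/* Returns width * bpp * height, or 0 if any factor is zero or the product
 * would overflow size_t. Layout values that a page can influence must not be
 * allowed to wrap the size computation. */
size_t checked_bitmap_bytes(size_t width, size_t height, size_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (width > SIZE_MAX / bpp)
        return 0;
    size_t row = width * bpp;
    if (height > SIZE_MAX / row)
        return 0;
    return row * height;
}

/* Stand-in for CGBitmapContextCreate(): like the real call, returns NULL when
 * the backing store cannot be allocated. */
bitmap_ctx *bitmap_ctx_create(size_t width, size_t height)
{
    size_t bytes = checked_bitmap_bytes(width, height, 4);
    if (bytes == 0 || bytes > MAX_BITMAP_BYTES)
        return NULL;                      /* mimics "can't allocate region" */
    bitmap_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL)
        return NULL;
    ctx->data = calloc(bytes, 1);
    if (ctx->data == NULL) {
        free(ctx);
        return NULL;
    }
    ctx->width = width;
    ctx->height = height;
    ctx->bytes_per_row = width * 4;
    return ctx;
}

void bitmap_ctx_release(bitmap_ctx *ctx)
{
    if (ctx != NULL) {
        free(ctx->data);
        free(ctx);
    }
}

/* Hypothetical stand-in for the widget-drawing path. The point from comment 5:
 * a NULL context must never be passed on to the next layer (in the real code,
 * +[NSGraphicsContext graphicsContextWithGraphicsPort:flipped:]), because that
 * layer cannot be trusted to handle NULL safely. Returns 1 if the button was
 * drawn, 0 if drawing was skipped because no context could be created. */
int draw_push_button(size_t width, size_t height)
{
    bitmap_ctx *ctx = bitmap_ctx_create(width, height);
    if (ctx == NULL)
        return 0;                         /* bail out instead of continuing with NULL */

    /* Stand-in for wrapping the port in a graphics context and drawing the widget. */
    memset(ctx->data, 0xff, ctx->bytes_per_row * ctx->height);

    bitmap_ctx_release(ctx);
    return 1;
}

int main(void)
{
    printf("normal button: %s\n", draw_push_button(100, 20) ? "drawn" : "skipped");
    printf("huge button:   %s\n", draw_push_button((size_t)1 << 29, 1) ? "drawn" : "skipped");
    return 0;
}
```

The second call requests a 2 GiB backing store, which the stand-in allocator refuses the way mmap did in comment 0; the caller then skips the draw rather than forwarding a NULL port. On the real platform the same shape applies: test the CGBitmapContextCreate() result before it reaches any AppKit wrapper.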
Flags: blocking1.9.1?
Fixed by patch for bug 444864, which was just landed on mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Reopened because I've backed out my patch for bug 444864 (which probably caused some reftest failures).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: blocking1.9.1? → blocking1.9.1+
Fixed by my new patch for bug 444864, which was just landed on mozilla-central.
Status: REOPENED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Crashtest is in (bug 444864 comment 26).
Flags: in-testsuite+
Depends on: 444864
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.3+
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 444864
Fixed on the 1.9.0 branch by the patch for bug 444864.
Keywords: fixed1.9.0.4
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Status: RESOLVED → VERIFIED
Verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Group: core-security
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081230 Shiretoko/3.1b3pre. Testcase does not crash so updating the keyword.
Crash Signature: [@ nsNativeThemeCocoa::DrawPushButton]