Crash [@ nsNativeThemeCocoa::DrawPushButton] with huge word-spacing

Status: VERIFIED FIXED
Priority: P1
Severity: critical
Reported: 10 years ago
Modified: 8 years ago

People

Reporter: jruderman
Assignee: smichaud

Tracking

Blocks: 1 bug (4 keywords)
Version: Trunk
Hardware: x86
OS: Mac OS X
Keywords: crash, testcase, verified1.9.0.4, verified1.9.1

Bug Flags:
blocking1.9.1 +
blocking1.9.0.4 +
wanted1.8.1.x -
in-testsuite +

Details

Whiteboard: [sg:critical?] fixed by bug 444864

Attachments: 3

(Reporter)

Description

10 years ago
Created attachment 332264 [details]
testcase (crashes Firefox when loaded)

With MallocScribble enabled, the testcase makes nsNativeThemeCocoa::DrawPushButton dereference 0x55555575.

This might be related to other sg:critical button-drawing bugs (bug 444864, bug 444260).  Or it might be related to bug 410415, which has a matching crash signature but comes from a real-world site and is not marked as sg:critical.

Before the crash, I see:

firefox-bin(81663,0xa0566fa0) malloc: *** mmap(size=2147487744) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
Mon Aug  4 15:39:44 firefox-bin[81663] <Error>: CGBitmapContextInfoCreate: unable to allocate 2147484480 bytes for bitmap data
Mon Aug  4 15:39:44 firefox-bin[81663] <Error>: CGContextTranslateCTM: invalid context
(Reporter)

Updated

10 years ago
Whiteboard: [sg:critical?]
(Assignee)

Comment 1

10 years ago
Created attachment 334896 [details]
Gdb trace of crash (with console log and debug symbols)

Here's a gdb stack trace of this crash, made without MallocScribble on
a recent trunk build containing debug symbols.  The same crash happens
with a 1.9.0-branch build.

As you'll see, this trace includes an error message (logged to the
console) about an autorelease "message" having been sent to a freed
object -- which confirms Jesse's results with MallocScribble.

I tested on OS X 10.5.4.
Assignee: joshmoz → smichaud
Status: NEW → ASSIGNED
(Assignee)

Comment 2

10 years ago
Forgot to mention that there's no crash (in FF 3.0.1) on Windows XP or Linux.
(Assignee)

Comment 3

10 years ago
My patch for bug 444864 (attachment 329570 [details] [diff] [review]) also fixes this crash.

Since the same patch fixes bug 444260, bug 444864 and this bug
(449111), these bugs must be related.  But I don't think they're dups.

For example, there's only very sketchy evidence that bug 444260 and
bug 444864 are triggered by referencing a deleted object.  But it
seems pretty clear for this bug (449111).

I'll try to identify the object that gets referenced after it's
deleted.
(Assignee)

Updated

10 years ago
Priority: -- → P1
(Assignee)

Comment 4

10 years ago
> For example, there's only very sketchy evidence that bug 444260 and
> bug 444864 are triggered by referencing a deleted object.

Oops.  It's only bug 444864 that (I think) is unlikely to be triggered
by dereferencing a deleted object.  The evidence is pretty clear for
_both_ this bug (449111) and bug 444260.
(Assignee)

Comment 5

10 years ago
Created attachment 334946 [details]
Gdb trace that explains autorelease fault

(Following up comment #3)

> I'll try to identify the object that gets referenced after it's deleted.

If you set NSZombieEnabled before you run Firefox in gdb, you'll see that this
is an NSBitmapGraphicsContext object, and that the autorelease-after-deletion
is an Apple bug:  It occurs at the end of the call to +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that method
releases its local autorelease pool.

When the NSGraphicsContext object is autoreleased, it's already been dealloced
in -[NSBitmapGraphicsContext _initWithGraphicsPort:flipped:carbonOffscreen:]
(called indirectly from +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES]).

The bug is presumably triggered by calling +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES] with 'ctx' set to NULL
(thanks to the previous failure of CGBitmapContextCreate(), which displayed
the "can't allocate region" message).

Exactly the same thing happens with bug 444260.
(Assignee)

Comment 6

10 years ago
(Following up comment #5)

> It occurs at the end of the call to +[NSGraphicsContext
> graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that
> method releases its local autorelease pool.

Actually, the autorelease-after-deletion probably occurs (at the end of the
call to +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES])
as objects created locally get (automatically) autoreleased.

(The problem (of course) is that the NSGraphicsContext object has already been
explicitly released (and dealloced).)
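The failure chain laid out in comments 5 and 6 (a huge bitmap allocation fails, CGBitmapContextCreate returns NULL, the NULL port is handed to +[NSGraphicsContext graphicsContextWithGraphicsPort:flipped:], and AppKit then releases a context object that was never fully created) points at the check an offscreen-drawing routine needs. The Objective-C below is an added illustration written for this page; it is not Mozilla's code and not the patch from bug 444864. The helper name `DrawOffscreenWidget`, the callback type, the `kMaxDim` limit and the sizes in `main` are all made up for the example.

```objective-c
#import <Cocoa/Cocoa.h>
#include <stddef.h>

// Callback type: the caller draws its widget into the supplied CG context.
typedef void (*WidgetDrawFn)(CGContextRef ctx, void *userData);

// Hypothetical helper (not Mozilla code): renders a widget into an offscreen
// bitmap wrapped in an NSGraphicsContext so Cocoa drawing calls can be used.
// Returns NO, without touching AppKit, whenever the bitmap cannot be created,
// so the caller can fall back to another rendering path instead of handing a
// NULL graphics port to AppKit.
static BOOL DrawOffscreenWidget(size_t width, size_t height,
                                WidgetDrawFn drawFn, void *userData)
{
  // Reject absurd sizes before asking CoreGraphics for them. A 2 GB bitmap
  // (the figure in the console log in comment 0) is never a sensible button.
  // The limit itself is an assumed value, not something from the bug.
  const size_t kMaxDim = 16384;
  if (width == 0 || height == 0 || width > kMaxDim || height > kMaxDim)
    return NO;

  CGColorSpaceRef cs = CGColorSpaceCreateDeviceRGB();
  CGContextRef bitmap = CGBitmapContextCreate(NULL, width, height, 8,
                                              width * 4, cs,
                                              kCGImageAlphaPremultipliedFirst);
  CGColorSpaceRelease(cs);

  // This is the check the crash path lacks: on allocation failure
  // CGBitmapContextCreate logs "can't allocate region" and returns NULL.
  // Passing that NULL port to +graphicsContextWithGraphicsPort:flipped: is
  // what triggers the autorelease-after-dealloc described in comment 5.
  if (!bitmap)
    return NO;

  NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
  NSGraphicsContext *saved = [NSGraphicsContext currentContext];
  NSGraphicsContext *nsctx =
      [NSGraphicsContext graphicsContextWithGraphicsPort:bitmap flipped:YES];
  [NSGraphicsContext setCurrentContext:nsctx];

  drawFn(bitmap, userData);

  [NSGraphicsContext setCurrentContext:saved];
  [pool drain];            // nsctx is released here, exactly once
  CGContextRelease(bitmap);
  return YES;
}

// Example drawing callback: fill the whole bitmap with a solid grey.
static void FillGray(CGContextRef ctx, void *userData)
{
  (void)userData;
  CGContextSetGrayFillColor(ctx, 0.5, 1.0);
  CGContextFillRect(ctx, CGRectMake(0, 0,
                                    CGBitmapContextGetWidth(ctx),
                                    CGBitmapContextGetHeight(ctx)));
}

int main(void)
{
  // A sane button size: the draw succeeds.
  BOOL ok = DrawOffscreenWidget(64, 24, FillGray, NULL);
  // A width like the one produced by the huge word-spacing testcase:
  // rejected before any allocation is attempted, so AppKit never sees it.
  BOOL huge = DrawOffscreenWidget((size_t)1 << 29, 24, FillGray, NULL);
  return (ok && !huge) ? 0 : 1;
}
```

The two guards do different jobs: the size cap keeps the layout engine from ever requesting a multi-gigabyte backing store, and the NULL check covers every other way CGBitmapContextCreate can fail (memory pressure, bad parameters), which is the condition that actually reached AppKit in this bug.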
(Reporter)

Updated

10 years ago
Flags: blocking1.9.1?
(Assignee)

Comment 7

10 years ago
Fixed by patch for bug 444864, which was just landed on mozilla-central.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

10 years ago
Reopened because I've backed out my patch for bug 444864 (which
probably caused some reftest failures).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
(Assignee)

Comment 9

10 years ago
Fixed by my new patch for bug 444864, which was just landed on mozilla-central.
Status: REOPENED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Reporter)

Comment 10

10 years ago
Crashtest is in (bug 444864 comment 26).
Flags: in-testsuite+
Depends on: 444864
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.3+
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 444864
(Assignee)

Comment 11

10 years ago
Fixed on the 1.9.0 branch by the patch for bug 444864.
Keywords: fixed1.9.0.4
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Status: RESOLVED → VERIFIED
Verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Keywords: fixed1.9.0.4 → verified1.9.0.4
Group: core-security
Keywords: fixed1.9.1
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081230 Shiretoko/3.1b3pre. Testcase does not crash, so updating the keyword.
Keywords: fixed1.9.1 → verified1.9.1
Crash Signature: [@ nsNativeThemeCocoa::DrawPushButton]