cairo crash when TileManager.js is broken

RESOLVED WONTFIX

Status

Firefox for Android Graveyard
General
RESOLVED WONTFIX
9 years ago
8 years ago

People

(Reporter: blassey, Unassigned)

Tracking

Trunk
All
Windows Mobile 6 Professional

Details

(Whiteboard: mothballed)

Attachments

(1 attachment, 1 obsolete attachment)

Created attachment 395360 [details] [diff] [review]
patch that produces crash

I have a typo in a patch which causes us to crash on startup (reproduced 4 times, including after a full rebuild).  My concern is that something similar could be triggered from content, although I haven't tried.

*Crash details*

Console output:

<snip>
painting:{
result is null from dispatch
	[0, 0, 961, 558],
}
painting:{
Data Abort: Thread=8944a400 Proc=80458cd0 'fennec.exe'
AKY=08000001 PC=7abf3c88(xul.dll+0x00be3c88) RA=000000ef(???+0x000000ef) BVA=6692e000 FSR=00000807
First-chance exception at 0x7abf3c88 in fennec.exe: 0xC0000005: Access violation writing location 0x6692e000.
<crash>

Registers:
R0 = 0xffdedede R1 = 0x6692d5e0 R2 = 0x6692e4e4 R3 = 0x6692e000 R4 = 0x000003c1 
R5 = 0x000003c4 R6 = 0x39bcbe04 R7 = 0x00000001 R8 = 0x00000000 R9 = 0x662dbe20 
R10 = 0x39bcbe48 R11 = 0xffdedede R12 = 0x39bcbe10 Sp = 0x39bcbdcc Lr = 0x000000ee 
Pc = 0x7abf3c88 Psr = 0x80000010 


Stack:
>	xul.dll!_moz_pixman_fill(unsigned int* bits = 0xffdedede, int stride = 1720899040, int bpp = 1720902884, int x = 1720901632, int y = 0, int width = 961, int height = 558, unsigned int xor = 4292796126) Line: 178, Byte Offsets: 0x68	C
 	xul.dll!_moz_pixman_image_fill_rectangles(pixman_op_t op = -2171170, pixman_image* dest = 0x6692d5e0, pixman_color* color = 0x6692e4e4, int n_rects = 1720901632, pixman_rectangle16* rects = 0x39bcbe48) Line: 719, Byte Offsets: 0x11c	C
 	xul.dll!_cairo_image_surface_fill_rectangles(void* abstract_surface = 0xffdedede, _cairo_operator op = 1720899040, _cairo_color* color = 0x6692e4e4, _cairo_rectangle_int* rects = 0x6692e000, int num_rects = 1) Line: 1075, Byte Offsets: 0x164	C
 	xul.dll!_cairo_surface_fill_rectangles(_cairo_surface* surface = 0xffdedede, _cairo_operator op = 1720899040, _cairo_color* color = 0x6692e4e4, _cairo_rectangle_int* rects = 0x6692e000, int num_rects = 1) Line: 1745, Byte Offsets: 0xa0	C
 	xul.dll!_cairo_surface_fill_region(_cairo_surface* surface = 0xffdedede, _cairo_operator op = 1720899040, _cairo_color* color = 0x6692e4e4, _cairo_region* region = 0x6692e000) Line: 1700, Byte Offsets: 0xf4	C
 	xul.dll!_clip_and_composite_trapezoids(_cairo_pattern* src = 0xffdedede, _cairo_operator op = 1720899040, _cairo_surface* dst = 0x6692e4e4, _cairo_traps* traps = 0x6692e000, _cairo_clip* clip = 0x00000000, _cairo_antialias antialias = 0) Line: 612, Byte Offsets: 0x208	C
 	xul.dll!_cairo_surface_fallback_fill(_cairo_surface* surface = 0xffdedede, _cairo_operator op = 1720899040, _cairo_pattern* source = 0x6692e4e4, _cairo_path_fixed* path = 0x6692e000, _cairo_fill_rule fill_rule = 0, double tolerance = 0.10000000000000001, _cairo_antialias antialias = 0) Line: 990, Byte Offsets: 0x1c8	C
 	xul.dll!_cairo_surface_fill(_cairo_surface* surface = 0xffdedede, _cairo_operator op = 1720899040, _cairo_pattern* source = 0x6692e4e4, _cairo_path_fixed* path = 0x6692e000, _cairo_fill_rule fill_rule = 0, double tolerance = 0.10000000000000001, _cairo_antialias antialias = 0, _cairo_rectangle_int* extents = 0x00000000) Line: 2004, Byte Offsets: 0xf0	C
 	xul.dll!_cairo_gstate_fill(_cairo_gstate* gstate = 0xffdedede, _cairo_path_fixed* path = 0x6692d5e0) Line: 1078, Byte Offsets: 0xa4	C
 	xul.dll!_moz_cairo_fill_preserve(_cairo* cr = 0xffdedede) Line: 2203, Byte Offsets: 0x20	C
 	xul.dll!nsThebesRenderingContext::FillRect(nsRect& aRect = {...}) Line: 627, Byte Offsets: 0x184	C++
 	xul.dll!nsDisplaySolidColor::Paint(nsDisplayListBuilder* aBuilder = 0x6692d5e0, nsIRenderingContext* aCtx = 0x6692e4e4, nsRect& aDirtyRect = {...}) Line: 558, Byte Offsets: 0x84	C++
 	xul.dll!nsDisplayList::Paint(nsDisplayListBuilder* aBuilder = 0x6692d5e0, nsIRenderingContext* aCtx = 0x6692e4e4, nsRect& aDirtyRect = {...}) Line: 374, Byte Offsets: 0x3c	C++
 	xul.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext* aRenderingContext = 0xffdedede, nsIFrame* aFrame = 0x6692d5e0, nsRegion& aDirtyRegion = {...}, unsigned int aBackstop = 1720901632, unsigned int aFlags = 0) Line: 1133, Byte Offsets: 0x318	C++
 	xul.dll!PresShell::Paint(nsIView* aView = 0x6692d5e0, nsIRenderingContext* aRenderingContext = 0x6692e4e4, nsRegion& aDirtyRegion = {...}) Line: 5716, Byte Offsets: 0x7c	C++
 	xul.dll!nsViewManager::RenderViews(nsView* aView = 0x6692d5e0, nsIRenderingContext& aRC = {...}, nsRegion& aRegion = {...}) Line: 535, Byte Offsets: 0x158	C++
 	xul.dll!nsViewManager::Refresh(nsView* aView = 0x6692d5e0, nsIRenderingContext* aContext = 0x6692e4e4, nsIRegion* aRegion = 0x6692e000, unsigned int aUpdateFlags = 1) Line: 495, Byte Offsets: 0x340	C++
 	xul.dll!nsViewManager::DispatchEvent(nsGUIEvent* aEvent = 0x6692d5e0, nsIView* aView = 0x6692e4e4, nsEventStatus* aStatus = 0x6692e000) Line: 996, Byte Offsets: 0x308	C++
 	xul.dll!HandleEvent(nsGUIEvent* aEvent = 0xffdedede) Line: 168, Byte Offsets: 0xc4	C++
 	xul.dll!nsWindow::DispatchEvent(nsGUIEvent* event = 0x6692d5e0, nsEventStatus& aStatus = 0) Line: 2832, Byte Offsets: 0x48	C++
 	xul.dll!nsWindow::DispatchWindowEvent(nsGUIEvent* event = 0x6692d5e0, nsEventStatus& aStatus = 0) Line: 2866, Byte Offsets: 0x14	C++
 	xul.dll!nsWindow::PaintRect(tagRECT rcPaint = {...}, nsPaintEvent* event = 0x6692d5e0) Line: 888, Byte Offsets: 0x1fc	C++
 	xul.dll!nsWindow::OnPaintImageDDraw16(void) Line: 1048, Byte Offsets: 0x3b8	C++
 	xul.dll!nsWindow::OnPaint(HDC__* aDC = 0x6692d5e0) Line: 645, Byte Offsets: 0x2c	C++
 	xul.dll!nsWindow::ProcessMessage(unsigned int msg = 1720899040, unsigned int& wParam = 0, long int& lParam = 0, long int* aRetValue = 0x39bcdbd8) Line: 3745, Byte Offsets: 0x2e8	C++
 	xul.dll!nsWindow::WindowProc(HWND__* hWnd = 0xffdedede, unsigned int msg = 1720899040, unsigned int wParam = 1720902884, long int lParam = 1720901632) Line: 3448, Byte Offsets: 0x150	C++
 	0xf000fffc
If that backtrace's arguments are to be believed, all sorts of things are bogus (the cairo operator, the stride, etc).  But this is coming in from windowproc, so anything JS-related would have had to scribble memory or something...
(In reply to comment #1)
> If that backtrace's arguments are to be believed, all sorts of things are bogus
> (the cairo operator, the stride, etc).  But this is coming in from windowproc,
> so anything JS-related would have had to scribble memory or something...

This is an optimized build, so the arguments in the backtrace are very often garbage anyway.
Created attachment 395368 [details] [diff] [review]
patch with missing paren

Sorry, I had attached the patch without the typo.
Attachment #395360 - Attachment is obsolete: true
Can you build debug and get a real stack?

Comment 5

9 years ago
This is the line with the missing paren:

+    dump("rederTile: "+t2-t1)+"\nappendTileSave: "+(t3-t2)+"\nholdTile: "+(t4-t3) +"\n");
(In reply to comment #5)
> This is the line with the missing paren:
> 
> +    dump("rederTile: "+t2-t1)+"\nappendTileSave: "+(t3-t2)+"\nholdTile:
> "+(t4-t3) +"\n");

yes
here's a stack from a debug build:
>	xul.dll!pixman_fill32(unsigned int* bits = 0x66f2d5e0, int stride = 964, int x = 0, int y = 0, int width = 961, int height = 239, unsigned int xor = 4292796126) Line: 133, Byte Offsets: 0x98	C
 	xul.dll!_moz_pixman_fill(unsigned int* bits = 0x66e02000, int stride = 964, int bpp = 32, int x = 0, int y = 0, int width = 961, int height = 558, unsigned int xor = 4292796126) Line: 179, Byte Offsets: 0xcc	C
 	xul.dll!_moz_pixman_image_fill_rectangles(pixman_op_t op = 1, pixman_image* dest = 0x63c7abe0, pixman_color* color = 0x3bbc9944, int n_rects = 1, pixman_rectangle16* rects = 0x3bbc9138) Line: 720, Byte Offsets: 0x248	C
 	xul.dll!_cairo_image_surface_fill_rectangles(void* abstract_surface = 0x63ca6ad0, _cairo_operator op = 2, _cairo_color* color = 0x63cfe638, _cairo_rectangle_int* rects = 0x3bbc99e0, int num_rects = 1) Line: 1075, Byte Offsets: 0x27c	C
 	xul.dll!_cairo_surface_fill_rectangles(_cairo_surface* surface = 0x63ca6ad0, _cairo_operator op = 2, _cairo_color* color = 0x63cfe638, _cairo_rectangle_int* rects = 0x3bbc99e0, int num_rects = 1) Line: 1744, Byte Offsets: 0x108	C
 	xul.dll!_cairo_surface_fill_region(_cairo_surface* surface = 0x63ca6ad0, _cairo_operator op = 2, _cairo_color* color = 0x63cfe638, _cairo_region* region = 0x63d2dea0) Line: 1698, Byte Offsets: 0x1b8	C
 	xul.dll!_clip_and_composite_trapezoids(_cairo_pattern* src = 0x63cfe5e0, _cairo_operator op = 2, _cairo_surface* dst = 0x63ca6ad0, _cairo_traps* traps = 0x3bbca330, _cairo_clip* clip = 0x00000000, _cairo_antialias antialias = 0) Line: 612, Byte Offsets: 0x364	C
 	xul.dll!_cairo_surface_fallback_fill(_cairo_surface* surface = 0x63ca6ad0, _cairo_operator op = 2, _cairo_pattern* source = 0x63cfe5e0, _cairo_path_fixed* path = 0x66349ae4, _cairo_fill_rule fill_rule = 0, double tolerance = 0.10000000000000001, _cairo_antialias antialias = 0) Line: 990, Byte Offsets: 0x2c4	C
 	xul.dll!_cairo_surface_fill(_cairo_surface* surface = 0x63ca6ad0, _cairo_operator op = 2, _cairo_pattern* source = 0x63cfe5e0, _cairo_path_fixed* path = 0x66349ae4, _cairo_fill_rule fill_rule = 0, double tolerance = 0.10000000000000001, _cairo_antialias antialias = 0, _cairo_rectangle_int* extents = 0x00000000) Line: 2004, Byte Offsets: 0x174	C
 	xul.dll!_cairo_gstate_fill(_cairo_gstate* gstate = 0x66c067c0, _cairo_path_fixed* path = 0x66349ae4) Line: 1076, Byte Offsets: 0x128	C
 	xul.dll!_moz_cairo_fill_preserve(_cairo* cr = 0x66349800) Line: 2203, Byte Offsets: 0x40	C
 	xul.dll!gfxContext::Fill(void) Line: 148, Byte Offsets: 0x1c	C++
 	xul.dll!nsThebesRenderingContext::FillRect(nsRect& aRect = {...}) Line: 629, Byte Offsets: 0x4ac	C++
 	xul.dll!nsDisplaySolidColor::Paint(nsDisplayListBuilder* aBuilder = 0x3bbca958, nsIRenderingContext* aCtx = 0x63c56500, nsRect& aDirtyRect = {...}) Line: 558, Byte Offsets: 0xac	C++
 	xul.dll!nsDisplayList::Paint(nsDisplayListBuilder* aBuilder = 0x3bbca958, nsIRenderingContext* aCtx = 0x63c56500, nsRect& aDirtyRect = {...}) Line: 375, Byte Offsets: 0x70	C++
 	xul.dll!nsLayoutUtils::PaintFrame(nsIRenderingContext* aRenderingContext = 0x63c56500, nsIFrame* aFrame = 0x66b3d618, nsRegion& aDirtyRegion = {...}, unsigned int aBackstop = 4294967295, unsigned int aFlags = 0) Line: 1133, Byte Offsets: 0x4cc	C++
 	xul.dll!PresShell::Paint(nsIView* aView = 0x662c2640, nsIRenderingContext* aRenderingContext = 0x63c56500, nsRegion& aDirtyRegion = {...}) Line: 5711, Byte Offsets: 0xf0	C++
 	xul.dll!nsViewManager::RenderViews(nsView* aView = 0x662c2640, nsIRenderingContext& aRC = {...}, nsRegion& aRegion = {...}) Line: 535, Byte Offsets: 0x148	C++
 	xul.dll!nsViewManager::Refresh(nsView* aView = 0x662c2640, nsIRenderingContext* aContext = 0x63c56500, nsIRegion* aRegion = 0x662d9600, unsigned int aUpdateFlags = 1) Line: 495, Byte Offsets: 0x490	C++
 	xul.dll!nsViewManager::DispatchEvent(nsGUIEvent* aEvent = 0x3bbcb3c0, nsIView* aView = 0x662c2640, nsEventStatus* aStatus = 0x3bbcb150) Line: 996, Byte Offsets: 0x6b8	C++
 	xul.dll!HandleEvent(nsGUIEvent* aEvent = 0x3bbcb3c0) Line: 168, Byte Offsets: 0xa0	C++
 	xul.dll!nsWindow::DispatchEvent(nsGUIEvent* event = 0x3bbcb3c0, nsEventStatus& aStatus = 0) Line: 2832, Byte Offsets: 0x80	C++
 	xul.dll!nsWindow::DispatchWindowEvent(nsGUIEvent* event = 0x3bbcb3c0, nsEventStatus& aStatus = 0) Line: 2866, Byte Offsets: 0x34	C++
 	xul.dll!nsWindow::PaintRect(tagRECT rcPaint = {...}, nsPaintEvent* event = 0x3bbcb3c0) Line: 887, Byte Offsets: 0x41c	C++
 	xul.dll!nsWindow::OnPaintImageDDraw16(void) Line: 1048, Byte Offsets: 0x584	C++
 	xul.dll!nsWindow::OnPaint(HDC__* aDC = 0x00000000) Line: 259, Byte Offsets: 0x30	C++
 	xul.dll!nsWindow::ProcessMessage(unsigned int msg = 15, unsigned int& wParam = 0, long int& lParam = 0, long int* aRetValue = 0x3bbcbdd4) Line: 3745, Byte Offsets: 0x9bc	C++
 	xul.dll!nsWindow::WindowProc(HWND__* hWnd = 0x7c0969a0, unsigned int msg = 15, unsigned int wParam = 0, long int lParam = 0) Line: 3448, Byte Offsets: 0x1b0	C++
 	0xf000fffc	

and registers:
R0 = 0x66e02000 R1 = 0x00000288 R2 = 0x66f2e000 R3 = 0xffdedede R4 = 0x7b561c5c 
R5 = 0x00000000 R6 = 0x00000000 R7 = 0x00000000 R8 = 0x7c0969a0 R9 = 0x00000000 
R10 = 0x00000000 R11 = 0x3bbcbe74 R12 = 0x3bbc902c Sp = 0x3bbc9010 Lr = 0x7b5ef470 
Pc = 0x7b5ef708 Psr = 0x80000010 


and console output: 
Data Abort: Thread=897f9400 Proc=80458dc0 'fennec.exe'
AKY=10000001 PC=7b5ef708(xul.dll+0x015df708) RA=7b5ef470(xul.dll+0x015df470) BVA=66f2e000 FSR=00000807
First-chance exception at 0x7b5ef708 in fennec.exe: 0xC0000005: Access violation writing location 0x66f2e000.

Comment 8

9 years ago
I don't see any JS being involved here. This looks like cairo insanity.
For sanity's sake, can you try replacing the entire tileManager.js file with something that causes a parse error, like a single "}" or something?

Updated

8 years ago
Assignee: general → nobody
Component: JavaScript Engine → Windows Mobile
Product: Core → Fennec
QA Contact: general → mobile-windows

Updated

8 years ago
Summary: crash with missing paren in TileManager.js → cairo crash when TileManager.js is broken

Updated

8 years ago
Group: core-security
This year we mothballed windows mobile development.  See:

  http://blog.pavlov.net/2010/03/22/stopping-development-for-windows-mobile/

Marking bugs in the windows mobile / windows ce bucket as WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
Whiteboard: mothballed

Updated

8 years ago
Component: Windows Mobile → General
QA Contact: mobile-windows → general
Hardware: ARM → All