530343 - [10.4] 1.9.0 Crash [@ nsNativeThemeCocoa::DrawPushButton(CGContext*, CGRect const&, int, int, int) ] or [@ objc_msgSend | nsNativeThemeCocoa::DrawPushButton(CGContext*, CGRect const&, int, int, int) ]

Status: RESOLVED WORKSFORME

(Core :: Widget: Cocoa, defect)

Description

[Smokey Ardisson (offline for a while; not following bugs - do not email)]

There are repeated crashes related to drawing form controls "[t]rying to draw when core isn't expecting it somehow."  

While the most common cause is Google Desktop thumbnailing (those where libgoogleintercept.dylib is in the stack), we also have a lot of these crashes in Camino related to Tabsposé (e.g. http://crash-stats.mozilla.com/report/index/d34a7a77-9330-47a3-b457-d13c52091120).

There are also some that are printing (e.g. Camino, http://crash-stats.mozilla.com/report/index/23cea438-580c-400a-8435-ba7b82091119) and some are who knows what (e.g. Firefox, http://crash-stats.mozilla.com/report/index/be37a571-f45a-40ab-9217-466b12091118), perhaps just calling <canvas>?

Comment 1

[Smokey Ardisson (offline for a while; not following bugs - do not email)]

Some more things I noticed today:

1) Unsurprisingly (given where most people crash), if I'm reading the code right, the site of the crash seems to be in the square-button drawing: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm&rev=1.96&mark=449#449

2) This crash only seems to happen on 10.4; Intel has the objc_msgSend frame 0 and PPC has the garbage frame 0.

3) Interestingly, in bug 418497 (which has blame for the line above), Markus noted a rendering difference on 10.4, so something wasn't quite the same on 10.4 already.

Comment 2

[Smokey Ardisson (offline for a while; not following bugs - do not email)]

Oooh!  I just ran this search broadly for Firefox, and it turned up a bunch of crashes in nsObjCExceptionLogAbort(NSException*) | nsNativeThemeCocoa::DrawPushButton(CGContext*, CGRect const&, int, int, int) in older versions of 1.9.0.x when exceptions were still fatal.  The crashing line moves to wherever NS_OBJC_END_TRY_ABORT_BLOCK; is in each build...but we get exceptions collected from Fx 3.0.5 to Fx 3.0.11:

NSInvalidArgumentException: *** -[NSMutableRLEArray isDrawingToScreen]: selector not recognized [self = 0x11307970]

NSInvalidArgumentException: *** -[NSConcreteAttributedString isDrawingToScreen]: selector not recognized [self = 0x192bcc50]

NSInvalidArgumentException: *** -[NSAttributeDictionary initialize]: selector not recognized [self = 0x197352e0]

NSInvalidArgumentException: *** -[NSImage isDrawingToScreen]: selector not recognized [self = 0x182e1620]

The latter two were less common; the last one I saw only once, and the NSAttributeDictionary exception only about 3-4 times.

Most of the Firefox crashes are with Google Desktop, as you'd expect, but there are some, e.g. http://crash-stats.mozilla.com/report/index/12498118-6150-4df4-960e-e7d812091209 and http://crash-stats.mozilla.com/report/index/f0576b68-e663-4002-9c4c-d4cf12091207, that indicate the same exception is turning up in un-tickled cases of these crashes.

Comment 3

[Smokey Ardisson (offline for a while; not following bugs - do not email)]

So, why didn't bug 458961 fix this?  See Markus's bug 458961 comment 13, which is the very same thing as I just spent two comments trying to say ;)

Did the patch that landed on 1.9.0 not include enough/all of the null-checks Stuart wanted, or did bug 394892 move things around, or are there just additional lifetime problems we didn't see before?

Also, regarding the crashes in comment 2, we can ignore all the ones before 3.0.6 (since 1.9.0.6 first had the fix for bug 458961), but all the 3.0.6+ crashes are déjà vu.

Comment 4

[Wayne Mery (:wsmwk)]

No crashes in past month https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=nsNativeThemeCocoa%3A%3ADrawPushButton#tab-reports

If you still see this, please reopen with details