oom crash [@ _wrap_image]

Status: RESOLVED INCOMPLETE, critical
People: Reporter: timeless, Assigned: timeless
Tracking: {crash}, Trunk, x86, Windows XP
Attachments: 1 attachment

(Assignee)

Description

9 years ago
1304 _wrap_image (cairo_surface_t *src,
1305  cairo_image_surface_t *image,
1306  void *image_extra,
1307  cairo_image_surface_t **out)
1308 {
1309  static cairo_user_data_key_t wrap_image_key;
1310  cairo_image_surface_t *surface;
1311  cairo_status_t status;
1312 
1313  struct acquire_source_image_data *data = malloc(sizeof(*data));
1314  data->src = src;
1315  data->image = image;
1316  data->image_extra = image_extra; 

Signature	_wrap_image
UUID	34549e97-00d7-44dc-8e11-613862091125
Time 	2009-11-25 08:01:59.644364
Uptime	277
Last Crash	29413 seconds before submission
Product	Firefox
Version	3.6b3
Build ID	20091115182845
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 4
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	_wrap_image 	gfx/cairo/cairo/src/cairo-surface.c:1316
1 	xul.dll 	_cairo_surface_clone_similar 	gfx/cairo/cairo/src/cairo-surface.c:1429
2 	xul.dll 	_cairo_pattern_acquire_surface_for_surface 	gfx/cairo/cairo/src/cairo-pattern.c:1993
3 	xul.dll 	_cairo_pattern_acquire_surface 	gfx/cairo/cairo/src/cairo-pattern.c:2160
4 	xul.dll 	_cairo_pattern_acquire_surfaces 	gfx/cairo/cairo/src/cairo-pattern.c:2237
5 	xul.dll 	_cairo_image_surface_composite 	gfx/cairo/cairo/src/cairo-image-surface.c:972
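
The excerpt above stores through the result of malloc without checking it. As an added example (not cairo's code and not the attached patch), this is a checked form of the same pattern with an injectable allocator so the out-of-memory path can be exercised deterministically; `status_t`, `acquire_data`, `alloc_fn`, `wrap_image_checked` and `try_wrap` are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; these are not cairo's definitions. */
typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1 } status_t;
/* The three fields assigned in the excerpt (layout is an assumption). */
struct acquire_data { void *src, *image, *image_extra; };

/* Allocator hook so the out-of-memory path can be forced in a test. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void) n; return NULL; }

/* Checked variant: report allocation failure to the caller instead of
 * storing through a NULL pointer as the excerpt does. */
static status_t wrap_image_checked(alloc_fn alloc, void *src, void *image,
                                   void *image_extra, struct acquire_data **out)
{
    struct acquire_data *data = alloc(sizeof(*data));
    *out = NULL;
    if (data == NULL)
        return STATUS_NO_MEMORY;
    data->src = src;
    data->image = image;
    data->image_extra = image_extra;
    *out = data;
    return STATUS_SUCCESS;
}

/* Drive the checked path with the given allocator.
 * Returns the status, or -1 if the output pointer disagrees with it. */
static int try_wrap(alloc_fn alloc)
{
    int src = 0, image = 0;
    struct acquire_data *data = NULL;
    status_t st = wrap_image_checked(alloc, &src, &image, NULL, &data);
    int consistent = (st == STATUS_SUCCESS) ? (data != NULL && data->src == &src)
                                            : (data == NULL);
    free(data);
    return consistent ? (int) st : -1;
}

int main(void)
{
    printf("malloc: %d, failing allocator: %d\n", try_wrap(malloc), try_wrap(failing_alloc));
    return 0;
}
```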
(Assignee)

Comment 1

9 years ago
Created attachment 414580
patch for cairo

Attachment #414580 - Flags: review?(joe)
Attachment #414580 - Flags: review?(joe) → review?(jmuizelaar)

The line number for this is wrong.

1316 doesn't dereference null; it dereferences data + 12.
Also, if malloc fails we are in a situation where we're going to abort elsewhere.

example from FF 4.0.1? bp-f99788ad-c1cf-41c0-9a95-6be442110514

Crash Signature: [@ _wrap_image]

jeff, timeless,
according to crash-stats, this crash is GONE in version 7 (after having dropped substantially in version 6 compared to version 5, and none in development builds)

Comment on attachment 414580
patch for cairo

Review of attachment 414580:
-----------------------------------------------------------------

I'm not interested in changing this code needlessly.
Attachment #414580 - Flags: review?(jmuizelaar) → review-

I am closing this bug as incomplete as we have no reports of this crash recently. Please reopen if this bug is truly something we plan to fix.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE