Closed Bug 559070 Opened 14 years ago Closed 6 years ago

don't use mD2DWindowSurface if Init fails [@ cairo_d2d_scroll]

Categories

(Core :: Widget: Win32, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: timeless, Assigned: bas.schouten)

Details

(Keywords: crash)

437 #ifdef CAIRO_HAS_D2D_SURFACE
438           if (!targetSurface &&
439               IsRenderMode(gfxWindowsPlatform::RENDER_DIRECT2D))
440           {
441             if (!mD2DWindowSurface) {
442               mD2DWindowSurface = new gfxD2DSurface(mWnd);
443             }

please don't do this if the surface is unhappy:
444             targetSurface = mD2DWindowSurface;
445           }
446 #endif

and please don't return this if surface is unhappy:
2942 gfxASurface *nsWindow::GetThebesSurface()
2952 #ifdef CAIRO_HAS_D2D_SURFACE
2955     return (new gfxD2DSurface(mWnd));

40 gfxD2DSurface::gfxD2DSurface(HWND aWnd)
42     Init(cairo_d2d_surface_create_for_hwnd(aWnd));

45 gfxD2DSurface::gfxD2DSurface(cairo_surface_t *csurf)
47     Init(csurf, PR_TRUE);

50 gfxD2DSurface::gfxD2DSurface(const gfxIntSize& size,
51                              gfxImageFormat imageFormat)
53     Init(cairo_d2d_surface_create((cairo_format_t)imageFormat, size.width, size.height));

212 gfxASurface::Init(cairo_surface_t* surface, PRBool existingSurface)
213 {
214     if (cairo_surface_status(surface)) {
215         // the surface has an error on it
216         mSurfaceValid = PR_FALSE;
217         cairo_surface_destroy(surface);
218         return;

please let this succeed instead:
2958     return (new gfxWindowsSurface(mWnd));

2373 nsWindow::Scroll(const nsIntPoint& aDelta,
2477 #ifdef CAIRO_HAS_D2D_SURFACE
2478     if (mD2DWindowSurface) {
2479       mD2DWindowSurface->Scroll(aDelta, affectedRect);

67 gfxD2DSurface::Scroll(const nsIntPoint &aDelta, const nsIntRect &aClip)
74     cairo_d2d_scroll(CairoSurface(), aDelta.x, aDelta.y, &rect);

this returns null:
104     cairo_surface_t *CairoSurface() {
105         NS_ASSERTION(mSurface != nsnull, "gfxASurface::CairoSurface called with mSurface == nsnull!");
106         return mSurface;

this crashes:
2295 void cairo_d2d_scroll(cairo_surface_t *surface, int x, int y, cairo_rectangle_t *clip)
2297     if (surface->type != CAIRO_SURFACE_TYPE_D2D) {

Signature	cairo_d2d_scroll
UUID	4df78131-4c86-4f27-beb2-5a0f62100412
Time 	2010-04-12 12:17:25.857379
Uptime	72953
Last Crash	206926 seconds before submission
Product	Firefox
Version	3.7a5pre
Build ID	20100411035843
Branch	1.9.3
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x4
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	cairo_d2d_scroll 	gfx/cairo/cairo/src/cairo-d2d-surface.cpp:2280
1 	xul.dll 	gfxD2DSurface::Scroll 	gfx/thebes/src/gfxD2DSurface.cpp:74
2 	xul.dll 	nsWindow::Scroll 	widget/src/windows/nsWindow.cpp:2479
3 	xul.dll 	nsGfxScrollFrameInner::ScrollVisual 	layout/generic/nsGfxScrollFrame.cpp:1718
4 	xul.dll 	nsGfxScrollFrameInner::ScrollToImpl 	
5 	xul.dll 	nsGfxScrollFrameInner::AsyncScrollCallback 	layout/generic/nsGfxScrollFrame.cpp:1362
6 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
7 	nspr4.dll 	_PR_MD_UNLOCK 	nsprpub/pr/src/md/windows/w95cv.c:344
8 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
9 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
10 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:142
11 	xul.dll 	xul.dll@0x96ef1b 	
12 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:216
13 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:199
14 	xul.dll 	xul.dll@0x2def73 	
15 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:173
16 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:174
17 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:239
18 		@0x770effff 	
19 	ieproxy.dll 	ieproxy.dll@0x746d 	
20 	ieproxy.dll 	ieproxy.dll@0x2e6b 	
21 	imm32.dll 	imm32.dll@0x5ffff 	
22 	kernel32.dll 	kernel32.dll@0xfffff 	
23 	kernel32.dll 	kernel32.dll@0xfffff 	
24 	nvwgf2um.dll 	nvwgf2um.dll@0x354552 	
25 	nvwgf2um.dll 	nvwgf2um.dll@0x353364 	
26 	xul.dll 	nsAnnotationService::GetPageAnnotationInfo 	toolkit/components/places/src/nsAnnotationService.cpp:1183
27 	nvwgf2um.dll 	nvwgf2um.dll@0x357471 	
28 	ieproxy.dll 	ieproxy.dll@0x2e72 	
29 	ieproxy.dll 	ieproxy.dll@0x2e33 	

https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=cairo_d2d_scroll&version=Firefox%3A3.7a5pre
The real fix here is understanding why the surface creation is failing. We check for D2D compatibility before setting the render mode. When we set D2D rendermode we should be able to rely on it being successful. Having said that it would be a good idea to be able to dynamically switch between D2D and GDI on a per-widget basis.
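The failure mode described in the report and the per-widget D2D/GDI fallback suggested in the comment above, as an added example that is not Mozilla or cairo code. The `RawSurface`, `Surface`, `D2DSurface`, `GdiSurface` and `Window` types are hypothetical stand-ins, and `deviceOk=false` simulates a failed D2D surface creation.

```cpp
// Added illustration with stand-in types; not Mozilla or cairo code.
#include <memory>
#include <utility>
enum class Backend { D2D, GDI };
struct RawSurface { int status; Backend type; };  // stand-in for cairo_surface_t
class Surface {
public:
    virtual ~Surface() = default;
    bool Valid() const { return mRaw != nullptr; }
    Backend Type() const { return mRaw->type; }  // null dereference if !Valid()
protected:
    // Same shape as the Init() quoted in the report: an errored handle is
    // destroyed and the wrapper is left holding no surface.
    void Init(RawSurface* raw) {
        if (raw->status != 0) { delete raw; return; }
        mRaw.reset(raw);
    }
    std::unique_ptr<RawSurface> mRaw;
};
struct D2DSurface : Surface {  // deviceOk=false simulates a failed creation
    explicit D2DSurface(bool deviceOk) { Init(new RawSurface{deviceOk ? 0 : 1, Backend::D2D}); }
};
struct GdiSurface : Surface {
    GdiSurface() { Init(new RawSurface{0, Backend::GDI}); }
};
class Window {
public:
    explicit Window(bool deviceOk) : mDeviceOk(deviceOk) {}
    // Pattern from the report: the wrapper is cached whether or not Init worked.
    Surface* TargetUnchecked() {
        if (!mD2D) mD2D = std::make_unique<D2DSurface>(mDeviceOk);
        return mD2D.get();
    }
    // Checked variant: keep D2D only if valid, otherwise use GDI for this window.
    Surface* TargetChecked() {
        if (!mD2D && !mTriedD2D) {
            mTriedD2D = true;
            auto s = std::make_unique<D2DSurface>(mDeviceOk);
            if (s->Valid()) mD2D = std::move(s);
        }
        if (mD2D && mD2D->Valid()) return mD2D.get();
        if (!mGdi) mGdi = std::make_unique<GdiSurface>();
        return mGdi.get();
    }
    bool ScrollUsesD2D() const { return mD2D && mD2D->Valid(); }  // guard before Scroll
private:
    bool mDeviceOk, mTriedD2D = false;
    std::unique_ptr<Surface> mD2D, mGdi;
};
int main() { Window w(false); return w.TargetChecked()->Type() == Backend::GDI ? 0 : 1; }
```

`TargetUnchecked` hands back a wrapper whose `Valid()` is false, which is the state the scroll path later dereferences; `TargetChecked` never returns such a wrapper.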
Do we have any steps to reproduce?
Bas: there are some comments from one user in crash-stats who seems to hit the bug, but he is not able to give exact STR or generate a test case. I could try emailing him and ask if he can add himself to this bug.
(In reply to comment #3)
> Bas: there are some comments from one user in crash-stats who seems to hit the
> bug, but he is not able to give exact STR or generate a test case. I could try
> emailing him and ask if he can add himself to this bug.

Hrm, it would be interesting to know what it could be about this user that makes his D2D surfaces fail!
I am here.
What information do you need?
(In reply to comment #6)
> Any updates?
> 
> BTW, is the d3d10_1core.dll@0x2bb04 crash related?
> https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=d3d10_1core.dll@0x2bb04&version=Firefox%3A3.7a5pre

It's hard to say, I wonder why we don't get symbols for that from the MS symbol servers. In any case we still need some rough steps to reproduce to figure out what causes this.
Crash Signature: [@ cairo_d2d_scroll]
Bas, I can't find this signature anymore. Not sure if it was ever something found in the wild. Is it still a problem? Should we leave the bug open? I am going to remove the top crash keyword.
Keywords: topcrash
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX