Closed Bug 593526 Opened 10 years ago Closed 7 years ago
Crash [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
Tested on Mac OS X 10.6.4 with a 64-bit Firefox debug build from Tinderbox.
Assignee: nobody → jmuizelaar
blocking2.0: --- → final+
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Does this happen in 3.6?
Jeff, can you try to repro in 3.6, please? :)
This testcase does not crash for me using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:126.96.36.199) Gecko/20100914 Firefox/3.6.10.
This doesn't crash for me in my debug build but it looks like there is still badness going on.
Running firefox-bin directly seems to have broken on 10.5 (see bug 607519). This is preventing me from trying things out with valgrind.
valgrind --trace-children=yes --smc-check=all --track-origins=yes --dsymutil=yes ./firefox -P MozillaDebug should work
(In reply to comment #7)
> valgrind --trace-children=yes --smc-check=all --track-origins=yes
> --dsymutil=yes ./firefox -P MozillaDebug
>
> should work

That just seems to segfault immediately
I'll just use my own build...
I haven't been able to get anything useful out of valgrind. It runs really slow, so it's hard to know if it's hitting the same problems.
OS: Mac OS X → Windows 7
I can reproduce this crash reliably on Mac OS X 10.6. Valgrind isn't required. On Mac OS X 10.5, I don't get a crash, just a white page with a horizontal scrollbar.
OS: Mac OS X → Windows XP
I can't repro the crash on x86_64-Linux. I get a white page with a small square in the top left corner.

> On Mac OS X 10.5, I don't get a crash, just a white page with a horizontal
> scrollbar.

I get that too. Perhaps that's the right behaviour? It looks like the test case is asking to draw something extremely wide. I can't get any badness out of Valgrind memcheck or ptrcheck on either of these platforms. Maybe some integer overflow kind of thing?
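The overflow guess above is the kind of defect the first crash signature's function name points at: an image buffer sized from width * bpp * height where the product wraps and the allocation comes out far too small for the rows the renderer then touches. The following is an added example of an overflow-checked size computation (my own code, not pixman's or cairo's; the 4-byte stride rounding and the function names are assumptions) beside the unchecked form for comparison:

```c
#include <stdint.h>
#include <stdbool.h>

/* Returns true when a * b does not fit in a signed 32-bit int.
 * Equivalent to a * b > INT32_MAX without computing the product. */
bool multiply_overflows_int32(uint32_t a, uint32_t b)
{
    if (a == 0 || b == 0)
        return false;
    return a > (uint32_t)INT32_MAX / b;
}

/* Byte size of a width x height image with bpp bits per pixel, with the
 * row stride rounded up to a 4-byte boundary (assumed layout). Returns
 * false if the stride or the total would not fit in int32; *size_out is
 * only written on success, so a caller cannot allocate from a bad value. */
bool image_byte_size(uint32_t width, uint32_t height, uint32_t bpp,
                     uint32_t *size_out)
{
    if (multiply_overflows_int32(width, bpp))
        return false;                       /* row_bits would wrap */
    uint32_t row_bits = width * bpp;
    if (row_bits > (uint32_t)INT32_MAX - 31)
        return false;                       /* rounding would wrap */
    uint32_t stride = ((row_bits + 31) / 32) * 4;
    if (multiply_overflows_int32(stride, height))
        return false;                       /* total would wrap */
    *size_out = stride * height;
    return true;
}

/* The unchecked form: for an extremely wide row the product wraps silently
 * and the result is a tiny (or zero) buffer for a huge row. */
uint32_t unchecked_row_bytes(uint32_t width, uint32_t bpp)
{
    return (width * bpp) / 8;
}
```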
> I can reproduce this crash reliably on Mac OS X 10.6.

Me too (10.6, 64-bit build I should add):

Invalid read of size 4
   at 0x100F660D6: pixman_image_get_component_alpha (pixman-image.c:685)
   by 0x100F2F902: _cairo_surface_clone_similar (cairo-surface.c:1549)
   by 0x100F240DE: _cairo_pattern_acquire_surface (cairo-pattern.c:2158)
   by 0x100F2550B: _cairo_pattern_acquire_surfaces (cairo-pattern.c:2411)
   by 0x100F1AE94: _cairo_image_surface_composite (cairo-image-surface.c:1128)
   by 0x100F2E001: _cairo_surface_composite (cairo-surface.c:1821)
   by 0x100F317A0: _clip_and_composite_trapezoids (cairo-surface-fallback.c:740)
   by 0x100F31EE4: _cairo_surface_fallback_fill (cairo-surface-fallback.c:1406)
   by 0x100F2EBCB: _cairo_surface_fill (cairo-surface.c:2222)
   by 0x100F17549: _cairo_gstate_fill (cairo-gstate.c:1177)
   by 0x100F0BD2E: _moz_cairo_fill_preserve (cairo.c:2338)
   by 0x100F0C3C6: _moz_cairo_fill (cairo.c:2314)
 Address 0x60 is not stack'd, malloc'd or (recently) free'd

Then it segfaults.
Breakpad sees this as [@ pixman_image_get_component_alpha] bp-0dec65bc-8fbb-40fc-aaa6-9cbea2101119
Summary: Crash [@ pixman_multiply_overflows_int] → Crash [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
Jesse: does this crash still look sg:critical? comment 13 and 14 both look like null dereferences. The original crash stack looks a little different, but we've taken a pixman update since then.
blocking2.0: final+ → ---
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:needinfo][critsmash:investigating]
WFM, not crashing for me any more.
Crash Signature: [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
WFM, in recent Nightly on Linux64, OSX 10.7 and Win7. Also in ASan builds. crash-stats has 3 reports for pixman_multiply_overflows_int (FF6 the latest version) and zero reports for pixman_image_get_component_alpha.
Status: NEW → RESOLVED
Crash Signature: [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha] → [@ pixman_multiply_overflows_int] [@ pixman_image_get_component_alpha]
Closed: 7 years ago
Resolution: --- → WORKSFORME
Landed a couple of tests: https://hg.mozilla.org/integration/mozilla-inbound/rev/921ef3217211
Flags: in-testsuite? → in-testsuite+