598265 - ShadowLayers crashes on rendering HTML5 video layer or Plugin layer

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Oleg Romashin (:romaxa)]

Crash happen on Null mBackSurface

#0  gfxContext (this=0x4787f2b0, surface=0x0) at gfx/thebes/gfxContext.cpp:64
64	    mCairo = cairo_create(surface->CairoSurface());
(gdb) bt
#0  gfxContext (this=0x4787f2b0, surface=0x0) at gfx/thebes/gfxContext.cpp:64
#1  0x4124f580 in mozilla::layers::BasicShadowableImageLayer::Paint (this=0x4605f300, aContext=<value optimized out>, 
    aCallback=<value optimized out>, aCallbackData=<value optimized out>, aOpacity=1)
    at gfx/layers/basic/BasicLayers.cpp:1581
#2  0x4124c410 in mozilla::layers::BasicLayerManager::PaintLayer (this=0x43e31460, aLayer=0x4605f300, 
    aCallback=0x405d1338 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbeb3d2e0, aOpacity=
/home/rez/gdb/gdb-6.6.dfsg/gdb/regcache.c:930: internal-error: register_offset_hack: Assertion `regnum >= 0 && regnum < descr->nr_cooked_registers' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n

/home/rez/gdb/gdb-6.6.dfsg/gdb/regcache.c:930: internal-error: register_offset_hack: Assertion `regnum >= 0 && regnum < descr->nr_cooked_registers' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) n
) at gfx/layers/basic/BasicLayers.cpp:1154
#3  0x4124c53c in mozilla::layers::BasicLayerManager::PaintLayer (this=0x43e31460, aLayer=<value optimized out>, 
---Type <return> to continue, or q <return> to quit---
    aCallback=0x405d1338 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbeb3d2e0, aOpacity=
/home/rez/gdb/gdb-6.6.dfsg/gdb/regcache.c:930: internal-error: register_offset_hack: Assertion `regnum >= 0 && regnum < descr->nr_cooked_registers' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n

/home/rez/gdb/gdb-6.6.dfsg/gdb/regcache.c:930: internal-error: register_offset_hack: Assertion `regnum >= 0 && regnum < descr->nr_cooked_registers' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) n
) at gfx/layers/basic/BasicLayers.cpp:1166
#4  0x41250744 in mozilla::layers::BasicLayerManager::EndTransaction (this=0x43e31460, 
    aCallback=0x405d1338 <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbeb3d2e0)
    at gfx/layers/basic/BasicLayers.cpp:1061
#5  0x41250950 in mozilla::layers::BasicShadowLayerManager::EndTransaction (this=0x4787f2b0, aCallback=0, 
    aCallbackData=0x43cbd040) at gfx/layers/basic/BasicLayers.cpp:2217
---Type <return> to continue, or q <return> to quit---
#6  0x405fe190 in nsDisplayList::PaintForFrame (this=0xbeb3d62c, aBuilder=0xbeb3d2e0, aCtx=<value optimized out>, 
    aForFrame=<value optimized out>, aFlags=1)
    at layout/base/nsDisplayList.cpp:452
#7  0x405fe3c0 in nsDisplayList::PaintRoot (this=0x4787f2b0, aBuilder=0x0, aCtx=0x43cbd040, aFlags=<value optimized out>)
    at layout/base/nsDisplayList.cpp:360
#8  0x40610d0c in nsLayoutUtils::PaintFrame (aRenderingContext=0x0, aFrame=0x478ca6d8, aDirtyRegion=@0xbeb3d768, 
    aBackstop=4294967295, aFlags=4) at layout/base/nsLayoutUtils.cpp:1429
#9  0x4061d9a0 in PresShell::Paint (this=0x45305720, aDisplayRoot=0x478c3820, aViewToPaint=0x478c3820, 
    aWidgetToPaint=0x47889a40, aDirtyRegion=@0xbeb3d768, aIntDirtyRegion=@0xbeb3d9a4, aPaintDefaultBackground=0, 
    aWillSendDidPaint=0) at layout/base/nsPresShell.cpp:6089
#10 0x409bb624 in nsViewManager::RenderViews (this=0x46cfee20, aView=0x478c3820, aWidget=0x47889a40, aRegion=@0xbeb3d7d0, 
    aIntRegion=@0xbeb3d9a4, aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at view/src/nsViewManager.cpp:447
#11 0x409bb738 in nsViewManager::Refresh (this=0x46cfee20, aView=0x478c3820, aWidget=0x47889a40, aRegion=@0xbeb3d9a4, 
    aUpdateFlags=1) at view/src/nsViewManager.cpp:413
#12 0x409bcae4 in nsViewManager::DispatchEvent (this=0x46cfee20, aEvent=0xbeb3d970, aView=0xbeb3d848, 
    aStatus=<value optimized out>) at view/src/nsViewManager.cpp:913
#13 0x409b82bc in HandleEvent (aEvent=0xbeb3d970) at view/src/nsView.cpp:161
---Type <return> to continue, or q <return> to quit---
#14 0x40fbf680 in mozilla::widget::PuppetWidget::DispatchEvent (this=0x47889a40, event=0xbeb3d970, aStatus=@0xbeb3d9dc)
    at widget/src/xpwidgets/PuppetWidget.cpp:256
#15 0x40fc0154 in mozilla::widget::PuppetWidget::DispatchPaintEvent (this=0x47889a40)
    at widget/src/xpwidgets/PuppetWidget.cpp:307
#16 0x40fc02f8 in mozilla::widget::PuppetWidget::PaintTask::Run (this=<value optimized out>)
    at widget/src/xpwidgets/PuppetWidget.cpp:346
#17 0x4118128c in nsThread::ProcessNextEvent (this=0x43e04240, mayWait=<value optimized out>, result=0xbeb3da44)
    at xpcom/threads/nsThread.cpp:547
#18 0x4113c23c in NS_ProcessNextEvent_P (thread=0x4787f2b0, mayWait=0) at nsThreadUtils.cpp:250
#19 0x4102538c in mozilla::ipc::MessagePump::Run (this=0x43e021c0, aDelegate=0xbeb3e378)
    at ipc/glue/MessagePump.cpp:110
#20 0x410254cc in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x4787f2b0, aDelegate=0x0)
    at ipc/glue/MessagePump.cpp:229
#21 0x411c76ec in MessageLoop::RunInternal (this=0xbeb3e378)
    at ipc/chromium/src/base/message_loop.cc:219
#22 0x411c76fc in MessageLoop::RunHandler (this=0x4787f2b0)
    at ipc/chromium/src/base/message_loop.cc:202
#23 0x411c776c in MessageLoop::Run (this=0xbeb3e378)

Comment 1

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Oleg reports that this is a use-after-free error; the dtor is being called before Paint().  I can't repro on a desktop DEBUG fennec build, with or without FORCE_SHMEM.

Comment 2

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Attachment: WIP: fix uninitialized value error reported by valgrind

Probably unrelated to the crash.

Comment 3

[Oleg Romashin (:romaxa)]

Comment on attachment 477051 [details] [diff] [review]
WIP: fix uninitialized value error reported by valgrind

Cool, this is fixing crash!

Comment 4

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Attachment: Initialize BasicImageLayer::mSize

Comment 5

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 477052 [details] [diff] [review]
Initialize BasicImageLayer::mSize

-    NS_ASSERTION(oldSize == gfxIntSize(0, 0), "video changed size?");
+    NS_ASSERTION(oldSize == gfxIntSize(-1, -1), "video changed size?");

This assertion is actually wrong, videos are allowed to change size. However we don't currently have any decoders that do that, so it can't be tested.

Comment 6

[Oleg Romashin (:romaxa)]

this is blocking fennec with remote layers

Comment 7

[Oleg Romashin (:romaxa)]

http://hg.mozilla.org/mozilla-central/rev/081779dc7d17

Comment 8

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Thanks Oleg.

Comment 9

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

(In reply to comment #5)
> Comment on attachment 477052 [details] [diff] [review]
> Initialize BasicImageLayer::mSize
> 
> -    NS_ASSERTION(oldSize == gfxIntSize(0, 0), "video changed size?");
> +    NS_ASSERTION(oldSize == gfxIntSize(-1, -1), "video changed size?");
> 
> This assertion is actually wrong, videos are allowed to change size. However we
> don't currently have any decoders that do that, so it can't be tested.

OK.  The shadow layers code properly handles resizes; I added this assertion with the v0 of this code just to see if it ever happened.  Will rm in the next patch in the vicinity of this code.