Closed
Bug 632696
Opened 13 years ago
Closed 13 years ago
Talos tp4 crashes in cairo below "xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction"
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 626602
People
(Reporter: cjones, Assigned: cjones)
References
Details
Attachments
(1 file)
|
1.25 KB,
patch
|
mattwoodrow
:
review+
|
Details | Diff | Splinter Review |
Obviously a regression from bug 626602. The stacks below seem to indicate failed surface allocations. The code that landed doesn't check the allocations but probably should be. I'm spinning up an XP build in the meantime to investigate. I'm not in a hurry to back out 626602 over this, but if we're OOM'ing in talos then there's a decent possibility we've regressed tp4. That would require a more difficult decision. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297221632.1297222842.19369.gz Rev3 WINNT 5.1 mozilla-central talos tp4 on 2011/02/08 19:20:32 ###!!! [Parent][RPCChannel] Error: Channel error: cannot send/recv [etc.] Crash reason: EXCEPTION_ACCESS_VIOLATION Crash address: 0x30 Thread 0 (crashed) 0 xul.dll!_moz_pixman_image_set_transform [pixman-image.c:fa1a4b6abff0 : 577 + 0xa] eip = 0x1030d03a esp = 0x0012eb5c ebp = 0x00000000 ebx = 0x00000015 esi = 0x0012ebf0 edi = 0x00850460 eax = 0x0012eb88 ecx = 0x0012eb88 edx = 0x00000000 efl = 0x00050202 Found by: given as instruction pointer in context 1 xul.dll!_cairo_image_surface_set_attributes [cairo-image-surface.c:fa1a4b6abff0 : 983 + 0x30] eip = 0x102d3361 esp = 0x0012eb68 ebp = 0x0012ecbc ebx = 0x00000015 Found by: call frame info 2 xul.dll!_cairo_image_surface_composite [cairo-image-surface.c:fa1a4b6abff0 : 1142 + 0x5e] eip = 0x102d360a esp = 0x0012ebb0 ebp = 0x0012ecbc Found by: call frame info with scanning 3 mozcrt19.dll!malloc [jemalloc.c:fa1a4b6abff0 : 5882 + 0x2e] eip = 0x781399cd esp = 0x0012ec90 ebp = 0x0012eca0 ebx = 0x00000000 Found by: call frame info with scanning 4 xul.dll!_composite_rectangle [cairo-surface-fallback.c:fa1a4b6abff0 : 745 + 0x31] eip = 0x102e8801 esp = 0x0012ed0c ebp = 0x0012eca0 Found by: call frame info with scanning 5 xul.dll!_clip_and_composite_trapezoids [cairo-surface-fallback.c:fa1a4b6abff0 : 789 + 0x10] eip = 0x102e88d9 esp = 0x0012ed48 ebp = 0x0012eca0 ebx = 0x0012f6d4 Found by: call frame info with scanning 6 xul.dll!_cairo_surface_fallback_fill [cairo-surface-fallback.c:fa1a4b6abff0 : 1408 + 0x35] eip = 0x102e96ef esp = 0x0012ed90 ebp = 0x10cb6ab4 ebx = 0x00000000 Found by: call frame info 7 xul.dll!_cairo_surface_fill [cairo-surface.c:fa1a4b6abff0 : 2228 + 0x21] eip = 0x102cd642 esp = 0x0012f660 ebp = 0x0012f45c ebx = 0x00000001 Found by: call frame info 8 xul.dll!_cairo_gstate_fill [cairo-gstate.c:fa1a4b6abff0 : 1184 + 0x38] eip = 0x102f01b1 esp = 0x0012f698 ebp = 0x0012f6d4 ebx = 0x10cb6938 Found by: call frame info 9 xul.dll!_moz_cairo_fill_preserve [cairo.c:fa1a4b6abff0 : 2338 + 0xf] eip = 0x102cf3cb esp = 0x0012f7c0 ebp = 0x0012f864 ebx = 0x0081d740 Found by: call frame info 10 xul.dll!gfxContext::Fill() [gfxContext.cpp:fa1a4b6abff0 : 151 + 0x7] eip = 0x104bf461 esp = 0x0012f7d0 ebp = 0x0012f864 Found by: call frame info 11 xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:fa1a4b6abff0 : 2781 + 0x6] eip = 0x1088841e esp = 0x0012f7d8 ebp = 0x0012f864 Found by: call frame info 12 xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp:fa1a4b6abff0 : 2901 + 0x10] http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297222536.1297223911.24067.gz Rev3 WINNT 6.1 mozilla-central talos tp4 on 2011/02/08 19:35:36 ###!!! [Parent][RPCChannel] Error: Channel error: cannot send/recv [etc.] Crash reason: EXCEPTION_ACCESS_VIOLATION Crash address: 0x10 Thread 0 (crashed) 0 xul.dll!_moz_cairo_surface_flush [cairo-surface.c:fa1a4b6abff0 : 967 + 0x4] eip = 0x6ae7bf65 esp = 0x0023f3f4 ebp = 0x0023f430 ebx = 0x00416600 esi = 0x00000000 edi = 0x00416600 eax = 0x00000000 ecx = 0x000007d0 edx = 0x000007d0 efl = 0x00210246 Found by: given as instruction pointer in context 1 xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:fa1a4b6abff0 : 73 + 0x8] eip = 0x6abb3021 esp = 0x0023f3fc ebp = 0x0023f430 Found by: call frame info 2 xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:fa1a4b6abff0 : 62 + 0x1e] eip = 0x6abb32b0 esp = 0x0023f438 ebp = 0x0023f474 Found by: previous frame's frame pointer 3 xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:fa1a4b6abff0 : 2815 + 0xb] eip = 0x6b438478 esp = 0x0023f47c ebp = 0x0023f514 Found by: previous frame's frame pointer 4 xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp:fa1a4b6abff0 : 2901 + 0x10]
|
Assignee | |
Comment 1•13 years ago
|
||
I just repro'd the second crash by loading a bajillion GUIMark3 tabs, https://bugzilla.mozilla.org/attachment.cgi?id=508714, in an XP VM with 512MB physical memory allocated. Repro'ing was Hard. (Are we not GC'ing during Tp? :S) I'll see what's going wrong here and have a patch up soon.
|
|
Assignee | |
Comment 2•13 years ago
|
||
The stack VS was showing me was bizarrely wrong, but poking around a bit revealed that we failed to allocate a temporary white buffer, as expected. Easy fix. (Not that it's particular relevant, but this bug existed before bug 626602.)
|
|
Assignee | |
Comment 3•13 years ago
|
||
(Oh, I should note that I repro'd with a patch to force alpha recovery even when we have a background.)
|
|
Assignee | |
Comment 4•13 years ago
|
||
I was able to push the windows memory manager hard enough with this patch that it had to enlarge the swap file, and neither firefox-bin nor plugin-container crashed. (That in itself is pretty damn shocking!)
Assignee: nobody → jones.chris.g
Attachment #510966 -
Flags: review?(matt.woodrow+bugzilla)
|
||
Updated•13 years ago
|
Attachment #510966 -
Flags: review?(matt.woodrow+bugzilla) → review+
|
|
Assignee | |
Comment 5•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/1c05e64aab54
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 6•13 years ago
|
||
This seems to have caused what might turn into a perma-orange. On the cset in comment 5, we have: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297243018.1297246637.27566.gz Rev3 WINNT 6.1 mozilla-central debug test reftest on 2011/02/09 01:16:58 REFTEST TEST-UNEXPECTED-FAIL | file:///c:/talos-slave/test/build/reftest/tests/modules/plugin/test/reftest/plugin-background-10-step.html | image comparison (==) It seems highly probable that this test-failure was caused by this bug's checkin, given that the checkin comment mentioned backgrounds and was for plugin code. There haven't been any later Win Debug Reftest cycles than this one, but there's one in-progress... we'll see if it turns out to be orange. mattwoodrow / cjones: if you're awake, please advise as to best course of action... given that this was just a one-liner and wasn't a blocker, I'm tempted to just back it out, but I suppose the other option would be to temporarily mark the test as "random-if(d2d)" pending investivation.
|
|
||
Comment 7•13 years ago
|
||
(In reply to comment #6) > There haven't been any later Win Debug Reftest cycles than this one, but > there's one in-progress... we'll see if it turns out to be orange. Hm - so that next reftest cycle turned out green, so despite my suspicions, this isn't a perma-orange (and hence doesn't necessitate as immediate of a backout/test-disabling). I guess it's is a new randomorange (though still possibly/probably introduced by this checkin, since it's never been reported before), so I filed a new randomorange bug to track it: Bug 632765
|
||
Comment 8•13 years ago
|
||
This didn't fix the problem, apparently; both XP and Win7 crashed in the same way in Tp4 on this push. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297250293.1297251511.18503.gz Crash reason: EXCEPTION_ACCESS_VIOLATION Crash address: 0x10 Thread 0 (crashed) 0 xul.dll!_moz_cairo_surface_flush [cairo-surface.c:1bb9a9e03483 : 967 + 0x4] eip = 0x102cb185 esp = 0x0012f744 ebp = 0x0012f780 ebx = 0x00817580 esi = 0x00000000 edi = 0x00817580 eax = 0x00000000 ecx = 0x000007d0 edx = 0x000007d0 efl = 0x00050246 Found by: given as instruction pointer in context 1 xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:1bb9a9e03483 : 73 + 0x8] eip = 0x10002f61 esp = 0x0012f74c ebp = 0x0012f780 Found by: call frame info 2 xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:1bb9a9e03483 : 62 + 0x1e] eip = 0x100031f0 esp = 0x0012f788 ebp = 0x0012f7c4 Found by: previous frame's frame pointer 3 xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:1bb9a9e03483 : 2818 + 0xb] eip = 0x10878c38 esp = 0x0012f7cc ebp = 0x0012f864 Found by: previous frame's frame pointer http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297250446.1297251941.21130.gz Crash reason: EXCEPTION_ACCESS_VIOLATION Crash address: 0x10 Thread 0 (crashed) 0 xul.dll!_moz_cairo_surface_flush [cairo-surface.c:1bb9a9e03483 : 967 + 0x4] eip = 0x6840b185 esp = 0x0012f284 ebp = 0x0012f2c8 ebx = 0x00416600 esi = 0x00000000 edi = 0x00416600 eax = 0x00000000 ecx = 0x000007d0 edx = 0x000007d0 efl = 0x00210246 Found by: given as instruction pointer in context 1 xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:1bb9a9e03483 : 73 + 0x8] eip = 0x68142f61 esp = 0x0012f28c ebp = 0x0012f2c8 Found by: call frame info 2 xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:1bb9a9e03483 : 62 + 0x1e] eip = 0x681431f0 esp = 0x0012f2d0 ebp = 0x0012f30c Found by: previous frame's frame pointer 3 xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:1bb9a9e03483 : 2818 + 0xb] eip = 0x689b8c38 esp = 0x0012f314 ebp = 0x0012f3ac Found by: previous frame's frame pointer
|
|
||
Updated•13 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 9•13 years ago
|
||
Looks like being perma-orange, or at least very frequent: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297252421.1297253679.30471.gz http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297252261.1297255340.6478.gz
|
||
Comment 10•13 years ago
|
||
We've closed the tree for this for the time being.
|
||
Comment 11•13 years ago
|
||
I've backed out bug 626602, this bug and bug 631388 (just because it was conflicting with code changes) to try to reopen the tree. Waiting for results before reopening both the tree and the bugs.
|
||
Updated•13 years ago
|
tracking-fennec: --- → ?
|
|
Assignee | |
Comment 12•13 years ago
|
||
(In reply to comment #6) > This seems to have caused what might turn into a perma-orange. On the cset in > comment 5, we have: > http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297243018.1297246637.27566.gz > Rev3 WINNT 6.1 mozilla-central debug test reftest on 2011/02/09 01:16:58 > REFTEST TEST-UNEXPECTED-FAIL | > file:///c:/talos-slave/test/build/reftest/tests/modules/plugin/test/reftest/plugin-background-10-step.html > | image comparison (==) This was a test added by bug 626602. The windows plugins tests have been observed not to work properly (not wait for a plugin paint before snapshotting), so marking these random would have been OK. The talos crashes are something we need to sort out in 626602.
|
|
Assignee | |
Updated•13 years ago
|
Status: REOPENED → RESOLVED
tracking-fennec: ? → ---
Closed: 13 years ago → 13 years ago
Resolution: --- → DUPLICATE
|
|
||
Comment 14•13 years ago
|
||
I backed out all the changesets in this bug (the temporary patch in comment 5)
|
||
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•