Talos tp4 crashes in cairo below "xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction"

RESOLVED DUPLICATE of bug 626602

Status

()

defect
RESOLVED DUPLICATE of bug 626602
8 years ago
8 years ago

People

(Reporter: cjones, Assigned: cjones)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Obviously a regression from bug 626602.  The stacks below seem to indicate failed surface allocations.  The code that landed doesn't check the allocations but probably should be.  I'm spinning up an XP build in the meantime to investigate.

I'm not in a hurry to back out 626602 over this, but if we're OOM'ing in talos then there's a decent possibility we've regressed tp4.  That would require a more difficult decision.

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297221632.1297222842.19369.gz
Rev3 WINNT 5.1 mozilla-central talos tp4 on 2011/02/08 19:20:32 
###!!! [Parent][RPCChannel] Error: Channel error: cannot send/recv
[etc.]
Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x30

Thread 0 (crashed)
 0  xul.dll!_moz_pixman_image_set_transform [pixman-image.c:fa1a4b6abff0 : 577 + 0xa]
    eip = 0x1030d03a   esp = 0x0012eb5c   ebp = 0x00000000   ebx = 0x00000015
    esi = 0x0012ebf0   edi = 0x00850460   eax = 0x0012eb88   ecx = 0x0012eb88
    edx = 0x00000000   efl = 0x00050202
    Found by: given as instruction pointer in context
 1  xul.dll!_cairo_image_surface_set_attributes [cairo-image-surface.c:fa1a4b6abff0 : 983 + 0x30]
    eip = 0x102d3361   esp = 0x0012eb68   ebp = 0x0012ecbc   ebx = 0x00000015
    Found by: call frame info
 2  xul.dll!_cairo_image_surface_composite [cairo-image-surface.c:fa1a4b6abff0 : 1142 + 0x5e]
    eip = 0x102d360a   esp = 0x0012ebb0   ebp = 0x0012ecbc
    Found by: call frame info with scanning
 3  mozcrt19.dll!malloc [jemalloc.c:fa1a4b6abff0 : 5882 + 0x2e]
    eip = 0x781399cd   esp = 0x0012ec90   ebp = 0x0012eca0   ebx = 0x00000000
    Found by: call frame info with scanning
 4  xul.dll!_composite_rectangle [cairo-surface-fallback.c:fa1a4b6abff0 : 745 + 0x31]
    eip = 0x102e8801   esp = 0x0012ed0c   ebp = 0x0012eca0
    Found by: call frame info with scanning
 5  xul.dll!_clip_and_composite_trapezoids [cairo-surface-fallback.c:fa1a4b6abff0 : 789 + 0x10]
    eip = 0x102e88d9   esp = 0x0012ed48   ebp = 0x0012eca0   ebx = 0x0012f6d4
    Found by: call frame info with scanning
 6  xul.dll!_cairo_surface_fallback_fill [cairo-surface-fallback.c:fa1a4b6abff0 : 1408 + 0x35]
    eip = 0x102e96ef   esp = 0x0012ed90   ebp = 0x10cb6ab4   ebx = 0x00000000
    Found by: call frame info
 7  xul.dll!_cairo_surface_fill [cairo-surface.c:fa1a4b6abff0 : 2228 + 0x21]
    eip = 0x102cd642   esp = 0x0012f660   ebp = 0x0012f45c   ebx = 0x00000001
    Found by: call frame info
 8  xul.dll!_cairo_gstate_fill [cairo-gstate.c:fa1a4b6abff0 : 1184 + 0x38]
    eip = 0x102f01b1   esp = 0x0012f698   ebp = 0x0012f6d4   ebx = 0x10cb6938
    Found by: call frame info
 9  xul.dll!_moz_cairo_fill_preserve [cairo.c:fa1a4b6abff0 : 2338 + 0xf]
    eip = 0x102cf3cb   esp = 0x0012f7c0   ebp = 0x0012f864   ebx = 0x0081d740
    Found by: call frame info
10  xul.dll!gfxContext::Fill() [gfxContext.cpp:fa1a4b6abff0 : 151 + 0x7]
    eip = 0x104bf461   esp = 0x0012f7d0   ebp = 0x0012f864
    Found by: call frame info
11  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:fa1a4b6abff0 : 2781 + 0x6]
    eip = 0x1088841e   esp = 0x0012f7d8   ebp = 0x0012f864
    Found by: call frame info
12  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp:fa1a4b6abff0 : 2901 + 0x10]


http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297222536.1297223911.24067.gz
Rev3 WINNT 6.1 mozilla-central talos tp4 on 2011/02/08 19:35:36
###!!! [Parent][RPCChannel] Error: Channel error: cannot send/recv
[etc.]
Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x10

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_flush [cairo-surface.c:fa1a4b6abff0 : 967 + 0x4]
    eip = 0x6ae7bf65   esp = 0x0023f3f4   ebp = 0x0023f430   ebx = 0x00416600
    esi = 0x00000000   edi = 0x00416600   eax = 0x00000000   ecx = 0x000007d0
    edx = 0x000007d0   efl = 0x00210246
    Found by: given as instruction pointer in context
 1  xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:fa1a4b6abff0 : 73 + 0x8]
    eip = 0x6abb3021   esp = 0x0023f3fc   ebp = 0x0023f430
    Found by: call frame info
 2  xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:fa1a4b6abff0 : 62 + 0x1e]
    eip = 0x6abb32b0   esp = 0x0023f438   ebp = 0x0023f474
    Found by: previous frame's frame pointer
 3  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:fa1a4b6abff0 : 2815 + 0xb]
    eip = 0x6b438478   esp = 0x0023f47c   ebp = 0x0023f514
    Found by: previous frame's frame pointer
 4  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp:fa1a4b6abff0 : 2901 + 0x10]
I just repro'd the second crash by loading a bajillion GUIMark3 tabs, https://bugzilla.mozilla.org/attachment.cgi?id=508714, in an XP VM with 512MB physical memory allocated.  Repro'ing was Hard.  (Are we not GC'ing during Tp? :S)  I'll see what's going wrong here and have a patch up soon.
The stack VS was showing me was bizarrely wrong, but poking around a bit revealed that we failed to allocate a temporary white buffer, as expected.  Easy fix.  (Not that it's particular relevant, but this bug existed before bug 626602.)
(Oh, I should note that I repro'd with a patch to force alpha recovery even when we have a background.)
I was able to push the windows memory manager hard enough with this patch that it had to enlarge the swap file, and neither firefox-bin nor plugin-container crashed.  (That in itself is pretty damn shocking!)
Assignee: nobody → jones.chris.g
Attachment #510966 - Flags: review?(matt.woodrow+bugzilla)
Attachment #510966 - Flags: review?(matt.woodrow+bugzilla) → review+
http://hg.mozilla.org/mozilla-central/rev/1c05e64aab54
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
This seems to have caused what might turn into a perma-orange.  On the cset in comment 5, we have:
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297243018.1297246637.27566.gz
Rev3 WINNT 6.1 mozilla-central debug test reftest on 2011/02/09 01:16:58
REFTEST TEST-UNEXPECTED-FAIL | file:///c:/talos-slave/test/build/reftest/tests/modules/plugin/test/reftest/plugin-background-10-step.html | image comparison (==)

It seems highly probable that this test-failure was caused by this bug's checkin, given that the checkin comment mentioned backgrounds and was for plugin code.

There haven't been any later Win Debug Reftest cycles than this one, but there's one in-progress... we'll see if it turns out to be orange.

mattwoodrow / cjones: if you're awake, please advise as to best course of action...

given that this was just a one-liner and wasn't a blocker, I'm tempted to just back it out, but I suppose the other option would be to temporarily mark the test as "random-if(d2d)" pending investivation.
(In reply to comment #6)
> There haven't been any later Win Debug Reftest cycles than this one, but
> there's one in-progress... we'll see if it turns out to be orange.

Hm - so that next reftest cycle turned out green, so despite my suspicions, this isn't a perma-orange (and hence doesn't necessitate as immediate of a backout/test-disabling).

I guess it's is a new randomorange (though still possibly/probably introduced by this checkin, since it's never been reported before), so I filed a new randomorange bug to track it: Bug 632765
This didn't fix the problem, apparently; both XP and Win7 crashed in the same way in Tp4 on this push.

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297250293.1297251511.18503.gz
Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x10

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_flush [cairo-surface.c:1bb9a9e03483 : 967 + 0x4]
    eip = 0x102cb185   esp = 0x0012f744   ebp = 0x0012f780   ebx = 0x00817580
    esi = 0x00000000   edi = 0x00817580   eax = 0x00000000   ecx = 0x000007d0
    edx = 0x000007d0   efl = 0x00050246
    Found by: given as instruction pointer in context
 1  xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:1bb9a9e03483 : 73 + 0x8]
    eip = 0x10002f61   esp = 0x0012f74c   ebp = 0x0012f780
    Found by: call frame info
 2  xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:1bb9a9e03483 : 62 + 0x1e]
    eip = 0x100031f0   esp = 0x0012f788   ebp = 0x0012f7c4
    Found by: previous frame's frame pointer
 3  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:1bb9a9e03483 : 2818 + 0xb]
    eip = 0x10878c38   esp = 0x0012f7cc   ebp = 0x0012f864
    Found by: previous frame's frame pointer

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297250446.1297251941.21130.gz
Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x10

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_flush [cairo-surface.c:1bb9a9e03483 : 967 + 0x4]
    eip = 0x6840b185   esp = 0x0012f284   ebp = 0x0012f2c8   ebx = 0x00416600
    esi = 0x00000000   edi = 0x00416600   eax = 0x00000000   ecx = 0x000007d0
    edx = 0x000007d0   efl = 0x00210246
    Found by: given as instruction pointer in context
 1  xul.dll!gfxAlphaRecovery::RecoverAlphaSSE2(gfxImageSurface *,gfxImageSurface const *) [gfxAlphaRecoverySSE2.cpp:1bb9a9e03483 : 73 + 0x8]
    eip = 0x68142f61   esp = 0x0012f28c   ebp = 0x0012f2c8
    Found by: call frame info
 2  xul.dll!gfxAlphaRecovery::RecoverAlpha(gfxImageSurface *,gfxImageSurface const *,gfxAlphaRecovery::Analysis *) [gfxAlphaRecovery.cpp:1bb9a9e03483 : 62 + 0x1e]
    eip = 0x681431f0   esp = 0x0012f2d0   ebp = 0x0012f30c
    Found by: previous frame's frame pointer
 3  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectWithAlphaExtraction(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp:1bb9a9e03483 : 2818 + 0xb]
    eip = 0x689b8c38   esp = 0x0012f314   ebp = 0x0012f3ac
    Found by: previous frame's frame pointer
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We've closed the tree for this for the time being.
I've backed out bug 626602, this bug and bug 631388 (just because it was conflicting with code changes) to try to reopen the tree.

Waiting for results before reopening both the tree and the bugs.
tracking-fennec: --- → ?
(In reply to comment #6)
> This seems to have caused what might turn into a perma-orange.  On the cset in
> comment 5, we have:
> http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1297243018.1297246637.27566.gz
> Rev3 WINNT 6.1 mozilla-central debug test reftest on 2011/02/09 01:16:58
> REFTEST TEST-UNEXPECTED-FAIL |
> file:///c:/talos-slave/test/build/reftest/tests/modules/plugin/test/reftest/plugin-background-10-step.html
> | image comparison (==)

This was a test added by bug 626602.  The windows plugins tests have been observed not to work properly (not wait for a plugin paint before snapshotting), so marking these random would have been OK.

The talos crashes are something we need to sort out in 626602.
Status: REOPENED → RESOLVED
tracking-fennec: ? → ---
Last Resolved: 8 years ago8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 626602
I backed out all the changesets in this bug (the temporary patch in comment 5)
You need to log in before you can comment on or make changes to this bug.