Fennec 4.0b5 crash [@ gfxContext::gfxContext]

RESOLVED FIXED in Firefox 5

Status

Core
Graphics
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: jdm, Assigned: roc)

Tracking

({crash, topcrash})

Trunk
mozilla7
ARM
Android
crash, topcrash
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox5 fixed, firefox6 fixed)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is report bp-c9f10352-4dcb-4049-9783-c60b52110223.
============================================================= 

Looks like the line 

64    mCairo = cairo_create(surface->CairoSurface());

is crashing, since surface is presumably null (crash address of 0x4 on every reported crash).  ThebesLayerBuffer::GetContextForQuadrantUpdate seems to pass mBuffer to |new gfxContext| unconditionally, when it can potentially be null.

0 	libxul.so 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	libxul.so 	mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate 	nsAutoPtr.h:992
2 	libxul.so 	mozilla::layers::ThebesLayerBuffer::BeginPaint 	nsAutoPtr.h:954
3 	libxul.so 	mozilla::layers::BasicThebesLayer::Paint 	nsRegion.h:385
4 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1431
5 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1436
6 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	gfx/layers/basic/BasicLayers.cpp:1308
7 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:1256
8 	libxul.so 	mozilla::layers::BasicShadowLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:2699
9 	libxul.so 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:541
10 	libxul.so 	nsDisplayList::PaintRoot 	layout/base/nsDisplayList.cpp:460
11 	libxul.so 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1570
12 	libxul.so 	PresShell::Paint 	layout/base/nsPresShell.cpp:6190
13 	libxul.so 	nsViewManager::RenderViews 	view/src/nsViewManager.cpp:459
14 	libxul.so 	nsViewManager::Refresh 	view/src/nsViewManager.h:250
15 	libxul.so 	nsViewManager::DispatchEvent 	nsCOMPtr.h:492
16 	libxul.so 	HandleEvent 	nsCOMPtr.h:492
17 	libxul.so 	mozilla::widget::PuppetWidget::DispatchEvent 	widget/src/xpwidgets/PuppetWidget.cpp:308
18 	libxul.so 	mozilla::widget::PuppetWidget::DispatchPaintEvent 	widget/src/xpwidgets/PuppetWidget.cpp:514
19 	libxul.so 	mozilla::widget::PuppetWidget::PaintTask::Run 	widget/src/xpwidgets/PuppetWidget.cpp:556
20 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
21 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
22 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
23 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
24 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
25 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
26 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
27 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:678
28 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
29 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
30 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
31 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
32 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:778
33 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
34 	libc.so 	libc.so@0xd67a 

More crashes at https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-05%2005%3A00%3A00&signature=gfxContext%3A%3AgfxContext&version=Fennec%3A4.0b5
(Reporter)

Updated

6 years ago
Component: General → Graphics
Product: Fennec → Core
QA Contact: general → thebes

Comment 1

6 years ago
It is the #15 top crasher in 4.0.

Updated

6 years ago
Keywords: topcrash
OS: Linux → Android
Hardware: All → ARM
Version: Trunk → 2.0 Branch

Comment 2

6 years ago
Maybe just an OOM, but mBuffer is being tested before use in other places in this file. Maybe it is common that mBuffer is nulled out (like in Clear()).
Created attachment 534989 [details] [diff] [review]
possible fix

This might help. BufferSizeOkFor might return true even if the buffer dimensions are 0,0 after being cleared, if the needed region is empty.

With this patch, I can't see that we'd get to GetContextForQuadrantUpdate with a null mBuffer.
Assignee: nobody → roc
Attachment #534989 - Flags: review?(tnikkel)
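To make the failure mode described above concrete, here is an added C++ model (not Gecko code, and not the landed patch): a size check that treats a missing buffer as 0x0 lets an empty needed region pass, so a null buffer reaches the context constructor unconditionally. The class and function names are hypothetical stand-ins for ThebesLayerBuffer, BufferSizeOkFor, GetContextForQuadrantUpdate and gfxContext, and the guarded variant is an assumed fix, not attachment 534990.

```cpp
#include <memory>

// Simplified model of the buffer described in the report; these are not the
// real Gecko classes (ThebesLayerBuffer, gfxASurface, gfxContext).
struct Surface { int width, height; };
struct Region  { int width, height; bool IsEmpty() const { return width <= 0 || height <= 0; } };

enum class PaintResult { Painted, Skipped, NullSurfaceDeref };

// Stand-in for `new gfxContext(mBuffer)`: the real constructor dereferences
// the surface (gfxContext.cpp:64), so a null surface crashes at address 0x4.
// Here the null case is reported as a value instead of faulting.
static PaintResult MakeContext(Surface* surface) {
    return surface ? PaintResult::Painted : PaintResult::NullSurfaceDeref;
}

struct LayerBufferModel {
    std::unique_ptr<Surface> mBuffer;   // becomes null in Clear()

    void Clear() { mBuffer.reset(); }

    // Treats a missing buffer as 0x0. An empty needed region therefore "fits",
    // which is the trap comment 2 describes.
    bool BufferSizeOkFor(const Region& needed) const {
        int w = mBuffer ? mBuffer->width : 0;
        int h = mBuffer ? mBuffer->height : 0;
        return needed.width <= w && needed.height <= h;
    }

    void Allocate(const Region& needed) {
        mBuffer.reset(new Surface{needed.width, needed.height});
    }

    // Original flow: allocate only when the size check fails, then hand
    // mBuffer to the context constructor unconditionally.
    PaintResult BeginPaintBuggy(const Region& needed) {
        if (!BufferSizeOkFor(needed)) Allocate(needed);
        return MakeContext(mBuffer.get());   // null after Clear() + empty region
    }

    // Guarded flow (assumed fix, hypothetical): bail out early on an empty
    // region and never build a context from a null buffer.
    PaintResult BeginPaintGuarded(const Region& needed) {
        if (needed.IsEmpty()) return PaintResult::Skipped;
        if (!mBuffer || !BufferSizeOkFor(needed)) Allocate(needed);
        return MakeContext(mBuffer.get());
    }
};
```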
Created attachment 534990 [details] [diff] [review]
actual patch
Attachment #534989 - Attachment is obsolete: true
Attachment #534989 - Flags: review?(tnikkel)
Attachment #534990 - Flags: review?(tnikkel)
Comment on attachment 534990 [details] [diff] [review]
actual patch

Seems fine, although I'm not very familiar with this code.
Attachment #534990 - Flags: review?(tnikkel) → review+
Whiteboard: [needs landing]
http://hg.mozilla.org/projects/cedar/rev/37923e6be386
Whiteboard: [needs landing] → [fixed-in-cedar]
Pushed:
http://hg.mozilla.org/mozilla-central/rev/37923e6be386
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [fixed-in-cedar]
Target Milestone: --- → mozilla7
Version: 2.0 Branch → Trunk
Comment on attachment 534990 [details] [diff] [review]
actual patch

Review of attachment 534990 [details] [diff] [review]:
-----------------------------------------------------------------

Super-safe patch, might fix topcrash.
Attachment #534990 - Flags: approval-mozilla-beta?
Attachment #534990 - Flags: approval-mozilla-aurora?

Updated

6 years ago
Attachment #534990 - Flags: approval-mozilla-beta?
Attachment #534990 - Flags: approval-mozilla-beta+
Attachment #534990 - Flags: approval-mozilla-aurora?
Attachment #534990 - Flags: approval-mozilla-aurora+
http://hg.mozilla.org/releases/mozilla-aurora/rev/c43281466451

http://hg.mozilla.org/releases/mozilla-beta/rev/77075f01ce94
status-firefox5: --- → fixed
status-firefox6: --- → fixed
Crash Signature: [@ gfxContext::gfxContext]
(Reporter)

Comment 10

6 years ago
Still seeing the same stack on Fennec 5.

https://crash-stats.mozilla.com/report/index/2513d055-8f36-400c-8292-7f28c2110622
(Reporter)

Updated

6 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 11

6 years ago
Bug 665218 has STR that end in a gfxContext::gfxContext crash.

Updated

6 years ago
Crash Signature: [@ gfxContext::gfxContext] → [@ gfxContext::gfxContext] [@ gfxContext::gfxContext(gfxASurface*) ]

Comment 12

5 years ago
There have been no crashes in Fennec versions above 5.0 for the last four weeks.
I close it as fixed.
Status: REOPENED → RESOLVED
Crash Signature: [@ gfxContext::gfxContext] [@ gfxContext::gfxContext(gfxASurface*) ] → [@ gfxContext::gfxContext]
Last Resolved: 6 years ago → 5 years ago
Depends on: 665218
Resolution: --- → FIXED