Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 639168 - Fennec 4.0b5 crash [@ gfxContext::gfxContext]
: Fennec 4.0b5 crash [@ gfxContext::gfxContext]
: crash, topcrash
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: ARM Android
: -- critical (vote)
: mozilla7
Assigned To: Robert O'Callahan (:roc) (email my personal email if necessary)
: Milan Sreckovic [:milan]
Depends on: 665218
  Show dependency treegraph
Reported: 2011-03-05 08:27 PST by Josh Matthews [:jdm]
Modified: 2011-12-13 07:32 PST (History)
7 users (show)
mounir: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

possible fix (120 bytes, patch)
2011-05-24 22:15 PDT, Robert O'Callahan (:roc) (email my personal email if necessary)
no flags Details | Diff | Splinter Review
actual patch (1.06 KB, patch)
2011-05-24 22:20 PDT, Robert O'Callahan (:roc) (email my personal email if necessary)
tnikkel: review+
jpr: approval‑mozilla‑aurora+
jpr: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description Josh Matthews [:jdm] 2011-03-05 08:27:43 PST
This bug was filed from the Socorro interface and is 
report bp-c9f10352-4dcb-4049-9783-c60b52110223 .

Looks like the line 

64    mCairo = cairo_create(surface->CairoSurface());

is crashing, since surface is presumably null (crash address of 0x4 on every reported crash).  ThebesLayerBuffer::GetContextForQuadrantUpdate seems to pass mBuffer to |new gfxContext| unconditionally, when it can potentially be null.

0 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate 	nsAutoPtr.h:992
2 	mozilla::layers::ThebesLayerBuffer::BeginPaint 	nsAutoPtr.h:954
3 	mozilla::layers::BasicThebesLayer::Paint 	nsRegion.h:385
4 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1431
5 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1436
6 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	gfx/layers/basic/BasicLayers.cpp:1308
7 	mozilla::layers::BasicLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:1256
8 	mozilla::layers::BasicShadowLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:2699
9 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:541
10 	nsDisplayList::PaintRoot 	layout/base/nsDisplayList.cpp:460
11 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1570
12 	PresShell::Paint 	layout/base/nsPresShell.cpp:6190
13 	nsViewManager::RenderViews 	view/src/nsViewManager.cpp:459
14 	nsViewManager::Refresh 	view/src/nsViewManager.h:250
15 	nsViewManager::DispatchEvent 	nsCOMPtr.h:492
16 	HandleEvent 	nsCOMPtr.h:492
17 	mozilla::widget::PuppetWidget::DispatchEvent 	widget/src/xpwidgets/PuppetWidget.cpp:308
18 	mozilla::widget::PuppetWidget::DispatchPaintEvent 	widget/src/xpwidgets/PuppetWidget.cpp:514
19 	mozilla::widget::PuppetWidget::PaintTask::Run 	widget/src/xpwidgets/PuppetWidget.cpp:556
20 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
21 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
22 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
23 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
24 	MessageLoop::RunInternal 	ipc/chromium/src/base/
25 	MessageLoop::Run 	ipc/chromium/src/base/
26 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
27 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:678
28 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
29 	MessageLoop::RunInternal 	ipc/chromium/src/base/
30 	MessageLoop::Run 	ipc/chromium/src/base/
31 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
32 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:778
33 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69

More crashes at
Comment 1 Scoobidiver (away) 2011-03-31 09:39:51 PDT
It is #15 top crasher in 4.0.
Comment 2 Doug Turner (:dougt) 2011-05-24 19:09:22 PDT
maybe just a OOM, but mBuffer is being tested before use in other places in this file.  Maybe it is comment that mBuffer is nulled out (like in Clear()).
Comment 3 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-05-24 22:15:45 PDT
Created attachment 534989 [details] [diff] [review]
possible fix

This might help. BufferSizeOkFor might return true even if the buffer dimensions are 0,0 after being cleared, if the needed region is empty.

With this patch, I can't see that we'd get to GetContextForQuadrantUpdate with a null mBuffer.
Comment 4 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-05-24 22:20:29 PDT
Created attachment 534990 [details] [diff] [review]
actual patch
Comment 5 Timothy Nikkel (:tnikkel) 2011-05-25 11:33:09 PDT
Comment on attachment 534990 [details] [diff] [review]
actual patch

Seems fine, although I'm not very familiar with this code.
Comment 6 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-05-29 20:33:24 PDT
Comment 7 Mounir Lamouri (:mounir) 2011-05-30 06:02:54 PDT
Comment 8 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-05-30 14:37:05 PDT
Comment on attachment 534990 [details] [diff] [review]
actual patch

Review of attachment 534990 [details] [diff] [review]:

Super-safe patch, might fix topcrash.
Comment 9 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-06-01 17:32:24 PDT
Comment 10 Josh Matthews [:jdm] 2011-06-22 20:24:20 PDT
Still seeing the same stack on Fennec 5.
Comment 11 Josh Matthews [:jdm] 2011-07-07 08:37:14 PDT
Bug 665218 has STR that end in a gfxContext::gfxContext crash.
Comment 12 Scoobidiver (away) 2011-12-13 07:32:09 PST
There have been no crashes in Fennec versions above 5.0 for the last four weeks.
I close it as fixed.

Note You need to log in before you can comment on or make changes to this bug.