Last Comment Bug 639168 - Fennec 4.0b5 crash [@ gfxContext::gfxContext]
: Fennec 4.0b5 crash [@ gfxContext::gfxContext]
Status: RESOLVED FIXED
: crash, topcrash
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: ARM Android
: -- critical (vote)
: mozilla7
Assigned To: Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
:
Mentors:
Depends on: 665218
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-05 08:27 PST by Josh Matthews [:jdm]
Modified: 2011-12-13 07:32 PST (History)
7 users (show)
mounir: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
fixed
fixed


Attachments
possible fix (120 bytes, patch)
2011-05-24 22:15 PDT, Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
no flags Details | Diff | Splinter Review
actual patch (1.06 KB, patch)
2011-05-24 22:20 PDT, Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
tnikkel: review+
jpr: approval‑mozilla‑aurora+
jpr: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description Josh Matthews [:jdm] 2011-03-05 08:27:43 PST
This bug was filed from the Socorro interface and is 
report bp-c9f10352-4dcb-4049-9783-c60b52110223 .
============================================================= 

Looks like the line 

64    mCairo = cairo_create(surface->CairoSurface());

is crashing, since surface is presumably null (crash address of 0x4 on every reported crash).  ThebesLayerBuffer::GetContextForQuadrantUpdate seems to pass mBuffer to |new gfxContext| unconditionally, when it can potentially be null.

0 	libxul.so 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	libxul.so 	mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate 	nsAutoPtr.h:992
2 	libxul.so 	mozilla::layers::ThebesLayerBuffer::BeginPaint 	nsAutoPtr.h:954
3 	libxul.so 	mozilla::layers::BasicThebesLayer::Paint 	nsRegion.h:385
4 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1431
5 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1436
6 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	gfx/layers/basic/BasicLayers.cpp:1308
7 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:1256
8 	libxul.so 	mozilla::layers::BasicShadowLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:2699
9 	libxul.so 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:541
10 	libxul.so 	nsDisplayList::PaintRoot 	layout/base/nsDisplayList.cpp:460
11 	libxul.so 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1570
12 	libxul.so 	PresShell::Paint 	layout/base/nsPresShell.cpp:6190
13 	libxul.so 	nsViewManager::RenderViews 	view/src/nsViewManager.cpp:459
14 	libxul.so 	nsViewManager::Refresh 	view/src/nsViewManager.h:250
15 	libxul.so 	nsViewManager::DispatchEvent 	nsCOMPtr.h:492
16 	libxul.so 	HandleEvent 	nsCOMPtr.h:492
17 	libxul.so 	mozilla::widget::PuppetWidget::DispatchEvent 	widget/src/xpwidgets/PuppetWidget.cpp:308
18 	libxul.so 	mozilla::widget::PuppetWidget::DispatchPaintEvent 	widget/src/xpwidgets/PuppetWidget.cpp:514
19 	libxul.so 	mozilla::widget::PuppetWidget::PaintTask::Run 	widget/src/xpwidgets/PuppetWidget.cpp:556
20 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
21 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
22 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
23 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
24 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
25 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
26 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
27 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:678
28 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
29 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
30 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
31 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
32 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:778
33 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
34 	libc.so 	libc.so@0xd67a 

More crashes at https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-05%2005%3A00%3A00&signature=gfxContext%3A%3AgfxContext&version=Fennec%3A4.0b5
Comment 1 Scoobidiver (away) 2011-03-31 09:39:51 PDT
It is #15 top crasher in 4.0.
Comment 2 Doug Turner (:dougt) 2011-05-24 19:09:22 PDT
maybe just a OOM, but mBuffer is being tested before use in other places in this file.  Maybe it is comment that mBuffer is nulled out (like in Clear()).
Comment 3 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-05-24 22:15:45 PDT
Created attachment 534989 [details] [diff] [review]
possible fix

This might help. BufferSizeOkFor might return true even if the buffer dimensions are 0,0 after being cleared, if the needed region is empty.

With this patch, I can't see that we'd get to GetContextForQuadrantUpdate with a null mBuffer.
Comment 4 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-05-24 22:20:29 PDT
Created attachment 534990 [details] [diff] [review]
actual patch
Comment 5 Timothy Nikkel (:tnikkel) 2011-05-25 11:33:09 PDT
Comment on attachment 534990 [details] [diff] [review]
actual patch

Seems fine, although I'm not very familiar with this code.
Comment 6 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-05-29 20:33:24 PDT
http://hg.mozilla.org/projects/cedar/rev/37923e6be386
Comment 7 Mounir Lamouri (:mounir) 2011-05-30 06:02:54 PDT
Pushed:
http://hg.mozilla.org/mozilla-central/rev/37923e6be386
Comment 8 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-05-30 14:37:05 PDT
Comment on attachment 534990 [details] [diff] [review]
actual patch

Review of attachment 534990 [details] [diff] [review]:
-----------------------------------------------------------------

Super-safe patch, might fix topcrash.
Comment 9 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-06-01 17:32:24 PDT
http://hg.mozilla.org/releases/mozilla-aurora/rev/c43281466451

http://hg.mozilla.org/releases/mozilla-beta/rev/77075f01ce94
Comment 10 Josh Matthews [:jdm] 2011-06-22 20:24:20 PDT
Still seeing the same stack on Fennec 5.

https://crash-stats.mozilla.com/report/index/2513d055-8f36-400c-8292-7f28c2110622
Comment 11 Josh Matthews [:jdm] 2011-07-07 08:37:14 PDT
Bug 665218 has STR that end in a gfxContext::gfxContext crash.
Comment 12 Scoobidiver (away) 2011-12-13 07:32:09 PST
There have been no crashes in Fennec versions above 5.0 for the last four weeks.
I close it as fixed.

Note You need to log in before you can comment on or make changes to this bug.