Closed Bug 640272 Opened 9 years ago Closed 9 years ago

Crash [@ nsCSSRendering::PaintBorderWithStyleBorder ] [@ DrawBorderImage ] | ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'

Categories: Core :: Layout, defect, major
Platform: x86, All
Priority: Not set
Tracking: RESOLVED FIXED, mozilla5
Tracking Status:
blocking2.0 --- Macaw+
status2.0 --- .1-fixed
status1.9.2 --- unaffected
People: Reporter: bc, Assigned: mats
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 4 files
1. http://prodotti.esplorasviluppo.com/
2. crash mac/win/linux 2.0.0 but not 1.9.2

bp-10b572a1-d4b1-4d66-8f0f-0a9e52110309 (mac)
bp-e619b03a-301d-4350-9683-153e52110309 (winxp)

on mac debug

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/nsCOMPtr.h, line 819

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x04d1055c in DrawBorderImage (aPresContext=0xf28400, aRenderingContext=@0x23bc1620, aForFrame=0xfbb060, aBorderArea=@0xbfffad98, aStyleBorder=@0xfbb0d0, aDirtyRect=@0xf61158) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsCSSRendering.cpp:2767
2767	  if (NS_FAILED(imgContainer->GetWidth(&imageSize.width))) {
(gdb) bt
#0  0x04d1055c in DrawBorderImage (aPresContext=0xf28400, aRenderingContext=@0x23bc1620, aForFrame=0xfbb060, aBorderArea=@0xbfffad98, aStyleBorder=@0xfbb0d0, aDirtyRect=@0xf61158) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsCSSRendering.cpp:2767
#1  0x04d1415e in nsCSSRendering::PaintBorderWithStyleBorder (aPresContext=0xf28400, aRenderingContext=@0x23bc1620, aForFrame=0xfbb060, aDirtyRect=@0xf61158, aBorderArea=@0xbfffad98, aStyleBorder=@0xfbb0d0, aStyleContext=0xfbad70, aSkipSides=0) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsCSSRendering.cpp:542
#2  0x04d14c6f in nsCSSRendering::PaintBorder (aPresContext=0xf28400, aRenderingContext=@0x23bc1620, aForFrame=0xfbb060, aDirtyRect=@0xf61158, aBorderArea=@0xbfffad98, aStyleContext=0xfbad70, aSkipSides=0) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsCSSRendering.cpp:489
#3  0x04d2e903 in nsDisplayBorder::Paint (this=0xf61144, aBuilder=0xbfffbba4, aCtx=0x23bc1620) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsDisplayList.cpp:1290
#4  0x04ce17d8 in mozilla::FrameLayerBuilder::DrawThebesLayer (aLayer=0x235c9480, aContext=0x1f0298e0, aRegionToDraw=@0xbfffb1e0, aRegionToInvalidate=@0xbfffb210, aCallbackData=0xbfffbba4) at /work/mozilla/builds/2.0.0/mozilla/layout/base/FrameLayerBuilder.cpp:1874
#5  0x062d5eac in mozilla::layers::BasicThebesLayer::PaintBuffer (this=0x235c9480, aContext=0x1f0298e0, aRegionToDraw=@0xbfffb1e0, aRegionToInvalidate=@0xbfffb210, aCallback=0x4ce0ebe <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0xbfffbba4) at /work/mozilla/builds/2.0.0/mozilla/gfx/layers/basic/BasicLayers.cpp:438

wgetting the page results in a reproducible crash. I'll reduce it as time permits.
Attached file Firefox.css
Attached file testlocal.html
1. save testlocal.html to disk.
2. save Firefox.css to css/ relative to testlocal.html
3. load testlocal.html
4. crash

Including the css in a style element, placing the css on bugzilla, or placing the css file in the same directory as the html file do not reproduce the crash.
Regression range:  2009-09-12-03 -- 2009-09-13-03
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff3496b1f6c7&tochange=bf0fdec8f43b
bug 512435 or bug 435296?

I can't reproduce the crash with the testcase, but the URL crashes every time.
The problem seems to be that the stylesheet border images are served as text/html.

# wget -S http://prodotti.esplorasviluppo.com/css/Img/bg-tab-sel.png

HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Fri, 25 Mar 2011 05:04:01 GMT
  Server: Apache/2.0.63 (CentOS)
  X-Powered-By: PHP/5.1.6
  Set-Cookie: symfony=i3mgd52knea1afbcc4135rch77; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 0
  Connection: close
  Content-Type: text/html; charset=UTF-8
Length: 0 [text/html]
Attached patch fix
make IsBorderImageLoaded() check imgIRequest::STATUS_ERROR
Assignee: nobody → matspal
Attachment #521725 - Flags: review?(bzbarsky)
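
Added example, not part of the bug report and not Mozilla's patch: a simplified C++ model of the failure diagnosed above, where a border image URL answers 200 OK with an empty text/html body, the load still "completes", and no image container exists when painting starts. ImageRequest, FinishLoad, DrawBorder and the flag values are hypothetical, and it assumes the pre-fix check looked only at load completion.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>

// Flag names follow the bug; the numeric values are constructed for this model.
enum : uint32_t { STATUS_LOAD_COMPLETE = 1u << 0, STATUS_ERROR = 1u << 1 };

struct ImageContainer { int width; int height; };

// Hypothetical stand-in for an image request and its decoded container.
struct ImageRequest {
  uint32_t status = 0;
  std::unique_ptr<ImageContainer> container;  // stays null if nothing decoded
};

// The transfer always "completes"; only a non-empty image/* body yields a container.
ImageRequest FinishLoad(const std::string& contentType, size_t contentLength) {
  ImageRequest req;
  req.status |= STATUS_LOAD_COMPLETE;
  if (contentType.rfind("image/", 0) == 0 && contentLength > 0) {
    req.container.reset(new ImageContainer{16, 16});
  } else {
    req.status |= STATUS_ERROR;  // e.g. Content-Type: text/html, Content-Length: 0
  }
  return req;
}

// Assumed pre-fix behaviour: load completion alone counts as "loaded".
bool IsLoadedBeforeFix(const ImageRequest& r) {
  return (r.status & STATUS_LOAD_COMPLETE) != 0;
}

// Behaviour described by the patch comment: also reject requests flagged as errors.
bool IsLoadedAfterFix(const ImageRequest& r) {
  return (r.status & STATUS_LOAD_COMPLETE) && !(r.status & STATUS_ERROR);
}

enum DrawResult { DREW_IMAGE, FELL_BACK, WOULD_CRASH };

DrawResult DrawBorder(const ImageRequest& r, bool (*isLoaded)(const ImageRequest&)) {
  if (!isLoaded(r)) return FELL_BACK;    // paint the ordinary CSS border instead
  if (!r.container) return WOULD_CRASH;  // the real code dereferenced a null pointer here
  return r.container->width > 0 ? DREW_IMAGE : FELL_BACK;
}

int main() {
  ImageRequest bad = FinishLoad("text/html; charset=UTF-8", 0);
  return DrawBorder(bad, IsLoadedAfterFix) == FELL_BACK ? 0 : 1;
}
```
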
Comment on attachment 521725 [details] [diff] [review]
fix

r=me.
Attachment #521725 - Flags: review?(bzbarsky) → review+
We should get this into any update we do for fx4...
blocking2.0: --- → ?
status2.0: --- → ?
Attached patch crashtest.diff
Fixed in Cedar:
http://hg.mozilla.org/projects/cedar/rev/44629b1dd299
Flags: in-testsuite+
Whiteboard: fixed-in-cedar
http://hg.mozilla.org/mozilla-central/rev/44629b1dd299
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-cedar
Target Milestone: --- → mozilla2.2
Comment on attachment 521725 [details] [diff] [review]
fix

Low-risk crash fix for mozilla-2.0 branch.
Attachment #521725 - Flags: approval2.0?
Comment on attachment 521725 [details] [diff] [review]
fix

Approved for the mozilla2.0 repository, a=dveditz for release-drivers

Please land this for the Tumucumaque Macaw release.
Attachment #521725 - Flags: approval2.0? → approval2.0+
blocking2.0: ? → Macaw+
Crash Signature: [@ nsCSSRendering::PaintBorderWithStyleBorder ] [@ DrawBorderImage ]