Closed Bug 656589 Opened 14 years ago Closed 13 years ago

Crash [@ cairo_d2d_present_backbuffer ] invalid & oversize select option content causes crash on clicking select box

Categories

(Core :: Graphics, defect)

2.0 Branch
x86
Windows 7
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla10
Tracking Status
firefox6 - ---
firefox8 --- affected
firefox9 --- affected
firefox10 --- verified

People

(Reporter: loki1985, Assigned: bas.schouten)

Details

(Keywords: crash, testcase, verified-beta, Whiteboard: [tbird crash][qa!])

Attachments

(2 files, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

while developing a PHP site, i had a serverside bug which destroyed the site's content and filled the content of a select option tag with html. then i noticed that clicking said select in firefox, it crashed firefox.

i managed to reduce the HTML to a working testcase, see "additional information". when reducing the dummy text content (lorem ipsum) by half, instead of crashing firefox causes windows 7 to switch to basic color mode in an ugly way.

speculation: could have to do with multimonitor setups, since all machines i have access to at the moment have 2 or 3 monitors. cannot test on single monitor machine right now.

Reproducible: Always

Steps to Reproduce:
1. create somefile.html on your harddrive
2. copy HTML from "additional information" to somefile.html and save
3. open somefile.html in firefox
4. click on visible selectbox (lorem ipsum text)

Actual Results: firefox crashes

Expected Results: no crash

<div> <select> <option value="0"> <html> <body> Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. 
Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. 
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. </body> </html>
Attached file testcase
I don't crash with Nightly nor Namoroka on Mac.
Nor 4.0, 4.0.1 or Nightly on WinXp. loki, can you submit a crash report and paste the id here? http://support.mozilla.com/en-US/kb/Firefox%20crashes?s=crash+report&as=s
maybe related to bug 595990 ? not security sensitive.
Summary: invalid & oversize select option content causes crash on clicking select box → Crash [@ cairo_d2d_present_backbuffer ] invalid & oversize select option content causes crash on clicking select box
Group: core-security
This function (should) never get called with default settings, considering this only occurs in a combination of Direct2D with BasicLayers, which is unsupported. Could you post your about:support?
Allgemeine Informationen
  Name: Firefox
  Version: 4.0.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
  Profilordner: Beinhaltenden Ordner anzeigen
  Aktivierte Plugins: about:plugins
  Build-Konfiguration: about:buildconfig

Erweiterungen
  Name | Version | Aktiviert | ID
  Java Console | 6.0.23 | true | {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
  Java Console | 6.0.25 | true | {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
  Firebug | 1.7.0 | true | firebug@software.joehewitt.com
  FirePHP | 0.5.0 | true | FirePHPExtension-Build@firephp.org
  Adblock Plus | 1.3.6 | true | {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

Modifizierte Einstellungen
  Name | Wert
  accessibility.typeaheadfind.flashBar | 0
  browser.places.importBookmarksHTML | false
  browser.places.smartBookmarksVersion | 2
  browser.startup.homepage | http://www.google.de/
  browser.startup.homepage_override.buildID | 20110413222027
  browser.startup.homepage_override.mstone | rv:2.0.1
  extensions.lastAppVersion | 4.0.1
  network.cookie.prefsMigrated | true
  places.database.lastMaintenance | 1305188377
  places.history.expiration.transient_current_max_pages | 128466
  privacy.sanitize.migrateFx3Prefs | true
  security.warn_viewing_mixed | false

Grafik
  Karten-Beschreibung: NVIDIA GeForce 8500 GT
  Vendor-ID: 10de
  Geräte-ID: 0421
  Karten-Ram: 256
  Karten-Treiber: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  Treiber-Version: 8.17.12.6658
  Treiber-Datum: 1-7-2011
  Direct2D aktiviert: true
  DirectWrite aktiviert: true (6.1.7601.17563, font cache 1,43 MB)
  WebGL-Renderer: Google Inc. -- ANGLE -- OpenGL ES 2.0 (ANGLE 0.0.0.611)
  GPU-beschleunigte Fenster: 1/1 Direct3D 10
some more information: my machine has 3 monitors on 2 graphics cards active, one nvidia (shown above), one intel onboard, and runs windows 7. the problem was reproducible on 2 other machines, specs not completely known, but with 2 monitors each.
forgot to say: the 2 other machines are also running windows 7. so this was only reproduced on win7 by me.
So, I can confirm this bug, the problem is that this is causing a window to be created which is too big for the D3D10 layer manager, so its creation fails. It then creates a fallback layermanager. Which is a problem, in the past we clamped window sizes but it seems somehow that stopped. I suspect we'll want this fixed for Firefox 6.
Version: unspecified → 4.0 Branch
Keywords: crash, testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Looks like this is broken since 4.0 and hence not 6.0-specific - we would like to see an approval request for a safe fix, but not tracking+
Component: General → Graphics
Product: Firefox → Core
QA Contact: general → thebes
Version: 4.0 Branch → unspecified
Crash Signature: [@ cairo_d2d_present_backbuffer ]
Blocks: 682103
Assignee: nobody → bas.schouten
This patch causes us to:
1. Not use accelerated layers when the window is very big. (On my ATI drivers D3D9 would pretend to successfully create a swap chain but not actually work, this made this bug not crash for me, but not work right either)
2. Fall back to GDI when a non-functional D2D surface is created.
Attachment #556574 - Flags: review?(jmathies)
Comment on attachment 556574 [details] [diff] [review] Avoid using non-functional Direct2D surfaces Review of attachment 556574 [details] [diff] [review]: ----------------------------------------------------------------- This solves the crash problem on my system. I did see an assert though when selecting the drop down: ###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file f:\Mozilla\firefox\MC-DBG\dist\include\gfxASurface.h, line 119 Is that expected? ::: widget/src/windows/nsWindow.cpp @@ +3183,5 @@ > > +// We should never really try to accelerate windows bigger than this. In some > +// cases this might lead to no D3D9 acceleration where we could have had it > +// but D3D9 does not reliably report when it supports bigger windows. > +#define MAX_ACCELERATED_DIMENSION 8192 Please move this up to the top of the file with the rest of the defines. What was your reasoning for using this specific value?
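Review bot: the comment above `#define MAX_ACCELERATED_DIMENSION 8192` in widget/src/windows/nsWindow.cpp explains why a cap is needed but not where 8192 comes from, and it names only D3D9. Record the origin of the value in the comment so the cap can be revisited if the hardware limit changes, and state whether it applies to width and height independently, since the quoted lines do not show the comparison that uses it.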
reporter of bp-ca41b661-9deb-4dba-a14a-89bb62110826 could possibly test once this lands. ("hitting send button kills nvidia 330m driver on spring 2010 macbook pro 15, win 7 64 ult, all updates. happens all the time.")
Severity: normal → critical
Whiteboard: [tbird crash]
Ugh, this review escaped my attention during the all-hands it seems. (In reply to Jim Mathies [:jimm] from comment #14) > Comment on attachment 556574 [details] [diff] [review] [diff] [details] [review] > Avoid using non-functional Direct2D surfaces > > Review of attachment 556574 [details] [diff] [review] [diff] [details] [review]: > ----------------------------------------------------------------- > > This solves the crash problem on my system. I did see an assert though when > selecting the drop down: > > ###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: > 'mSurface != nsnull', file > f:\Mozilla\firefox\MC-DBG\dist\include\gfxASurface.h, line 119 > > Is that expected? It is. We use CairoSurface() to check the validity. We conclude it's invalid, it kinda sucks that asserts. I could switch this to just use CairoStatus which returns -1 if the surface is invalid. > > ::: widget/src/windows/nsWindow.cpp > @@ +3183,5 @@ > > > > +// We should never really try to accelerate windows bigger than this. In some > > +// cases this might lead to no D3D9 acceleration where we could have had it > > +// but D3D9 does not reliably report when it supports bigger windows. > > +#define MAX_ACCELERATED_DIMENSION 8192 > > Please move this up to the top of the file with the rest of the defines. > What was your reasoning for using this specific value? This is the maximum texture size for D3D10. I'm fine with moving it up.
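The two guards described in the patch comments above (skip acceleration for very large windows, and fall back when the created surface is not functional), as an added C++ example that is not the Gecko patch. `Surface`, `CreateAcceleratedSurface`, `GetSurfaceForWindow`, `hwLimit` and the other names are hypothetical stand-ins; only the 8192 limit comes from the quoted hunk.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model, not Gecko code. Only the 8192 limit comes from the
// hunk quoted in this bug; every type and function name is hypothetical.
constexpr uint32_t kMaxAcceleratedDimension = 8192;

enum class Backend { Accelerated, Software };

struct Surface {
    Backend backend;
    bool usable;  // false: creation "succeeded" but the surface cannot be drawn to
};

// Stand-in for a driver that reports success for any size, while surfaces
// beyond the hardware limit (hwLimit) are not functional.
Surface CreateAcceleratedSurface(uint32_t w, uint32_t h, uint32_t hwLimit) {
    return Surface{Backend::Accelerated, w <= hwLimit && h <= hwLimit};
}

Surface CreateSoftwareSurface(uint32_t, uint32_t) {
    return Surface{Backend::Software, true};
}

// Guard 1: do not request acceleration for oversized windows at all.
bool ShouldAccelerate(uint32_t w, uint32_t h) {
    return w <= kMaxAcceleratedDimension && h <= kMaxAcceleratedDimension;
}

// Guard 2: check what came back before presenting to it; otherwise fall back.
Surface GetSurfaceForWindow(uint32_t w, uint32_t h, uint32_t hwLimit) {
    if (ShouldAccelerate(w, h)) {
        Surface s = CreateAcceleratedSurface(w, h, hwLimit);
        if (s.usable) return s;
    }
    return CreateSoftwareSurface(w, h);
}

int main() {
    // Constructed sizes: a normal window, then a very tall dropdown popup.
    Surface a = GetSurfaceForWindow(1024, 768, 8192);
    Surface b = GetSurfaceForWindow(300, 20000, 8192);
    std::printf("%d %d\n", a.backend == Backend::Accelerated,
                b.backend == Backend::Software);
    return 0;
}
```

Passing a `hwLimit` below 8192 exercises the second guard: the size check passes, the stand-in driver returns an unusable surface, and the caller still ends up on the software path.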
Blocks: 679859
Updated to address review comments.
Attachment #556574 - Attachment is obsolete: true
Attachment #556574 - Flags: review?(jmathies)
Attachment #564169 - Flags: review?(jmathies)
Attachment #564169 - Flags: review?(jmathies) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
If the fix of this bug is required to fix bug 679859 (tracking for Fx 8), the patch should land on Aurora and Beta.
Version: unspecified → 2.0 Branch
Whiteboard: [tbird crash] → [tbird crash][qa+]
I've tested this using the steps from the description and I confirm the fact that Firefox doesn't crash any more. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0 beta 2 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 beta 2 Considering this, setting resolution to Verified Fixed.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [tbird crash][qa+] → [tbird crash][qa!]
Just an observation I made with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 on W7 Pro x64 : FF does not crash but it seems that "dwm.exe" crashes, leaving Aero mode switching to basic windowing. "dwm.exe" gets immediately restarted, but only once I exit FF Aero gets restored.