Crash [@ cairo_d2d_present_backbuffer ] invalid & oversize select option content causes crash on clicking select box

VERIFIED FIXED in Firefox 10

Status


Core
Graphics
--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: loki1985, Assigned: bas)

Tracking

({crash, testcase, verified-beta})

2.0 Branch
mozilla10
x86
Windows 7
crash, testcase, verified-beta
Points:
---

Firefox Tracking Flags

(firefox6-, firefox8 affected, firefox9 affected, firefox10 verified)

Details

(Whiteboard: [tbird crash][qa!], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

While developing a PHP site, I had a server-side bug which destroyed the site's content and filled the content of a select option tag with HTML.

Then I noticed that clicking said select in Firefox crashed Firefox.

I managed to reduce the HTML to a working testcase, see "additional information".

When reducing the dummy text content (lorem ipsum) by half, instead of crashing, Firefox causes Windows 7 to switch to basic color mode in an ugly way.

Speculation: could have to do with multi-monitor setups, since all machines I have access to at the moment have 2 or 3 monitors. Cannot test on a single-monitor machine right now.


Reproducible: Always

Steps to Reproduce:
1. Create somefile.html on your hard drive
2. Copy the HTML from "additional information" into somefile.html and save
3. Open somefile.html in Firefox
4. Click on the visible select box (lorem ipsum text)


Actual Results:  
Firefox crashes

Expected Results:  
No crash

<div>
<select>
<option value="0">
<html>
<body>
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et
accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
</body>
</html>

Comment 1

6 years ago
Created attachment 531921 [details]
testcase

I don't crash with Nightly nor Namaroka on Mac.

Comment 2

6 years ago
Nor 4.0, 4.0.1 or Nightly on WinXp. loki, can you submit a crash report and paste the id here? http://support.mozilla.com/en-US/kb/Firefox%20crashes?s=crash+report&as=s
(Reporter)

Comment 3

6 years ago
bp-d44d9c8b-7c2a-4580-9dfc-01d0c2110512

Comment 4

6 years ago
Maybe related to bug 595990?

not security sensitive.
Summary: invalid & oversize select option content causes crash on clicking select box → Crash [@ cairo_d2d_present_backbuffer ] invalid & oversize select option content causes crash on clicking select box

Updated

6 years ago
Group: core-security
(Assignee)

Comment 5

6 years ago
This function (should) never get called with default settings, considering this only occurs in a combination of Direct2D with BasicLayers, which is unsupported. Could you post your about:support?
(Reporter)

Comment 6

6 years ago

  General Information

        Name
        Firefox

        Version
        4.0.1

        User-Agent
        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

        Profile Folder

          Show Containing Folder

        Enabled Plugins

          about:plugins

        Build Configuration

          about:buildconfig

  Extensions

        Name

        Version

        Enabled

        ID

        Java Console
        6.0.23
        true
        {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

        Java Console
        6.0.25
        true
        {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

        Firebug
        1.7.0
        true
        firebug@software.joehewitt.com

        FirePHP
        0.5.0
        true
        FirePHPExtension-Build@firephp.org

        Adblock Plus
        1.3.6
        true
        {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

  Modified Preferences

      Name

      Value

        accessibility.typeaheadfind.flashBar
        0

        browser.places.importBookmarksHTML
        false

        browser.places.smartBookmarksVersion
        2

        browser.startup.homepage
        http://www.google.de/

        browser.startup.homepage_override.buildID
        20110413222027

        browser.startup.homepage_override.mstone
        rv:2.0.1

        extensions.lastAppVersion
        4.0.1

        network.cookie.prefsMigrated
        true

        places.database.lastMaintenance
        1305188377

        places.history.expiration.transient_current_max_pages
        128466

        privacy.sanitize.migrateFx3Prefs
        true

        security.warn_viewing_mixed
        false

  Graphics

        Adapter Description
        NVIDIA GeForce 8500 GT

        Vendor ID
        10de

        Device ID
        0421

        Adapter RAM
        256

        Adapter Drivers
        nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um

        Driver Version
        8.17.12.6658

        Driver Date
        1-7-2011

        Direct2D Enabled
        true

        DirectWrite Enabled
        true (6.1.7601.17563, font cache 1,43 MB)

        WebGL Renderer
        Google Inc. -- ANGLE -- OpenGL ES 2.0 (ANGLE 0.0.0.611)

        GPU Accelerated Windows
        1/1 Direct3D 10
(Reporter)

Comment 7

6 years ago
Some more information: my machine has 3 monitors on 2 graphics cards active, one NVIDIA (shown above), one Intel onboard, and runs Windows 7.

The problem was reproducible on 2 other machines, specs not completely known, but with 2 monitors each.
(Reporter)

Comment 8

6 years ago
Forgot to say: the 2 other machines are also running Windows 7.

So this was only reproduced on Win7 by me.
(Assignee)

Comment 9

6 years ago
So, I can confirm this bug. The problem is that this is causing a window to be created which is too big for the D3D10 layer manager, so its creation fails. It then creates a fallback layer manager, which is a problem; in the past we clamped window sizes, but it seems that somehow stopped.

I suspect we'll want this fixed for Firefox 6.
tracking-firefox6: --- → ?

Updated

6 years ago
Version: unspecified → 4.0 Branch
Keywords: crash, testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Looks like this is broken since 4.0 and hence not 6.0-specific - we would like to see an approval request for a safe fix, but not tracking+
tracking-firefox6: ? → -

Updated

6 years ago
Duplicate of this bug: 659626
Component: General → Graphics
Product: Firefox → Core
QA Contact: general → thebes
Version: 4.0 Branch → unspecified
Crash Signature: [@ cairo_d2d_present_backbuffer ]
Blocks: 682103
(Assignee)

Updated

6 years ago
Assignee: nobody → bas.schouten
(Assignee)

Updated

6 years ago
Duplicate of this bug: 682103
(Assignee)

Comment 13

6 years ago
Created attachment 556574 [details] [diff] [review]
Avoid using non-functional Direct2D surfaces

This patch causes us to:

1. Not use accelerated layers when the window is very big. (On my ATI drivers D3D9 would pretend to successfully create a swap chain but not actually work; this made this bug not crash for me, but not work right either.)
2. Fallback to GDI when a non-functional D2D surface is created.
Attachment #556574 - Flags: review?(jmathies)

Comment 14

6 years ago
Comment on attachment 556574 [details] [diff] [review]
Avoid using non-functional Direct2D surfaces

Review of attachment 556574 [details] [diff] [review]:
-----------------------------------------------------------------

This solves the crash problem on my system. I did see an assert though when selecting the drop down:

###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!: 'mSurface != nsnull', file f:\Mozilla\firefox\MC-DBG\dist\include\gfxASurface.h, line 119

Is that expected?

::: widget/src/windows/nsWindow.cpp
@@ +3183,5 @@
>  
> +// We should never really try to accelerate windows bigger than this. In some
> +// cases this might lead to no D3D9 acceleration where we could have had it
> +// but D3D9 does not reliably report when it supports bigger windows.
> +#define MAX_ACCELERATED_DIMENSION 8192
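Review bot: the comment above `#define MAX_ACCELERATED_DIMENSION 8192` explains that a limit is needed but not where the value comes from, and a reader of nsWindow.cpp cannot tell whether 8192 is a measured driver limit or an API constant; since the value is justified here as the maximum D3D10 texture size, state that in the comment next to the define, and place the define with the file's other defines at the top so the limit is found where someone would look for it.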

Please move this up to the top of the file with the rest of the defines. What was your reasoning for using this specific value?
Reporter of bp-ca41b661-9deb-4dba-a14a-89bb62110826 could possibly test once this lands. ("hitting send button kills nvidia 330m driver on spring 2010 macbook pro 15, win 7 64 ult, all updates. happens all the time.")
Severity: normal → critical
Whiteboard: [tbird crash]
(Assignee)

Comment 16

6 years ago
Ugh, this review escaped my attention during the all-hands it seems.

(In reply to Jim Mathies [:jimm] from comment #14)
> Comment on attachment 556574 [details] [diff] [review]
> Avoid using non-functional Direct2D surfaces
> 
> Review of attachment 556574 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> This solves the crash problem on my system. I did see an assert though when
> selecting the drop down:
> 
> ###!!! ASSERTION: gfxASurface::CairoSurface called with mSurface == nsnull!:
> 'mSurface != nsnull', file
> f:\Mozilla\firefox\MC-DBG\dist\include\gfxASurface.h, line 119
> 
> Is that expected?

It is. We use CairoSurface() to check the validity. We conclude it's invalid; it kinda sucks that it asserts. I could switch this to just use CairoStatus, which returns -1 if the surface is invalid.

> 
> ::: widget/src/windows/nsWindow.cpp
> @@ +3183,5 @@
> >  
> > +// We should never really try to accelerate windows bigger than this. In some
> > +// cases this might lead to no D3D9 acceleration where we could have had it
> > +// but D3D9 does not reliably report when it supports bigger windows.
> > +#define MAX_ACCELERATED_DIMENSION 8192
> 
> Please move this up to the top of the file with the rest of the defines.
> What was your reasoning for using this specific value?

This is the maximum texture size for D3D10. I'm fine with moving it up.
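The two defences described in comment 13 (refuse accelerated layers for oversize windows; fall back to GDI when the Direct2D surface comes back non-functional) and the validity check discussed in comment 16 (a status of -1 means the surface is unusable) can be modelled in a few functions. The following is an added example written for this page, not Gecko code and not the patch on this bug: `Surface`, `CreateD2DSurface`, `CreateGDISurface`, `CreateWindowSurface`, `ChooseLayerManager` and `PresentBackbuffer` are hypothetical names, the surface handles are constructed values, and the failure rule in `CreateD2DSurface` is invented to stand in for a driver that cannot back an oversize surface. Only the 8192 limit and its justification as the D3D10 maximum texture size come from the bug.

```cpp
#include <cstdint>

// Per-dimension limit. The value is the D3D10 maximum texture size, as stated
// in this bug; the define name mirrors the one used in the patch under review.
#define MAX_ACCELERATED_DIMENSION 8192

enum class Backend { D3D10Layers, BasicLayers };
enum class SurfaceKind { Direct2D, GDI };

// Minimal surface model (hypothetical, not Gecko's gfxASurface).
struct Surface {
    SurfaceKind kind;
    int cairoStatus;       // 0 = valid, -1 = invalid (the CairoStatus() convention cited in comment 16)
    std::uint64_t native;  // 0 means "no backing resource"; a real surface would hold a pointer here
    bool IsValid() const { return cairoStatus == 0 && native != 0; }
};

// Check 1: decide up front, from the window size alone, whether accelerated
// layers may be used. Comment 13 notes that D3D9 did not reliably report
// failure for big windows, so the driver's answer cannot be the only guard.
bool CanAccelerate(int width, int height) {
    return width > 0 && height > 0 &&
           width <= MAX_ACCELERATED_DIMENSION &&
           height <= MAX_ACCELERATED_DIMENSION;
}

Backend ChooseLayerManager(int width, int height) {
    return CanAccelerate(width, height) ? Backend::D3D10Layers : Backend::BasicLayers;
}

// Simulated Direct2D surface creation. Constructed failure rule for this
// example: an oversize request yields an invalid surface (status -1 and no
// native resource) rather than a usable one, which is the situation that
// reached the present path in this bug.
Surface CreateD2DSurface(int width, int height) {
    if (!CanAccelerate(width, height)) {
        return Surface{SurfaceKind::Direct2D, -1, 0};
    }
    return Surface{SurfaceKind::Direct2D, 0, 0x1000};  // constructed non-zero handle
}

// Simulated GDI surface creation; in this model it always succeeds.
Surface CreateGDISurface(int width, int height) {
    (void)width;
    (void)height;
    return Surface{SurfaceKind::GDI, 0, 0x2000};  // constructed non-zero handle
}

// Check 2: try the accelerated surface, but switch to GDI as soon as the result
// is invalid, so a non-functional D2D surface is never handed to the renderer.
Surface CreateWindowSurface(int width, int height) {
    Surface s = CreateD2DSurface(width, height);
    if (!s.IsValid()) {
        s = CreateGDISurface(width, height);
    }
    return s;
}

// Present step: the crash signature on this bug is in the D2D present path.
// Here an invalid surface is rejected instead of having its native resource used.
bool PresentBackbuffer(const Surface& s) {
    if (!s.IsValid()) {
        return false;
    }
    // A real implementation would issue the backend-specific present call here.
    return true;
}
```

The point of keeping both checks is that they fail in different ways: the size check is cheap and deterministic, while the validity check catches whatever the driver does that the size check did not anticipate. Either alone would have left the present path reachable with an unusable surface on some driver.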
(Assignee)

Updated

6 years ago
Blocks: 679859
(Assignee)

Comment 17

6 years ago
Created attachment 564169 [details] [diff] [review]
Avoid using non-functional Direct2D surfaces v2

Updated to address review comments.
Attachment #556574 - Attachment is obsolete: true
Attachment #556574 - Flags: review?(jmathies)
Attachment #564169 - Flags: review?(jmathies)

Updated

6 years ago
Attachment #564169 - Flags: review?(jmathies) → review+
(Assignee)

Comment 18

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/30c3c5ab99e7
https://hg.mozilla.org/mozilla-central/rev/30c3c5ab99e7
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10

Comment 20

6 years ago
If the fix of this bug is required to fix bug 679859 (tracking for Fx 8), the patch should land on Aurora and Beta.
status-firefox8: --- → affected
status-firefox9: --- → affected
Version: unspecified → 2.0 Branch
status-firefox10: --- → fixed
Whiteboard: [tbird crash] → [tbird crash][qa+]

Comment 21

6 years ago
I've tested this using the steps from the description and I confirm the fact that Firefox doesn't crash any more.

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0 beta 2
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 beta 2

Considering this, setting resolution to Verified Fixed.
Status: RESOLVED → VERIFIED
status-firefox10: fixed → verified
Keywords: verified-beta
Whiteboard: [tbird crash][qa+] → [tbird crash][qa!]

Comment 22

6 years ago
Just an observation I made with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 on W7 Pro x64: FF does not crash, but it seems that "dwm.exe" crashes, leaving Aero mode switching to basic windowing. "dwm.exe" gets immediately restarted, but only once I exit FF is Aero restored.