Closed Bug 665218 Opened 10 years ago Closed 10 years ago

Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines

Categories

(Core :: Graphics, defect)

5 Branch
x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla8
Tracking Status
firefox6 + fixed
firefox7 --- fixed

People

(Reporter: curtisk, Assigned: mats)

References

Details

(Keywords: crash, testcase, Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes])

Crash Data

Attachments

(4 files, 2 obsolete files)

Steps to reproduce:
1) go to https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do?v_locale=en_US&v_mobileUAFlag=AA
2) Enter information for flight (first name, last name, record locator)
3) Print boarding passes
4) On new window that opens choose either print boarding passes or print without offers
5) Printer dialogue opens
6) Click print button
7) Browser crashes items do not print

Expected Results:
* Boarding passes should print and browser should not crash

Steps attempted to fix:
* Print from a clean profile also crashes
* Reset printer information

Crashes from about:crashes
bp-14d498f9-bacc-4968-be01-209c721106172011/06/174:07 
PMbp-7424235d-b3a3-4174-ae98-4892e21106172011/06/173:59 
PMbp-190cc4b0-22b5-496d-b357-6dbae2110617
Tested in the QA lab and was able to print, must be something wrong with my particular box.
bp-14d498f9-bacc-4968-be01-209c72110617
bp-7424235d-b3a3-4174-ae98-4892e2110617
bp-190cc4b0-22b5-496d-b357-6dbae2110617
Severity: normal → critical
Crash Signature: [@ gfxContext::gfxContext ]
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Component: General → Graphics
QA Contact: general → thebes
This is crashing on a null-deref; I bet the surface passed to the gfxContext constructor is null or its CairoSurface() is null...
Regression? Any chance of a regression window?
Attached file testcase
I'm crashing with this stacktrace in current trunk build on the Mac:
https://crash-stats.mozilla.com/report/index/203028a6-a5e0-4394-91ed-0feac2110707
0 	XUL 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	XUL 	nsRenderingContext::Init 	gfx/src/nsRenderingContext.cpp:91
2 	XUL 	nsDeviceContext::CreateRenderingContext 	gfx/src/nsDeviceContext.cpp:442
3 	XUL 	PresShell::GetReferenceRenderingContext 	layout/base/nsPresShell.cpp:3808
4 	XUL 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7867
5 	XUL 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:8076
6 	XUL 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4802
7 	XUL 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:398
8 	CoreGraphics 	CGEventSourceCounterForEventType 	
9 	XUL 	js::mjit::FrameState::ensureTypeSynced 	js/src/assembler/assembler/AssemblerBuffer.h:76
Keywords: testcase
I meant, that I'm crashing with the testcase, while trying to print.
It is #1 top browser crasher on Mac OS X in 6.0 with 10% of all crashes.

There is a correlation with PrintingPrivate:
100% (93/93) vs.  20% (129/639) PrintingPrivate
Summary: Crash when printing boarding passes on American Airlines → Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines
Attached patch fix (obsolete) — Splinter Review
On MacOSX, mPrintingSurface is nulled out in nsDeviceContext::EndPage
and re-created in BeginPage.  The reflow comes in-between, so mPrintingSurface
is null and we crash.  There are other methods that don't null-check
mPrintingSurface so it seems more robust to just re-create it directly.
Attachment #546370 - Flags: review?(roc)
Attached patch crashtest.diffSplinter Review
I tried to make Martijn's testcase into a crashtest but it doesn't
crash when run by the reftest framework.  It does crash when I load
it directly and try to print, so I don't know what the problem is...
Attached patch fix (obsolete) — Splinter Review
Doing it in BeginPage works better... 
(last patch printed the page upside down, oops)
Attachment #546370 - Attachment is obsolete: true
Attachment #546370 - Flags: review?(roc)
Attachment #546375 - Flags: review?(roc)
Comment on attachment 546375 [details] [diff] [review]
fix

Review of attachment 546375 [details] [diff] [review]:
-----------------------------------------------------------------

I don't understand this patch. Why set mPrintingSurface to null at all? The following call to GetSurfaceForPrinter will overwrite it anyway.

::: gfx/src/nsDeviceContext.cpp
@@ +638,5 @@
> +    // We need to release the CGContextRef in the surface here as these
> +    // CGContextRefs are only good for one page.
> +    mPrintingSurface = nsnull;
> +    // We need to get a new surface for each page on the Mac.
> +    // We do this here rather than in BeginPage so it's always non-null.

rather than in EndPage
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes]
We're considering this for Beta so please help us understand the risk as you review it. Thanks.
Attached patch fixSplinter Review
> Why set mPrintingSurface to null at all?

My intention was to make it clear that we're deliberately
releasing the existing surface, but maybe it's just confusing.
Fair enough, the comment should make that clear I hope.
Attachment #546375 - Attachment is obsolete: true
Attachment #546375 - Flags: review?(roc)
Attachment #546645 - Flags: review?(roc)
Comment on attachment 546645 [details] [diff] [review]
fix

Review of attachment 546645 [details] [diff] [review]:
-----------------------------------------------------------------

Risk seems extremely low.
Attachment #546645 - Flags: review?(roc) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/be8e253130ff
Flags: in-testsuite?
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes] → [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound]
Target Milestone: --- → mozilla8
http://hg.mozilla.org/mozilla-central/rev/be8e253130ff
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound] → [#1 Mac topcrash in 6 Beta with 10% of all crashes]
Aurora and Beta landing?
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-aurora?
Filed bug 675709 on adding a way to test this.
Comment on attachment 546645 [details] [diff] [review]
fix

Please hurry with the beta landing. Time is short for our (hopefully) final Beta build.
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-beta+
Attachment #546645 - Flags: approval-mozilla-aurora?
Attachment #546645 - Flags: approval-mozilla-aurora+
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20100101 Firefox/6.0 - beta 5

Verified issue on Mac OS X 10.6 and 10.7 on all three channels (Nightly, Aurora, Beta) using the attached testcase - crash no longer reproducible

Setting status to Verified Fixed.
Status: RESOLVED → VERIFIED
Blocks: 639168
Depends on: 684622
You need to log in before you can comment on or make changes to this bug.