Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines

VERIFIED FIXED in Firefox 6

Status

()

Core
Graphics
--
critical
VERIFIED FIXED
6 years ago
3 years ago

People

(Reporter: curtisk, Assigned: mats)

Tracking

({crash, testcase})

5 Branch
mozilla8
x86
Mac OS X
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox6+ fixed, firefox7 fixed)

Details

(Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes], crash signature)

Attachments

(4 attachments, 2 obsolete attachments)

Steps to reproduce:
1) go to https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do?v_locale=en_US&v_mobileUAFlag=AA
2) Enter information for flight (first name, last name, record locator)
3) Print boarding passes
4) On new window that opens choose either print boarding passes or print without offers
5) Printer dialogue opens
6) Click print button
7) Browser crashes items do not print

Expected Results:
* Boarding passes should print and browser should not crash

Steps attempted to fix:
* Print from a clean profile also crashes
* Reset printer information

Crashes from about:crashes
bp-14d498f9-bacc-4968-be01-209c721106172011/06/174:07 
PMbp-7424235d-b3a3-4174-ae98-4892e21106172011/06/173:59 
PMbp-190cc4b0-22b5-496d-b357-6dbae2110617
Tested in the QA lab and was able to print, must be something wrong with my particular box.
(Assignee)

Comment 2

6 years ago
bp-14d498f9-bacc-4968-be01-209c72110617
bp-7424235d-b3a3-4174-ae98-4892e2110617
bp-190cc4b0-22b5-496d-b357-6dbae2110617
Severity: normal → critical
Crash Signature: [@ gfxContext::gfxContext ]
Component: General → General
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Component: General → Graphics
QA Contact: general → thebes
This is crashing on a null-deref; I bet the surface passed to the gfxContext constructor is null or its CairoSurface() is null...
Assignee: nobody → matspal
Regression? Any chance of a regression window?
Created attachment 544430 [details]
testcase

I'm crashing with this stacktrace in current trunk build on the Mac:
https://crash-stats.mozilla.com/report/index/203028a6-a5e0-4394-91ed-0feac2110707
0 	XUL 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	XUL 	nsRenderingContext::Init 	gfx/src/nsRenderingContext.cpp:91
2 	XUL 	nsDeviceContext::CreateRenderingContext 	gfx/src/nsDeviceContext.cpp:442
3 	XUL 	PresShell::GetReferenceRenderingContext 	layout/base/nsPresShell.cpp:3808
4 	XUL 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7867
5 	XUL 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:8076
6 	XUL 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4802
7 	XUL 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:398
8 	CoreGraphics 	CGEventSourceCounterForEventType 	
9 	XUL 	js::mjit::FrameState::ensureTypeSynced 	js/src/assembler/assembler/AssemblerBuffer.h:76

Updated

6 years ago
Keywords: testcase
I meant, that I'm crashing with the testcase, while trying to print.

Comment 7

6 years ago
It is #1 top browser crasher on Mac OS X in 6.0 with 10% of all crashes.

There is a correlation with PrintingPrivate:
100% (93/93) vs.  20% (129/639) PrintingPrivate
tracking-firefox6: --- → ?

Updated

6 years ago
Summary: Crash when printing boarding passes on American Airlines → Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines
(Assignee)

Comment 8

6 years ago
Created attachment 546369 [details]
stack from a debug build
(Assignee)

Comment 9

6 years ago
Created attachment 546370 [details] [diff] [review]
fix

On MacOSX, mPrintingSurface is nulled out in nsDeviceContext::EndPage
and re-created in BeginPage.  The reflow comes in-between, so mPrintingSurface
is null and we crash.  There are other methods that don't null-check
mPrintingSurface so it seems more robust to just re-create it directly.
Attachment #546370 - Flags: review?(roc)
(Assignee)

Comment 10

6 years ago
Created attachment 546371 [details] [diff] [review]
crashtest.diff

I tried to make Martijn's testcase into a crashtest but it doesn't
crash when run by the reftest framework.  It does crash when I load
it directly and try to print, so I don't know what the problem is...
(Assignee)

Comment 11

6 years ago
Created attachment 546375 [details] [diff] [review]
fix

Doing it in BeginPage works better... 
(last patch printed the page upside down, oops)
Attachment #546370 - Attachment is obsolete: true
Attachment #546370 - Flags: review?(roc)
Attachment #546375 - Flags: review?(roc)
(Assignee)

Comment 12

6 years ago
Builds for testing:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/mpalmgren@mozilla.com-1126e44f4649/
Comment on attachment 546375 [details] [diff] [review]
fix

Review of attachment 546375 [details] [diff] [review]:
-----------------------------------------------------------------

I don't understand this patch. Why set mPrintingSurface to null at all? The following call to GetSurfaceForPrinter will overwrite it anyway.

::: gfx/src/nsDeviceContext.cpp
@@ +638,5 @@
> +    // We need to release the CGContextRef in the surface here as these
> +    // CGContextRefs are only good for one page.
> +    mPrintingSurface = nsnull;
> +    // We need to get a new surface for each page on the Mac.
> +    // We do this here rather than in BeginPage so it's always non-null.

rather than in EndPage

Updated

6 years ago
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes]

Comment 14

6 years ago
We're considering this for Beta so please help us understand the risk as you review it. Thanks.
tracking-firefox6: ? → +
(Assignee)

Comment 15

6 years ago
Created attachment 546645 [details] [diff] [review]
fix

> Why set mPrintingSurface to null at all?

My intention was to make it clear that we're deliberately
releasing the existing surface, but maybe it's just confusing.
Fair enough, the comment should make that clear I hope.
Attachment #546375 - Attachment is obsolete: true
Attachment #546375 - Flags: review?(roc)
Attachment #546645 - Flags: review?(roc)
Comment on attachment 546645 [details] [diff] [review]
fix

Review of attachment 546645 [details] [diff] [review]:
-----------------------------------------------------------------

Risk seems extremely low.
Attachment #546645 - Flags: review?(roc) → review+
(Assignee)

Comment 17

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/be8e253130ff
Flags: in-testsuite?
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes] → [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound]
Target Milestone: --- → mozilla8
http://hg.mozilla.org/mozilla-central/rev/be8e253130ff
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound] → [#1 Mac topcrash in 6 Beta with 10% of all crashes]

Comment 19

6 years ago
Aurora and Beta landing?

Updated

6 years ago
status-firefox6: --- → affected
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-aurora?

Comment 20

6 years ago
Filed bug 675709 on adding a way to test this.

Comment 21

6 years ago
Comment on attachment 546645 [details] [diff] [review]
fix

Please hurry with the beta landing. Time is short for our (hopefully) final Beta build.
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-beta+
Attachment #546645 - Flags: approval-mozilla-aurora?
Attachment #546645 - Flags: approval-mozilla-aurora+
http://hg.mozilla.org/releases/mozilla-beta/rev/7fc29f37f62d
(Assignee)

Comment 23

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/822f8a8e65aa
status-firefox6: affected → fixed
status-firefox7: --- → fixed

Comment 24

6 years ago
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20100101 Firefox/6.0 - beta 5

Verified issue on Mac OS X 10.6 and 10.7 on all three channels (Nightly, Aurora, Beta) using the attached testcase - crash no longer reproducible

Setting status to Verified Fixed.
Status: RESOLVED → VERIFIED

Updated

5 years ago
Blocks: 639168
Depends on: 684622
(Assignee)

Comment 25

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/88e4547bdbcf
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/88e4547bdbcf
You need to log in before you can comment on or make changes to this bug.