Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines

VERIFIED FIXED in Firefox 6

Status

()

defect
--
critical
VERIFIED FIXED
8 years ago
6 years ago

People

(Reporter: curtisk, Assigned: mats)

Tracking

({crash, testcase})

5 Branch
mozilla8
x86
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox6+ fixed, firefox7 fixed)

Details

(Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes], crash signature)

Attachments

(4 attachments, 2 obsolete attachments)

Steps to reproduce:
1) go to https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do?v_locale=en_US&v_mobileUAFlag=AA
2) Enter information for flight (first name, last name, record locator)
3) Print boarding passes
4) On new window that opens choose either print boarding passes or print without offers
5) Printer dialogue opens
6) Click print button
7) Browser crashes items do not print

Expected Results:
* Boarding passes should print and browser should not crash

Steps attempted to fix:
* Print from a clean profile also crashes
* Reset printer information

Crashes from about:crashes
bp-14d498f9-bacc-4968-be01-209c721106172011/06/174:07 
PMbp-7424235d-b3a3-4174-ae98-4892e21106172011/06/173:59 
PMbp-190cc4b0-22b5-496d-b357-6dbae2110617
Tested in the QA lab and was able to print, must be something wrong with my particular box.
(Assignee)

Comment 2

8 years ago
bp-14d498f9-bacc-4968-be01-209c72110617
bp-7424235d-b3a3-4174-ae98-4892e2110617
bp-190cc4b0-22b5-496d-b357-6dbae2110617
Severity: normal → critical
Crash Signature: [@ gfxContext::gfxContext ]
Component: General → General
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Component: General → Graphics
QA Contact: general → thebes
This is crashing on a null-deref; I bet the surface passed to the gfxContext constructor is null or its CairoSurface() is null...
Regression? Any chance of a regression window?
Posted file testcase
I'm crashing with this stacktrace in current trunk build on the Mac:
https://crash-stats.mozilla.com/report/index/203028a6-a5e0-4394-91ed-0feac2110707
0 	XUL 	gfxContext::gfxContext 	gfx/thebes/gfxContext.cpp:64
1 	XUL 	nsRenderingContext::Init 	gfx/src/nsRenderingContext.cpp:91
2 	XUL 	nsDeviceContext::CreateRenderingContext 	gfx/src/nsDeviceContext.cpp:442
3 	XUL 	PresShell::GetReferenceRenderingContext 	layout/base/nsPresShell.cpp:3808
4 	XUL 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7867
5 	XUL 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:8076
6 	XUL 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4802
7 	XUL 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:398
8 	CoreGraphics 	CGEventSourceCounterForEventType 	
9 	XUL 	js::mjit::FrameState::ensureTypeSynced 	js/src/assembler/assembler/AssemblerBuffer.h:76
Keywords: testcase
I meant, that I'm crashing with the testcase, while trying to print.
It is #1 top browser crasher on Mac OS X in 6.0 with 10% of all crashes.

There is a correlation with PrintingPrivate:
100% (93/93) vs.  20% (129/639) PrintingPrivate
Summary: Crash when printing boarding passes on American Airlines → Crash [@ gfxContext::gfxContext ] when printing boarding passes on American Airlines
(Assignee)

Comment 8

8 years ago
(Assignee)

Comment 9

8 years ago
Posted patch fix (obsolete) — Splinter Review
On MacOSX, mPrintingSurface is nulled out in nsDeviceContext::EndPage
and re-created in BeginPage.  The reflow comes in-between, so mPrintingSurface
is null and we crash.  There are other methods that don't null-check
mPrintingSurface so it seems more robust to just re-create it directly.
Attachment #546370 - Flags: review?(roc)
(Assignee)

Comment 10

8 years ago
I tried to make Martijn's testcase into a crashtest but it doesn't
crash when run by the reftest framework.  It does crash when I load
it directly and try to print, so I don't know what the problem is...
(Assignee)

Comment 11

8 years ago
Posted patch fix (obsolete) — Splinter Review
Doing it in BeginPage works better... 
(last patch printed the page upside down, oops)
Attachment #546370 - Attachment is obsolete: true
Attachment #546370 - Flags: review?(roc)
Attachment #546375 - Flags: review?(roc)
Comment on attachment 546375 [details] [diff] [review]
fix

Review of attachment 546375 [details] [diff] [review]:
-----------------------------------------------------------------

I don't understand this patch. Why set mPrintingSurface to null at all? The following call to GetSurfaceForPrinter will overwrite it anyway.

::: gfx/src/nsDeviceContext.cpp
@@ +638,5 @@
> +    // We need to release the CGContextRef in the surface here as these
> +    // CGContextRefs are only good for one page.
> +    mPrintingSurface = nsnull;
> +    // We need to get a new surface for each page on the Mac.
> +    // We do this here rather than in BeginPage so it's always non-null.

rather than in EndPage

Updated

8 years ago
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes]
We're considering this for Beta so please help us understand the risk as you review it. Thanks.
(Assignee)

Comment 15

8 years ago
Posted patch fixSplinter Review
> Why set mPrintingSurface to null at all?

My intention was to make it clear that we're deliberately
releasing the existing surface, but maybe it's just confusing.
Fair enough, the comment should make that clear I hope.
Attachment #546375 - Attachment is obsolete: true
Attachment #546375 - Flags: review?(roc)
Attachment #546645 - Flags: review?(roc)
Comment on attachment 546645 [details] [diff] [review]
fix

Review of attachment 546645 [details] [diff] [review]:
-----------------------------------------------------------------

Risk seems extremely low.
Attachment #546645 - Flags: review?(roc) → review+
(Assignee)

Comment 17

8 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/be8e253130ff
Flags: in-testsuite?
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes] → [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound]
Target Milestone: --- → mozilla8
http://hg.mozilla.org/mozilla-central/rev/be8e253130ff
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [#1 Mac topcrash in 6 Beta with 10% of all crashes][inbound] → [#1 Mac topcrash in 6 Beta with 10% of all crashes]
Aurora and Beta landing?
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-aurora?

Comment 20

8 years ago
Filed bug 675709 on adding a way to test this.
Comment on attachment 546645 [details] [diff] [review]
fix

Please hurry with the beta landing. Time is short for our (hopefully) final Beta build.
Attachment #546645 - Flags: approval-mozilla-beta?
Attachment #546645 - Flags: approval-mozilla-beta+
Attachment #546645 - Flags: approval-mozilla-aurora?
Attachment #546645 - Flags: approval-mozilla-aurora+

Comment 24

8 years ago
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20100101 Firefox/6.0 - beta 5

Verified issue on Mac OS X 10.6 and 10.7 on all three channels (Nightly, Aurora, Beta) using the attached testcase - crash no longer reproducible

Setting status to Verified Fixed.
Status: RESOLVED → VERIFIED

Updated

8 years ago
Blocks: 639168
Depends on: 684622
(Assignee)

Comment 25

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/88e4547bdbcf
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.