Bug 671428 - Firefox Crash @ _moz_pixman_image_create_bits
Status: VERIFIED FIXED
Whiteboard: [qa!]
Keywords: crash, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla9
Assigned To: Jeff Muizelaar [:jrmuizel]
Duplicates: 672781
Depends on: 676459 678505

Reported: 2011-07-13 15:16 PDT by Marcia Knous [:marcia - use ni]
Modified: 2013-12-27 14:33 PST
mounir: in‑testsuite?


Attachments

Try to crash earlier and record some stuff. (1.01 KB, patch)
2011-08-04 12:34 PDT, Jeff Muizelaar [:jrmuizel]
joe: review+

Crash even earlier, and try to figure out what went wrong with the image surface (968 bytes, patch)
2011-08-10 13:09 PDT, Jeff Muizelaar [:jrmuizel]
jacob.benoit.1: review+

Fix a compile problem (972 bytes, patch)
2011-08-10 16:32 PDT, Jeff Muizelaar [:jrmuizel]
no flags

Handle bad strides in acquire_source_surface (3.48 KB, patch)
2011-08-16 06:44 PDT, Jeff Muizelaar [:jrmuizel]
no flags

Handle bad strides in acquire_source_surface v2 (2.29 KB, patch)
2011-08-16 09:16 PDT, Jeff Muizelaar [:jrmuizel]
no flags

Handle bad strides in acquire_source_surface v2 (4.70 KB, patch)
2011-08-16 09:37 PDT, Jeff Muizelaar [:jrmuizel]
bas: review+
christian: approval‑mozilla‑aurora+
christian: approval‑mozilla‑beta+

Description Marcia Knous [:marcia - use ni] 2011-07-13 15:16:52 PDT
Seen while looking at Aurora crash stats, but seen across all versions. https://crash-stats.mozilla.com/report/list?signature=_moz_pixman_image_create_bits to the reports which are low volume. Small spikes are seen around the 20110711 build as well as when we release.

https://crash-stats.mozilla.com/report/index/c6d63a78-fda2-4cbc-aa33-012e12110713

Frame 	Module 	Signature 	Source
0 	xul.dll 	_moz_pixman_image_create_bits 	gfx/cairo/libpixman/src/pixman-bits-image.c:1568
1 	xul.dll 	_pixman_image_for_surface 	gfx/cairo/cairo/src/cairo-image-surface.c:1521
2 	xul.dll 	_cairo_image_surface_composite 	gfx/cairo/cairo/src/cairo-image-surface.c:4232
3 	xul.dll 	_cairo_surface_fallback_composite 	gfx/cairo/cairo/src/cairo-surface-fallback.c:1437
4 	xul.dll 	_cairo_surface_composite 	gfx/cairo/cairo/src/cairo-surface.c:1897
5 	xul.dll 	_composite_trap_region 	gfx/cairo/cairo/src/cairo-surface-fallback.c:522
Comment 1 Sheila Mooney 2011-07-14 14:27:51 PDT
So this is not new. The volume in 5.0 is similar to 4.0.1 ie: 24 a week. There have been more of these on the trunk and in aurora. We probably need to check and see if something regressed this. I looked for 6.0a2 and found 1 crash in a 4 week period.
Comment 2 Sheila Mooney 2011-07-14 14:30:59 PDT
Oops...I probably should have added that we are seeing 90 a week on Aurora.
Comment 3 Sheila Mooney 2011-07-18 10:29:27 PDT
We need to get someone assigned to look at this one. Still sitting in the top 5 for Aurora.
Comment 4 Sheila Mooney 2011-07-18 16:56:19 PDT
JP, I forgot to mention this one in today's meeting. Can we get someone to look at this one also?
Comment 5 JP Rosevear [:jpr] 2011-07-19 14:11:54 PDT
Adding Jeff because of pixman
Comment 6 Jeff Muizelaar [:jrmuizel] 2011-07-19 14:22:41 PDT
One comment we have is "Virgin Media crashes Firefox every time" do we have any way of reproducing this?
Comment 7 Marcia Knous [:marcia - use ni] 2011-07-19 17:11:35 PDT
I tried that with no luck. Adding chofmann to grab some more URLs across all versions. I also tried reproducing it on the trunk with some of the URLs, but some are behind logins.

(In reply to comment #6)
> One comment we have is "Virgin Media crashes Firefox every time" do we have
> any way of reproducing this?
Comment 8 chris hofmann 2011-07-19 21:01:24 PDT
urls for test from crash reports since july 10

  19 
  14 http://www.realtor.com/
  14 \N
   6 about:blank
   4 http://www.youtube.com/watch?v=lO5UURtxKUU
   3 https://my.virginmedia.com/dashboard/start?buspart=Portal_HP_c_topnav_2_1
   3 http://www.virginmedia.com/customers/movinghouse/
   3 http://vochongao.com/forum/forum.php
   3 http://pixel.fetchback.com/timeout.html
   3 http://forums.watchuseek.com/f25/scratches-watch-band-recommended-shop-polish-watch-552777.html
   2 https://my.virginmedia.com/home/signIn
   2 https://my.virginmedia.com/dashboard/start
   2 http://www.virginmedia.com/help/?buspart=Portal_HP_c_topnav_3_1
   2 http://www.virginmedia.com/
   1 https://my.virginmedia.com/home/index?buspart=Portal_HP_c_topnav_2_1
   1 https://my.virginmedia.com/home/index?buspart=Portal_HP_MyVM_14
   1 https://my.virginmedia.com/home/index

   a few https://plus.google.com/u/0/_/notifications/ ...

   2 http://www.realtor.com/realestateagents/
   2 http://www.realtor.com/realestateagency/Ellis-Real-Estate-Inc_Logan_WV__43498101
   2 http://www.realtor.com/homes-for-sale/austin_tx/
   1 http://www.realtor.com/realestateagency/Neuhaus-Realty-Inc_Staten-Island_NY_37740
   1 http://www.realtor.com/handlers/redirects/inbound.ashx?pgnum=1&st=TX&frm=bycomm&mls=austin&mlsttl=Austin&dsid=39&comm=Red+Rock


   2 http://www.filme-net.com/
   2 http://www.allzack.com.br/
   2 http://trail.dealply.com/dealdo/event-report?type=heart_bit&partner=vn&channel=pcdealply&uid=894936537343170283&cb=6_12&suspended=false
   2 http://s7.addthis.com/static/r07/sh45.html#
   2 http://payango.com/categories/premium
   2 http://nobba.us/pixels.php

   2 http://letras.terra.com.br/ivete-sangalo/35008/
   2 http://letras.terra.com.br/bow-wow/981217/traducao.html
   2 http://letras.terra.com.br/arctic-monkeys/746911/traducao.html
   1 http://letras.terra.com.br/pink/1766561/traducao.html
   1 http://letras.terra.com.br/parachute/1546520/traducao.html
   1 http://letras.terra.com.br/nickelback/286115/traducao.html
   1 http://letras.terra.com.br/nickelback/259804/traducao.html
   1 http://letras.terra.com.br/ira/84271/
   1 http://letras.terra.com.br/evanescence/68005/
   1 http://letras.terra.com.br/black-eyed-peas/446106/traducao.html
   1 http://korpijaakko.wordpress.com/2011/06/29/recommended-watch-bee

   2 http://forums.watchuseek.com/f5/
   2 http://dauden.vn/content/?s= ...

several 
http://www.facebook.com/ajax/pagelet/generic.php/pagelet/home/morestories.php?ajaxpipe=1&data= ....
Comment 9 Marcia Knous [:marcia - use ni] 2011-07-21 10:47:51 PDT
*** Bug 672781 has been marked as a duplicate of this bug. ***
Comment 10 Jeff Muizelaar [:jrmuizel] 2011-08-03 14:07:18 PDT
Is it possible to get a report of the flash versions used in these crashes? It seems possible that this could have something to do with flash.
Comment 11 Jeff Muizelaar [:jrmuizel] 2011-08-03 14:33:05 PDT
Real stack:

>	xul.dll!_moz_pixman_image_create_bits()  Line 1568 + 0xe bytes	C
 	xul.dll!_pixman_image_for_surface(const _cairo_surface_pattern * pattern=0x005ca338, int is_mask=1, const _cairo_rectangle_int * extents=0x005ca1f8, int * ix=0x005ca1d0, int * iy=0x005ca1cc)  Line 1521 + 0x27 bytes	C
 	xul.dll!_cairo_image_surface_composite(_cairo_operator op=, const _cairo_pattern * src_pattern=, const _cairo_pattern * mask_pattern=, void * abstract_dst=, int src_x=, int src_y=, int mask_x=, int mask_y=, int dst_x=, int dst_y=, unsigned int width=, unsigned int height=, _cairo_region * clip_region=)  Line 4232 + 0x2a bytes	C
 	xul.dll!_cairo_surface_fallback_composite(_cairo_operator op=CAIRO_OPERATOR_DEST_OUT, const _cairo_pattern * src=0x58b8bd68, const _cairo_pattern * mask=0x005ca338, _cairo_surface * dst=0x0d0f3500, int src_x=433, int src_y=118, int mask_x=433, int mask_y=30, int dst_x=211806576, int dst_y=118, unsigned int width=500, unsigned int height=500, _cairo_region * clip_region=0x0deecd00)  Line 1437 + 0x56 bytes	C
 	xul.dll!_cairo_surface_composite(_cairo_operator op=CAIRO_OPERATOR_DEST_OUT, const _cairo_pattern * src=0x58b8bd68, const _cairo_pattern * mask=0x005ca338)  Line 1897 + 0x36 bytes	C
 	xul.dll!_composite_trap_region(_cairo_clip * clip=0x00000000, const _cairo_pattern * src=0x58b8bd68, _cairo_operator op=CAIRO_OPERATOR_DEST_OUT, _cairo_surface * dst=0x0d0f3500, _cairo_region * trap_region=0x0deecd00, const _cairo_rectangle_int * extents=0x005cad20)  Line 522 + 0x23 bytes	C
 	xul.dll!_clip_and_composite_region(const _cairo_pattern * src=0x58b8bce0, _cairo_operator op=CAIRO_OPERATOR_CLEAR, _cairo_surface * dst=0x0d0f3500, _cairo_region * trap_region=0x0deecd00, _cairo_clip * clip=0x005cadac, _cairo_rectangle_int * extents=0x005cad20)  Line 635 + 0x13 bytes	C
 	xul.dll!_clip_and_composite_trapezoids(const _cairo_pattern * src=0x58b8bce0, _cairo_operator op=CAIRO_OPERATOR_CLEAR, _cairo_surface * dst=0x0d0f3500, _cairo_traps * traps=0x00000000, _cairo_antialias antialias=CAIRO_ANTIALIAS_DEFAULT, _cairo_clip * clip=0x005cadac, _cairo_rectangle_int * extents=0x005cad20)  Line 850	C
 	xul.dll!_cairo_surface_fallback_fill(_cairo_surface * surface=0x0d0f3500, _cairo_operator op=CAIRO_OPERATOR_CLEAR, const _cairo_pattern * source=0x58b8bce0, _cairo_path_fixed * path=0x58f8145c, _cairo_fill_rule fill_rule=CAIRO_FILL_RULE_WINDING, double tolerance=0.10000000000000001, _cairo_antialias antialias=CAIRO_ANTIALIAS_DEFAULT, _cairo_clip * clip=0x005cadac)  Line 1216 + 0x27 bytes	C
 	xul.dll!_cairo_gstate_fill(_cairo_gstate * gstate=0x0d0f3a80, _cairo_path_fixed * path=0x58f8145c)  + 0x252def bytes	C
 	xul.dll!_moz_cairo_fill_preserve()  Line 2460	C
 	xul.dll!gfxContext::Fill()  Line 152	C++
 	xul.dll!DoSingleColorFastPath(gfxContext * aContext=0x00000000, const gfxRGBA & aSinglePixelColor={...}, const gfxRect & aFill={...})  + 0x1a5f53 bytes	C++
 	xul.dll!imgFrame::Draw(gfxContext * aContext=0x0de84360, gfxPattern::GraphicsFilter aFilter=FILTER_GOOD, const gfxMatrix & aUserSpaceToImageSpace={...}, const gfxRect & aFill={...}, const nsIntMargin & aPadding={...}, const nsIntRect & aSubimage={...})  Line 446 + 0xf bytes	C++
 	xul.dll!mozilla::imagelib::RasterImage::Draw(gfxContext * aContext=0x0de84360, gfxPattern::GraphicsFilter aFilter=FILTER_GOOD, const gfxMatrix & aUserSpaceToImageSpace={...}, const gfxRect & aFill={...}, const nsIntRect & aSubimage={...}, const nsIntSize & __formal={...}, unsigned int aFlags=0)  Line 2510	C++
 	xul.dll!DrawImageInternal(nsRenderingContext * aRenderingContext=0x0deecc40, imgIContainer * aImage=0x073b79d0, gfxPattern::GraphicsFilter aGraphicsFilter=FILTER_GOOD, const nsRect & aDest={...}, const nsRect & aFill={...}, const nsPoint & aAnchor={...}, const nsRect & aDirty={...}, const nsIntSize & aImageSize={...}, unsigned int aImageFlags=0)  Line 3396	C++
 	xul.dll!nsLayoutUtils::DrawImage(nsRenderingContext * aRenderingContext=0x0deecc40, imgIContainer * aImage=0x073b79d0, gfxPattern::GraphicsFilter aGraphicsFilter=FILTER_GOOD, const nsRect & aDest={...}, const nsRect & aFill={...}, const nsPoint & aAnchor={...}, const nsRect & aDirty={...}, unsigned int aImageFlags=0)  Line 3582 + 0x20 bytes	C++
 	xul.dll!ImageRenderer::Draw(nsPresContext * aPresContext=0x09419c00, nsRenderingContext & aRenderingContext={...}, const nsRect & aDest={...}, const nsRect & aFill={...}, const nsPoint & aAnchor={...}, const nsRect & aDirty={...})  Line 3950 + 0x24 bytes	C++
 	xul.dll!nsCSSRendering::PaintBackgroundWithSC(nsPresContext * aPresContext=, nsRenderingContext & aRenderingContext=, nsIFrame * aForFrame=, const nsRect & aDirtyRect=, const nsRect & aBorderArea=, nsStyleContext * aBackgroundSC=, const nsStyleBorder & aBorder=, unsigned int aFlags=, nsRect * aBGClipRect=)  Line 2428 + 0x54 bytes	C++
 	xul.dll!mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer * aLayer=0x073d1800, gfxContext * aContext=0x0de84360, const nsIntRegion & aRegionToDraw={...}, const nsIntRegion & aRegionToInvalidate={...}, void * aCallbackData=0x005cbcb0)  Line 2142 + 0x18b bytes	C++
 	xul.dll!mozilla::layers::ThebesLayerD3D10::DrawRegion(nsIntRegion & aRegion={...}, mozilla::layers::Layer::SurfaceMode aMode=SURFACE_OPAQUE)  Line 394 + 0x17 bytes	C++
 	xul.dll!mozilla::layers::ThebesLayerD3D10::Validate(mozilla::layers::ReadbackProcessor * aReadback=0x005cb9a4)  Line 277	C++
 	xul.dll!mozilla::layers::ContainerLayerD3D10::Validate()  Line 370	C++
 	xul.dll!mozilla::layers::LayerManagerD3D10::Render()  Line 615	C++
 	xul.dll!mozilla::layers::LayerManagerD3D10::EndTransaction(void (mozilla::layers::ThebesLayer *, gfxContext *, const nsIntRegion &, const nsIntRegion &, void *)* aCallback=0x58258ea0, void * aCallbackData=0x005cbcb0)  Line 334	C++
 	xul.dll!nsDisplayList::PaintForFrame(nsDisplayListBuilder * aBuilder=0x005cbcb0, nsRenderingContext * aCtx=0x00000000, nsIFrame * aForFrame=0x0a4cd7f0, unsigned int aFlags=5)  Line 631	C++
 	xul.dll!nsLayoutUtils::PaintFrame(nsRenderingContext * aRenderingContext=0x00000000, nsIFrame * aFrame=0x0a4cd7f0, const nsRegion & aDirtyRegion={...}, unsigned int aBackstop=4294967295, unsigned int aFlags=260)  Line 1645	C++
 	xul.dll!PresShell::Paint(nsIView * aViewToPaint=0x01f1a668, nsIWidget * aWidgetToPaint=0x09076d60, const nsRegion & aDirtyRegion={...}, const nsIntRegion & aIntDirtyRegion={...}, int aPaintDefaultBackground=6078960, int aWillSendDidPaint=1)  Line 6188	C++
 	xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=)  Line 4839 + 0x9 bytes	C++
 	mozcrt19.dll!arena_malloc_small(arena_s * arena=0x0a4bd840, unsigned int size=0, int zero=6078904)  Line 3687	C
 	xul.dll!AttachedHandleEvent(nsGUIEvent * aEvent=0x0a4bd840)  Line 193	C++
 	xul.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x005cc1b8, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 3550 + 0x3 bytes	C++
 	xul.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x005cc1b8, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 3579	C++
 	xul.dll!nsWindow::OnPaint(HDC__ * aDC=0x768c6210, unsigned int aNestingLevel=1989345840)  + 0x2dba65 bytes	C++
 	user32.dll!__EndUserApiHook@0()  + 0x11 bytes	
 	user32.dll!_SystemParametersInfoA@16()  + 0x8c bytes	
 	xul.dll!cairo_win32_get_system_text_quality()  Line 274 + 0xd bytes	C
 	xul.dll!nsWindow::ProcessMessage(unsigned int msg=4114868229, unsigned int & wParam=, long & lParam=, long * aRetValue=0x000000ff)  Line 4845 + 0xb bytes	C++
Comment 12 Marcia Knous [:marcia - use ni] 2011-08-03 15:31:53 PDT
chofmann reports on IRC:

for some reason we don't seem to be getting flash version info on that sig
july 20-29
  305 [blank]
  2 10.1.85.3
  1 10.1.82.76
  1 10.1.102.64
  1 10.0.22.87
Comment 13 Robert Kaiser 2011-08-03 16:26:51 PDT
So this means it doesn't happen in Flash plugin processes, probably.
Comment 14 Jeff Muizelaar [:jrmuizel] 2011-08-03 17:36:15 PDT
The crash seems to be happening here:

    bpp = PIXMAN_FORMAT_BPP (format);
    if (pixman_multiply_overflows_int (width, bpp))
        return NULL;

which seems to imply the format is bad which is very odd and seems to suggest the image surface we get back from _cairo_surface_acquire_source_image is bogus.
Comment 15 Jeff Muizelaar [:jrmuizel] 2011-08-03 21:24:50 PDT
I've filed a bug about the truncated stack as bug 676459
Comment 16 Jeff Muizelaar [:jrmuizel] 2011-08-04 12:34:31 PDT
Created attachment 550794 [details] [diff] [review]
Try to crash earlier and record some stuff.
Comment 17 Joe Drew (not getting mail) 2011-08-04 12:38:28 PDT
Comment on attachment 550794 [details] [diff] [review]
Try to crash earlier and record some stuff.

As long as we never run into a case where the bpp is 0 in normal usage, this looks good.
Comment 18 Marco Bonardo [::mak] 2011-08-05 09:08:17 PDT
http://hg.mozilla.org/mozilla-central/rev/6bcb177d3402
Comment 19 Jeff Muizelaar [:jrmuizel] 2011-08-10 09:53:13 PDT
It's d2d_acquire_source_image that's giving us back a bad image.
Comment 20 Jeff Muizelaar [:jrmuizel] 2011-08-10 13:09:28 PDT
Created attachment 552193 [details] [diff] [review]
Crash even earlier, and try to figure out what went wrong with the image surface
Comment 21 Benoit Jacob [:bjacob] (mostly away) 2011-08-10 16:29:45 PDT
Comment on attachment 552193 [details] [diff] [review]
Crash even earlier, and try to figure out what went wrong with the image surface

My head hurts, please take this out as soon as it's not needed anymore!
Comment 22 Jeff Muizelaar [:jrmuizel] 2011-08-10 16:32:22 PDT
Created attachment 552260 [details] [diff] [review]
Fix a compile problem
Comment 23 Mounir Lamouri (:mounir) 2011-08-11 04:26:29 PDT
Pushed:
http://hg.mozilla.org/mozilla-central/rev/17fa5a741f84
Comment 24 Jeff Muizelaar [:jrmuizel] 2011-08-12 12:13:03 PDT
This should find the crashes we're looking for:
http://tinyurl.com/3gtewb4
Comment 25 jgbittar 2011-08-15 07:34:44 PDT
Hello, you all probably know this already, but going to realtor.com on the latest version of Aurora 7.0a (2011-08-14) and Nightly 8.0a1 (2011-08-15) momentarily displays the page correctly and then it immediately crashes Firefox. On version 5.01 it is still missing the entries to do a search for a property on the first page. Thanks, jorge.
Comment 26 Jeff Muizelaar [:jrmuizel] 2011-08-15 09:01:44 PDT
(In reply to jgbittar from comment #25)
> Hello you all probably know this already but going to realtor.com on the
> latest version of Aurora 7.0a(2011-08-14) and Nightly
> 8.0a1(2011-08-15)momentarily displays the page correctly and then it
> immediately crashes firefox.  On version 5.01 it still missing the entries
> to do a search for a property on the first page, thanks jorge.

Can you link to one of the crash urls that you get?
Comment 27 jgbittar 2011-08-15 09:18:19 PDT
(In reply to Jeff Muizelaar [:jrmuizel] from comment #26)
> (In reply to jgbittar from comment #25)
> > Hello you all probably know this already but going to realtor.com on the
> > latest version of Aurora 7.0a(2011-08-14) and Nightly
> > 8.0a1(2011-08-15)momentarily displays the page correctly and then it
> > immediately crashes firefox.  On version 5.01 it still missing the entries
> > to do a search for a property on the first page, thanks jorge.
> 
> Can you link to one of the crash urls that you get?

here you go

bp-8e65f7c8-9279-41bf-9fff-29ecb2110815 8/15/2011 9:55 AM (nightly crash)
bp-fb4ac2ac-bb3e-487d-bc78-c527d2110815 8/15/2011 9:48 AM (aurora crash)
Comment 28 Jeff Muizelaar [:jrmuizel] 2011-08-15 10:54:28 PDT
(In reply to jgbittar from comment #27)
> (In reply to Jeff Muizelaar [:jrmuizel] from comment #26)
> > (In reply to jgbittar from comment #25)
> > > Hello you all probably know this already but going to realtor.com on the
> > > latest version of Aurora 7.0a(2011-08-14) and Nightly
> > > 8.0a1(2011-08-15)momentarily displays the page correctly and then it
> > > immediately crashes firefox.  On version 5.01 it still missing the entries
> > > to do a search for a property on the first page, thanks jorge.
> > 
> > Can you link to one of the crash urls that you get?
> 
> here you go
> 
> bp-8e65f7c8-9279-41bf-9fff-29ecb2110815 8/15/2011 9:55 AM (nightly crash)
> bp-fb4ac2ac-bb3e-487d-bc78-c527d2110815 8/15/2011 9:48 AM (aurora crash)

Can you get the crash url on 8.0a1 with an 32bit version instead of a 64bit one?
Comment 29 jgbittar 2011-08-15 11:04:05 PDT
(In reply to Jeff Muizelaar [:jrmuizel] from comment #28)
> (In reply to jgbittar from comment #27)
> > (In reply to Jeff Muizelaar [:jrmuizel] from comment #26)
> > > (In reply to jgbittar from comment #25)
> > > > Hello you all probably know this already but going to realtor.com on the
> > > > latest version of Aurora 7.0a(2011-08-14) and Nightly
> > > > 8.0a1(2011-08-15)momentarily displays the page correctly and then it
> > > > immediately crashes firefox.  On version 5.01 it still missing the entries
> > > > to do a search for a property on the first page, thanks jorge.
> > > 
> > > Can you link to one of the crash urls that you get?
> > 
> > here you go
> > 
> > bp-8e65f7c8-9279-41bf-9fff-29ecb2110815 8/15/2011 9:55 AM (nightly crash)
> > bp-fb4ac2ac-bb3e-487d-bc78-c527d2110815 8/15/2011 9:48 AM (aurora crash)
> 
> Can you get the crash url on 8.0a1 with an 32bit version instead of a 64bit
> one?

With 5.01 it does not crash it just does not display the search parameters on the first page.  thanks Jorge
Comment 30 Jeff Muizelaar [:jrmuizel] 2011-08-15 11:19:48 PDT
(In reply to jgbittar from comment #29)
> With 5.01 it does not crash it just does not display the search parameters
> on the first page.  thanks Jorge

Did you mean 8.0a1?
Comment 31 jgbittar 2011-08-15 11:22:31 PDT
(In reply to Jeff Muizelaar [:jrmuizel] from comment #30)
> (In reply to jgbittar from comment #29)
> > With 5.01 it does not crash it just does not display the search parameters
> > on the first page.  thanks Jorge
> 
> Did you mean 8.0a1?

no 5.01, or do you mean to download the 32bit version of nightly?
Comment 32 Jeff Muizelaar [:jrmuizel] 2011-08-15 11:30:30 PDT
(In reply to jgbittar from comment #31)
> (In reply to Jeff Muizelaar [:jrmuizel] from comment #30)
> > (In reply to jgbittar from comment #29)
> > > With 5.01 it does not crash it just does not display the search parameters
> > > on the first page.  thanks Jorge
> > 
> > Did you mean 8.0a1?
> 
> no 5.01, or do you mean to download the 32bit version of nightly?

Yes, the 32bit version of nightly.
Comment 33 jgbittar 2011-08-15 13:05:22 PDT
(In reply to Jeff Muizelaar [:jrmuizel] from comment #32)
> (In reply to jgbittar from comment #31)
> > (In reply to Jeff Muizelaar [:jrmuizel] from comment #30)
> > > (In reply to jgbittar from comment #29)
> > > > With 5.01 it does not crash it just does not display the search parameters
> > > > on the first page.  thanks Jorge
> > > 
> > > Did you mean 8.0a1?
> > 
> > no 5.01, or do you mean to download the 32bit version of nightly?
> 
> Yes, the 32bit version of nightly.

Here you go, it exhibits the same behavior. thanks-jorge

bp-0ed7f4b9-2e35-4dca-894e-79f482110815 8/15/2011 3:51 PM
Comment 34 Jeff Muizelaar [:jrmuizel] 2011-08-16 06:44:19 PDT
Created attachment 553455 [details] [diff] [review]
Handle bad strides in acquire_source_surface

This handles bad strides by copying the data to a new image surface.
Comment 35 Bas Schouten (:bas.schouten) 2011-08-16 07:24:36 PDT
Comment on attachment 553455 [details] [diff] [review]
Handle bad strides in acquire_source_surface

Review of attachment 553455 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/cairo/cairo/src/cairo-d2d-surface.cpp
@@ +2510,5 @@
>      return CAIRO_STATUS_SUCCESS;
>  }
>  
> +static
> +copy_data_to_different_stride(unsigned char *dst, int dst_stride, void *src, UINT src_stride, int width, int height)
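
Review bot: the new helper is declared as `static` followed directly by `copy_data_to_different_stride(...)`, with no return type between them. This is a .cpp file, so there is no implicit int to fall back on; declare it `static void`. The signature also pairs `int dst_stride` with `UINT src_stride`, so pick one signedness for both strides before they are compared or used in pointer arithmetic.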

nit: In cairo this should probably be _copy<etc>

@@ +2514,5 @@
> +copy_data_to_different_stride(unsigned char *dst, int dst_stride, void *src, UINT src_stride, int width, int height)
> +{
> +    unsigned char *src_p = (unsigned char *)src;
> +    while (height) {
> +        memcpy(dst, src_p, width);
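
Review bot: `memcpy(dst, src_p, width)` uses `width` as the per-row byte count without checking it against `dst_stride` or `src_stride`, so a row longer than either stride is read or written past the storage for that row. Compute the row length in bytes and require it to be no larger than both strides before entering the loop. `while (height)` on a signed `int height` should also be `while (height > 0)` so a negative height cannot start the loop.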

width * Bpp - at this time we could hit this with non-A8 I think.

@@ +2565,5 @@
>      if (FAILED(hr)) {
>  	return _cairo_error(CAIRO_STATUS_NO_DEVICE);
>      }
> +
> +    if (data.RowPitch == cairo_format_stride_for_width(d2dsurf->format, size.width)) {
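
Review bot: in `data.RowPitch == cairo_format_stride_for_width(d2dsurf->format, size.width)` the right-hand side is an `int` that cairo documents as -1 for an invalid format or an over-large width, and it is compared directly with the mapped pitch. Store the result in a local, treat a negative value as an error return, and only then compare, so a failed stride computation is handled explicitly instead of falling into whichever branch the comparison happens to select.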

Is this really needed? This would quite commonly be untrue (GPU's regularly pad a little bit on the side, just usually multiples of 4). I know this is what the documentation says but could we get away with doing the copy only if the stride % 4 != 0?
Comment 36 Jeff Muizelaar [:jrmuizel] 2011-08-16 09:16:08 PDT
Created attachment 553501 [details] [diff] [review]
Handle bad strides in acquire_source_surface v2

This is a much better version of the previous
Comment 37 Jeff Muizelaar [:jrmuizel] 2011-08-16 09:37:59 PDT
Created attachment 553506 [details] [diff] [review]
Handle bad strides in acquire_source_surface v2

Correct patch.
Comment 38 Bas Schouten (:bas.schouten) 2011-08-16 11:14:08 PDT
Comment on attachment 553506 [details] [diff] [review]
Handle bad strides in acquire_source_surface v2

Review of attachment 553506 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/cairo/cairo/src/cairo-d2d-surface.cpp
@@ +2518,5 @@
> +
> +    unsigned char *src_p = (unsigned char *)src;
> +    int min_stride = MIN(dst_stride, src_stride);
> +    while (height) {
> +        memcpy(dst, src_p, minimum_stride);
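
Review bot: the local is declared as `min_stride` but `memcpy(dst, src_p, minimum_stride)` refers to a different name, so the hunk does not compile as shown; use `min_stride` in the call. Since that value is now the per-row copy length, it is also worth asserting it is positive before the loop.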

In theory this could cause excessive copying (i.e. the padding on an A8 surface) but I don't think I care.

::: gfx/cairo/cairo/src/cairoint.h
@@ +1910,5 @@
>  
> +static inline cairo_bool_t
> +_cairo_valid_stride_alignment(int stride)
> +{
> +    return !!(stride & (CAIRO_STRIDE_ALIGNMENT-1));
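
Review bot: `_cairo_valid_stride_alignment` tests only the low bits of `stride`, so 0 and negative multiples of the alignment get the same answer as a good stride, and the mask is only correct if `CAIRO_STRIDE_ALIGNMENT` is a power of two. Consider requiring `stride > 0` here or at the call site, and add a one-line comment stating the power-of-two assumption.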

As per IRC discussion this should be a single !.
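
An added example, not part of the bug thread or of the Mozilla patch: stand-alone C showing the approach described in comment 34 (copying rows that arrived with a bad stride into a new, aligned buffer) together with the width-times-bpp overflow check quoted in comment 14. The names `STRIDE_ALIGNMENT`, `stride_is_aligned`, `row_bytes`, `aligned_stride_for` and `repack_rows` are hypothetical, and the 4-byte alignment is an assumption.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: rows must start on a 4-byte boundary. */
#define STRIDE_ALIGNMENT 4

/* Nonzero when stride is positive and a multiple of STRIDE_ALIGNMENT. */
static int stride_is_aligned(int stride)
{
    return stride > 0 && (stride & (STRIDE_ALIGNMENT - 1)) == 0;
}

/* Bytes in one row of pixels, or -1 if the inputs are bad or the
 * multiplication would overflow an int. */
static int row_bytes(int width, int bytes_per_pixel)
{
    if (width <= 0 || bytes_per_pixel <= 0)
        return -1;
    if (width > INT_MAX / bytes_per_pixel)
        return -1;
    return width * bytes_per_pixel;
}

/* Smallest aligned stride that holds one row, or -1 on failure. */
static int aligned_stride_for(int width, int bytes_per_pixel)
{
    int row = row_bytes(width, bytes_per_pixel);
    if (row < 0 || row > INT_MAX - (STRIDE_ALIGNMENT - 1))
        return -1;
    return (row + STRIDE_ALIGNMENT - 1) & ~(STRIDE_ALIGNMENT - 1);
}

/* Copy an image whose producer handed back an unusable stride into a new
 * zero-filled buffer with an aligned stride. Returns the buffer (caller
 * frees) and stores its stride in *out_stride, or returns NULL. */
static unsigned char *repack_rows(const unsigned char *src, int src_stride,
                                  int width, int height, int bytes_per_pixel,
                                  int *out_stride)
{
    int row = row_bytes(width, bytes_per_pixel);
    int dst_stride = aligned_stride_for(width, bytes_per_pixel);
    unsigned char *dst;
    int y;

    if (!src || !out_stride || height <= 0 || row < 0 || dst_stride < 0)
        return NULL;
    if (src_stride < row)          /* source rows cannot hold `width` pixels */
        return NULL;
    if ((size_t)height > SIZE_MAX / (size_t)dst_stride)
        return NULL;               /* height * dst_stride would overflow */

    dst = calloc((size_t)height, (size_t)dst_stride);
    if (!dst)
        return NULL;
    for (y = 0; y < height; y++)   /* copy pixel bytes only, never the padding */
        memcpy(dst + (size_t)y * (size_t)dst_stride,
               src + (size_t)y * (size_t)src_stride, (size_t)row);
    *out_stride = dst_stride;
    return dst;
}

int main(void)
{
    /* Constructed sample: 3x2 one-byte-per-pixel image packed at stride 3. */
    static const unsigned char packed[6] = { 1, 2, 3, 4, 5, 6 };
    int stride = 0;
    unsigned char *fixed;

    if (stride_is_aligned(3))
        return 1;
    fixed = repack_rows(packed, 3, 3, 2, 1, &stride);
    if (!fixed)
        return 1;
    printf("repacked to stride %d, row 1 starts with %d\n", stride, fixed[stride]);
    free(fixed);
    return 0;
}
```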
Comment 39 jgbittar 2011-08-17 07:36:08 PDT
Just verified that this is still not fixed on version 6.0, it still does not display the search screen but at least it does not crash like in aurora and nightly.
Comment 40 Marco Bonardo [::mak] 2011-08-18 03:46:31 PDT
http://hg.mozilla.org/mozilla-central/rev/be62b6c4392a
Comment 41 christian 2011-08-22 16:54:20 PDT
Comment on attachment 553506 [details] [diff] [review]
Handle bad strides in acquire_source_surface v2

Approved for beta and aurora
Comment 42 jgbittar 2011-08-24 07:54:22 PDT
This issue seems to have been fixed on nightly: it does not crash, you can search and the search returns a result set. However, aurora still crashes, and the official release of FF (6.0) still does not display the search portion on the website. Below is the crash for aurora. bp-b3682539-3b33-4694-ae60-9d0a72110824. thanks jorge
Comment 44 Vlad [QA] 2011-09-09 07:32:38 PDT
Hi guys.
I've tested realtor.com from comment25 and I got no crash.
Is it enough to verify this bug?
Thanks
Comment 45 jgbittar 2011-09-10 18:24:52 PDT
Version 6.02 of firefox now displays everything correctly when going to realtor.com.
Comment 46 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 16:05:54 PDT
qa+ for verification on Firefox 7, 8, and 9. Verify by using the test URLs in this bug and by checking crashstats.
Comment 47 Vlad [QA] 2011-09-26 08:30:29 PDT
I have verified this by loading the sites from comment8 and I got no crash.
The builds were:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110925 Firefox/8.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110925 Firefox/9.0a1

Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 5.1; rv:8.0a2) Gecko/20110926 Firefox/8.0a2
Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110926 Firefox/9.0a1

Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 6.1; rv:8.0a2) Gecko/20110925 Firefox/8.0a2
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110925 Firefox/9.0a1

Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a2) Gecko/20110926 Firefox/8.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110926 Firefox/9.0a1
