Bug 698391 - DrawTargetD2D::CreateGradientTexture crash EXCEPTION_ACCESS_VIOLATION_READ
Status: NEW
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86 Windows 7
Importance: -- critical with 1 vote
Assigned To: Nobody; OK to take it and work on it
Reported: 2011-10-31 05:14 PDT by Atte Kettunen
Modified: 2015-10-13 07:28 PDT
CC List: 8 users

Attachments
reprofile for crash. (320 bytes, text/html)
2011-10-31 05:14 PDT, Atte Kettunen

Description Atte Kettunen 2011-10-31 05:14:56 PDT
Created attachment 570663
reprofile for crash.

EXCEPTION_ACCESS_VIOLATION_READ @ mozilla::gfx::DrawTargetD2D::CreateGradientTexture(mozilla::gfx::GradientStopsD2D const*)

So far I have been able to reproduce this only on Windows; tested versions 8.0 and 9.0a2. Open the attached file to reproduce.

In the attached file, editing the last value in the ctx.createRadialGradient command into a smaller one will prevent the crash.

Related bug reports:
https://crash-stats.mozilla.com/report/index/bp-cf17252c-7945-47e5-9c26-e61b92111031(9.0a)
https://crash-stats.mozilla.com/report/index/bp-c6114ba8-4132-4b11-9471-500562111031(8.0)

Comment 1 :aceman 2011-11-02 09:35:07 PDT
The URLs came out wrong; here are working versions:
https://crash-stats.mozilla.com/report/index/bp-cf17252c-7945-47e5-9c26-e61b92111031
https://crash-stats.mozilla.com/report/index/bp-c6114ba8-4132-4b11-9471-500562111031

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::gfx::DrawTargetD2D::CreateGradientTexture 	gfx/2d/DrawTargetD2D.cpp:1763
1 	xul.dll 	mozilla::gfx::DrawTargetD2D::SetupEffectForRadialGradient 	gfx/2d/DrawTargetD2D.cpp:1836
2 	xul.dll 	mozilla::gfx::DrawTargetD2D::FinalizeRTForOperation 	gfx/2d/DrawTargetD2D.cpp:1438
3 	xul.dll 	mozilla::gfx::DrawTargetD2D::FillRect 	gfx/2d/DrawTargetD2D.cpp:728
4 	xul.dll 	nsCanvasRenderingContext2DAzure::FillRect 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:2125
5 	xul.dll 	nsIDOMCanvasRenderingContext2D_FillRect 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:2438
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:660
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4036
8 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
11 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1929

Comment 2 Jesse Ruderman 2012-04-20 00:34:17 PDT
From crash-stats:
* Several crashes per day with this signature
* Affects http://www.coloradovacationrentals.com/Vail-vacation-rentals.htm

Comment 3 Bas Schouten (:bas.schouten) 2012-10-10 08:33:41 PDT
I suspect this is because the gradient cache passes in a non-D2D Gradient. We need to make sure the gradient cache checks a gradient's backend type.

Comment 4 Bas Schouten (:bas.schouten) 2012-10-11 04:05:43 PDT
(In reply to Bas Schouten (:bas) from comment #3)
> I suspect this is because the gradient cache passes in a non-D2D Gradient.
> We need to make sure the gradient cache checks a gradient's backend type.

Argh, this is not the right crash or bug to mention this on. Let me make a correct one.

Comment 5 Robert Kaiser 2012-10-17 08:18:18 PDT
This signature appears to have been introduced to Aurora by the uplift of 18 to that channel.

Comment 6 Bas Schouten (:bas.schouten) 2012-10-17 09:58:22 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #5)
> This signature appears to have been introduced to Aurora by the uplift of 18
> to that channel.

That's bug 800319 I believe.

Comment 7 Scoobidiver (away) 2012-10-17 10:25:14 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #5)
> This signature appears to have been introduced to Aurora by the uplift of 18
> to that channel.
It started spiking from 18.0a1/20120924. The regression range for the spike might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9d285bedbc1f&tochange=b2867d82dcad

Comment 8 Saurabh Anand [:sawrubh] 2012-12-05 02:50:23 PST
@Bas, what you suggested seemed to have been fixed by bug 800319, but the crash is still there. Any ideas about possible solutions? I would like to work on this.