698391 - DrawTargetD2D::CreateGradientTexture crash EXCEPTION_ACCESS_VIOLATION_READ

Status: RESOLVED INCOMPLETE

(Core :: Graphics, defect)

Description

[Atte Kettunen]

Attachment: reprofile for crash.

EXCEPTION_ACCESS_VIOLATION_READ @ mozilla::gfx::DrawTargetD2D::CreateGradientTexture(mozilla::gfx::GradientStopsD2D const*)

So far have been able to reproduce only on Windows tested version 8.0 and 9.0a2. Open attached file to reproduce.

From the attached file editing last value into smaller one in command ctx.createRadialGradient will prevent the crash.

Related bug reports:
https://crash-stats.mozilla.com/report/index/bp-cf17252c-7945-47e5-9c26-e61b92111031(9.0a)
https://crash-stats.mozilla.com/report/index/bp-c6114ba8-4132-4b11-9471-500562111031(8.0)

Comment 1

[:aceman]

The URLs got wrong, here are working versions:
https://crash-stats.mozilla.com/report/index/bp-cf17252c-7945-47e5-9c26-e61b92111031
https://crash-stats.mozilla.com/report/index/bp-c6114ba8-4132-4b11-9471-500562111031

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	mozilla::gfx::DrawTargetD2D::CreateGradientTexture 	gfx/2d/DrawTargetD2D.cpp:1763
1 	xul.dll 	mozilla::gfx::DrawTargetD2D::SetupEffectForRadialGradient 	gfx/2d/DrawTargetD2D.cpp:1836
2 	xul.dll 	mozilla::gfx::DrawTargetD2D::FinalizeRTForOperation 	gfx/2d/DrawTargetD2D.cpp:1438
3 	xul.dll 	mozilla::gfx::DrawTargetD2D::FillRect 	gfx/2d/DrawTargetD2D.cpp:728
4 	xul.dll 	nsCanvasRenderingContext2DAzure::FillRect 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:2125
5 	xul.dll 	nsIDOMCanvasRenderingContext2D_FillRect 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:2438
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:660
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4036
8 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
11 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1929

Comment 2

[Jesse Ruderman]

From crash-stats:
* Several crashes per day with this signature
* Affects http://www.coloradovacationrentals.com/Vail-vacation-rentals.htm

Comment 3

[Bas Schouten (:bas.schouten)]

I suspect this is because the gradient cache passes in a none-D2D Gradient. We need to make sure the gradient cache checks a gradient's backend type.

Comment 4

[Bas Schouten (:bas.schouten)]

(In reply to Bas Schouten (:bas) from comment #3)
> I suspect this is because the gradient cache passes in a none-D2D Gradient.
> We need to make sure the gradient cache checks a gradient's backend type.

Argh, this is not the right crash or bug to mention this on. Let me make a correct one.

Comment 5

[Robert Kaiser]

This signature appears to have been introduced to Aurora by the uplift of 18 to that channel.

Comment 6

[Bas Schouten (:bas.schouten)]

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #5)
> This signature appears to have been introduced to Aurora by the uplift of 18
> to that channel.

That's bug 800319 I believe.

Comment 7

[Scoobidiver (away)]

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #5)
> This signature appears to have been introduced to Aurora by the uplift of 18
> to that channel.
It started spiking from 18.0a1/20120924. The regression range for the spike might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9d285bedbc1f&tochange=b2867d82dcad

Comment 8

[Saurabh Anand [:sawrubh]]

@Bas what you suggested seemed to have been fixed by bug 800319 but the crash is still there, ideas about possible solutions. I would like to work on this.

Comment 9

[u279076]

I am closing this as incomplete as this crash is no longer being reported with current Firefox versions.