Closed Bug 789933 Opened 7 years ago Closed 7 years ago

crash in mozilla::gfx::DrawTargetCairo::Stroke

Product/Component: Core :: Canvas: 2D
Type: defect
Severity: critical
Version: 17 Branch
Platform: All, Windows 7
Priority: Not set

Status: VERIFIED FIXED
Target Milestone: mozilla20

Tracking Status
firefox17 - ---
firefox18 - ---
firefox19 + verified
firefox20 + verified

Reporter: marcia
Assigned: bas.schouten

This bug was filed from the Socorro interface and is report bp-a51c4a2d-7f81-498d-add7-e50322120910.
=============================================================

Seen while looking at crash stats. Crashes started showing up using the 2012090103 build. One comment mentions "Error occurred while printing one page of a pdf."

Possible regression range based on crash stats: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fcc533f691e9&tochange=a21fd4d085ad

More reports: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3ADrawTargetCairo%3A%3AStroke%28mozilla%3A%3Agfx%3A%3APath%20const*%2C%20mozilla%3A%3Agfx%3A%3APattern%20const%26%2C%20mozilla%3A%3Agfx%3A%3AStrokeOptions%20const%26%2C%20mozilla%3A%3Agfx%3A%3ADrawOptions%20const%26%29


Frame 	Module 	Signature 	Source
0 	gkmedias.dll 	mozilla::gfx::DrawTargetCairo::Stroke 	gfx/2d/DrawTargetCairo.cpp:604
1 	xul.dll 	nsCanvasRenderingContext2DAzure::UsedOperation 	content/canvas/src/nsCanvasRenderingContext2DAzure.h:763
2 	xul.dll 	nsCanvasBidiProcessorAzure::DrawText 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:3119
The stack trace in comment 0 is a 64-bit one. Here are the first frames of a 32-bit stack trace:
Frame 	Module 	Signature 	Source
0 	gkmedias.dll 	mozilla::gfx::DrawTargetCairo::Stroke 	gfx/2d/DrawTargetCairo.cpp:604
1 	xul.dll 	nsCanvasBidiProcessorAzure::DrawText 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:3119
2 	xul.dll 	nsBidiPresUtils::ProcessText 	layout/base/nsBidiPresUtils.cpp:1860
3 	xul.dll 	nsCanvasRenderingContext2DAzure::DrawOrMeasureText 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:3363
4 	xul.dll 	nsCanvasRenderingContext2DAzure::StrokeText 	content/canvas/src/nsCanvasRenderingContext2DAzure.cpp:2928
5 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::strokeText 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:1052
6 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::genericMethod 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2573
7 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:388

(In reply to Marcia Knous [:marcia] from comment #0)
> Possible regression range based on crash stats:
> http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fcc533f691e9&tochange=a21fd4d085ad
I disagree. Indeed, it first appeared in 17.0a1/20120808. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a
It might be a regression from bug 777292.
Component: Graphics → Canvas: 2D
Version: 18 Branch → 17 Branch
The only bug 777292 changesets I see in that range only touch security/manager/.  Also, neither of them should be a functional change.  Why do you think they'd cause a crash in gfx?
(In reply to :Aryeh Gregor from comment #2)
> The only bug 777292 changesets I see in that range only touch
> security/manager/.  Also, neither of them should be a functional change. 
> Why do you think they'd cause a crash in gfx?
Because of http://hg.mozilla.org/mozilla-central/annotate/1cb30394aa56/content/canvas/src/nsCanvasRenderingContext2DAzure.cpp#l2928 that says the code has been changed by this bug.
The changeset summary is actually wrong -- that changeset is for bug 626472.  There are no changesets from bug 626472 in the range.  The only change I made to that file was s/nsnull/nullptr/ (literally just using sed), and at the time nsnull was a #define for nullptr, so it was a no-op as far as the compiler saw.  You'll have to look elsewhere for the culprit, I'm afraid.

(I hope people don't start routinely CCing me on bugs because bug 626472 was the last thing to touch a line.)
It's #136 top browser crasher in 17.0a2 and #8 in 18.0a1 (without hangs to compare the same way the two channels).

STR:
1. Load the ref. URL
2. Print the document
=> bp-38bbf224-679e-46ac-8c39-4bbba2120929
Since this is already reproducible, sending over to Joe to investigate. Feel free to re-assign if you don't have the time to help out.
Assignee: nobody → joe
Assignee: joe → ajones
Looks like scaledFont->GetPathForGlyphs() is returning nullptr. It is possibly caused by scaledFont being the wrong font type for the DrawTarget, that is not a Cairo font. This is the code segment from nsCanvasBidiProcessorAzure::DrawText()

        RefPtr<Path> path = scaledFont->GetPathForGlyphs(buffer, mCtx->mTarget);

        const ContextState& state = *mState;
        AdjustedTarget(mCtx, &bounds)->
          Stroke(path, CanvasGeneralPattern().
                   ForStyle(mCtx, nsCanvasRenderingContext2DAzure::STYLE_STROKE, mCtx->mTarget),
                 StrokeOptions(state.lineWidth, state.lineJoin,
                               state.lineCap, state.miterLimit,
                               state.dash.Length(),
                               state.dash.Elements(),
                               state.dashOffset),
                 DrawOptions(state.globalAlpha, mCtx->UsedOperation()));
Assignee: ajones → ncameron
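
The failure mode described in the comment above, as an added C++ example that is not code from this bug or from Gecko: a font backend returns a null path for a draw target type it does not support, and the caller checks the result before stroking. `Backend`, `DWriteLikeFont`, `supportsForeignTargets`, `StrokeResult` and `StrokeGlyphsChecked` are hypothetical names; the `supportsForeignTargets` switch assumes, from the patch title alone, that the fix lets path creation work for non-D2D targets.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical, simplified stand-ins for illustration; not the Gecko classes.
enum class Backend { Direct2D, Cairo };
enum class StrokeResult { Drawn, SkippedNoPath };

struct Path { Backend backend; std::vector<unsigned> glyphs; };

struct DrawTarget {
  explicit DrawTarget(Backend b) : backend(b) {}
  Backend backend;
  int strokes = 0;
  // Like the crashing frame, this trusts its caller to pass a valid path.
  void Stroke(const Path& path) { if (!path.glyphs.empty()) ++strokes; }
};

struct DWriteLikeFont {
  bool supportsForeignTargets;  // false models the behaviour before the fix
  std::unique_ptr<Path> GetPathForGlyphs(const std::vector<unsigned>& glyphs,
                                         const DrawTarget& target) const {
    if (target.backend != Backend::Direct2D && !supportsForeignTargets) {
      return nullptr;  // wrong font type for this target: no path produced
    }
    return std::unique_ptr<Path>(new Path{target.backend, glyphs});
  }
};

// Call-site guard: a null path is reported, never handed to the draw target.
StrokeResult StrokeGlyphsChecked(const DWriteLikeFont& font,
                                 const std::vector<unsigned>& glyphs,
                                 DrawTarget& target) {
  std::unique_ptr<Path> path = font.GetPathForGlyphs(glyphs, target);
  if (!path) return StrokeResult::SkippedNoPath;
  target.Stroke(*path);
  return StrokeResult::Drawn;
}

int main() {
  DrawTarget cairo(Backend::Cairo);
  DWriteLikeFont before{false}, after{true};
  std::vector<unsigned> glyphs{36, 37, 38};  // constructed glyph indices
  std::printf("before: %d\n", static_cast<int>(StrokeGlyphsChecked(before, glyphs, cairo)));
  std::printf("after:  %d\n", static_cast<int>(StrokeGlyphsChecked(after, glyphs, cairo)));
  return 0;
}
```
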
This is pretty low volume on beta or aurora, not happening at all on 16 and older, but it is appearing with constant volume on trunk, be it 18 or 19.
Keywords: topcrash
It's a top crash in the trunk because of 64-bit builds that are more impacted, but indeed it's now a low volume on Beta and Aurora.
I just tried to reproduce this and couldn't - do I need to set any prefs? I tried opening the URL and printing one page. Do I need to do anything else?
Marcia or Scoobidiver: is this bug still appearing in our crash stats?

Can anyone reproduce this?
Flags: needinfo?
(In reply to Nick Cameron [:nrc] from comment #11)
> Marcia or Scoobidiver: is this bug still appearing in our crash stats?
Yes. See the link in comment 0.

> Can anyone reproduce this?
Yes with the STR in comment 5: bp-4445f7d5-e644-45b9-821e-fbc7f2121129.
Flags: needinfo?
It's #6 top browser crasher in 19.0a2.
Keywords: topcrash
And it's the #5 topcrash over builds of the last 3 days on 20.a1 trunk. Nick, any chance of progress here?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #14)
> And it's the #5 topcrash over builds of the last 3 days on 20.a1 trunk.
> Nick, any chance of progress here?

Hi, yep just rolled a build for this yesterday and will try to do a bit of investigation today. My issue has been that I haven't been able to reproduce before, but I'll see what I can do today.
This should fix the bug.
Assignee: ncameron → bas
Status: NEW → ASSIGNED
Attachment #688477 - Flags: review?(ncameron)
Comment on attachment 688477
Support non-D2D targets for getting a Path off ScaledFontDWrite

Review of attachment 688477:
-----------------------------------------------------------------

Fixes the bug (which I finally managed to reproduce)
Attachment #688477 - Flags: review?(ncameron) → review+
leave open for crashtest coming soon...
Whiteboard: [leave open]
Attached patch test
Attachment #688648 - Flags: review?(bas)
Comment on attachment 688648
test

Review of attachment 688648:
-----------------------------------------------------------------

We'll soon support 16384 on some platforms. Might want to size up the width or height to 20000, it's fine to halve the other dimension to conserve memory.
Attachment #688648 - Flags: review?(bas) → review+
Comment on attachment 688648
test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: crash on printing large documents
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
Attachment #688648 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/6400692c072e
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Attachment #688648 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Umm, landing the test for Aurora only seems sensible if we also land the bugfix :).
Comment on attachment 688477
Support non-D2D targets for getting a Path off ScaledFontDWrite

see above ^^^
Attachment #688477 - Flags: approval-mozilla-aurora?
(In reply to Bas Schouten (:bas.schouten) from comment #26)
> Umm, landing the test for Aurora only seems sensible if we also land the
> bugfix :).

Yeah, may have a? the wrong patch there, d'oh.
Attachment #688477 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
It looks like we had no crashes with this signature with Aurora builds from the 10th, but we need to keep watching this.
Flagging for verification using the steps in comment 5.
Keywords: verifyme
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130109111322

Verified as fixed on Firefox 19.0b1
Status: RESOLVED → VERIFIED
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

Also verified as fixed on Firefox 20 beta 1.
Keywords: verifyme