crash in _moz_pixman_image_set_transform if HWA disabled since Firefox12

RESOLVED INCOMPLETE

Status

()

--
critical
RESOLVED INCOMPLETE
6 years ago
3 years ago

People

(Reporter: alice0775, Unassigned)

Tracking

({crash, regression, testcase-wanted})

12 Branch
x86
Windows 7
crash, regression, testcase-wanted
Points:
---

Firefox Tracking Flags

(firefox16-, firefox17-, firefox18-)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 660089 [details]
sample

This bug was filed from the Socorro interface and is 
report bp-adfc59e5-dbd1-4b7f-b972-b595a2120911 .
============================================================= 
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/96287ad60bef
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120911030553

I noticed the crash when I test bug 790239.

Steps to reproduce:
1. Start Firefox without HWA
2. Open attached
3. Click Trapezoids several times

Actual results:
  Browser crashes

bp-adfc59e5-dbd1-4b7f-b972-b595a2120911 : Nightly18.0a2
bp-4d7d4137-1e5b-4f98-aae5-f2c632120911 : Aurora17.0a2
bp-b8818014-a5b5-4cf1-bdf8-3f1082120911 : 16.0Beta
bp-a7c45c7f-f9b2-4d56-93f2-ccdad2120911 : 15.0.1
bp-d161963e-f5ac-4633-8e17-8fab52120911 : 14.0.2
bp-207d5923-6e41-43dc-8ae9-164162120911 : 13.0.1
bp-9848dda4-afc3-48cd-a634-0f2cb2120911 : 12.0

Expected results:
  Not crash.
(Reporter)

Updated

6 years ago
Keywords: regression, reproducible
(Reporter)

Comment 1

6 years ago
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/1cdef0321abd
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120202 Firefox/13.0a1 ID:20120202010526
Bad:
http://hg.mozilla.org/mozilla-central/rev/005980552224
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120202 Firefox/13.0a1 ID:20120202022426
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1cdef0321abd&tochange=005980552224


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/587eea31cfa1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120131 Firefox/13.0a1 ID:20120131223139
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/de8e1de24f37
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120131 Firefox/13.0a1 ID:20120201021727
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=587eea31cfa1&tochange=de8e1de24f37

Suspected: 
a8b8c4489e4e	Chris Lord — Bug 722325 - Revert bug 720987 for transformed frames. r=roc The fix checked in for bug 720987 caused a major rendering regression with native fennec. Revert it for transformed frames until the correct fix is found.
Blocks: 722325
It's a low volume crash, only 96 crashes across all versions over the last week.
The suspected check-in was a partial back-out. Bug 725664 was filed to fix the problem for real (whereby this offending code could just be removed). Cc'ing mats.
Long standing, low volume regression. No need to track for upcoming releases.
tracking-firefox16: ? → -
tracking-firefox17: ? → -
tracking-firefox18: ? → -
http://tympanus.net/Development/3DGallery/index2.html
http://jifen.qq.com/html5/index.html?ADTAG=JIFEN.PIONEER.INDEX

on Windows XP and Windows 7 VMs. Both use the same css+js technique. Both crash opt with this signature and both 
ABORT: Failed to create pixman images?: 'src && dest' on Windows.

On Windows I see ASSERTION: gfxASurface::CairoSurface called with mSurface == nullptr!: 'mSurface != nullptr'

On OSX I see multiple Computed overflow area must contain frame bounds: 'aNewSize.width == 0 || aNewSize.height == 0 || r->width == nscoord_MAX || r->height == nscoord_MAX || (mState & NS_FRAME_SVG_LAYOUT) || r->Contains(nsRect(nsPoint(0,0), aNewSize))' but no crash.
Alice, can you check if this is reproducible for you? I'm only seeing one report recently with a current Firefox build.
Flags: needinfo?(alice0775)
(Reporter)

Comment 9

3 years ago
The sample html does not work as expected on Nightly50.0a1 even if disabled mixed protection.

Marked invalid, Unless new test cases is cumming.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(alice0775)
Resolution: --- → INVALID
(In reply to Alice0775 White from comment #9)
> The sample html does not work as expected on Nightly50.0a1 even if disabled
> mixed protection.

Thanks for checking, Alice. I'm amending the keywords based on this.
Keywords: reproducible → testcase-wanted
Resolution: INVALID → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.