crash in _moz_pixman_image_set_transform if HWA disabled since Firefox12

RESOLVED INCOMPLETE

Status

()

Core
Graphics
--
critical
RESOLVED INCOMPLETE
6 years ago
2 years ago

People

(Reporter: Alice0775 White, Unassigned)

Tracking

({crash, regression, testcase-wanted})

12 Branch
x86
Windows 7
crash, regression, testcase-wanted
Points:
---

Firefox Tracking Flags

(firefox16-, firefox17-, firefox18-)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 660089 [details]
sample

This bug was filed from the Socorro interface and is 
report bp-adfc59e5-dbd1-4b7f-b972-b595a2120911 .
============================================================= 
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/96287ad60bef
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120911030553

I noticed the crash when I test bug 790239.

Steps to reproduce:
1. Start Firefox without HWA
2. Open attached
3. Click Trapezoids several times

Actual results:
  Browser crashes

bp-adfc59e5-dbd1-4b7f-b972-b595a2120911 : Nightly18.0a2
bp-4d7d4137-1e5b-4f98-aae5-f2c632120911 : Aurora17.0a2
bp-b8818014-a5b5-4cf1-bdf8-3f1082120911 : 16.0Beta
bp-a7c45c7f-f9b2-4d56-93f2-ccdad2120911 : 15.0.1
bp-d161963e-f5ac-4633-8e17-8fab52120911 : 14.0.2
bp-207d5923-6e41-43dc-8ae9-164162120911 : 13.0.1
bp-9848dda4-afc3-48cd-a634-0f2cb2120911 : 12.0

Expected results:
  Not crash.
(Reporter)

Updated

6 years ago
Keywords: regression, reproducible
(Reporter)

Comment 1

6 years ago
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/1cdef0321abd
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120202 Firefox/13.0a1 ID:20120202010526
Bad:
http://hg.mozilla.org/mozilla-central/rev/005980552224
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120202 Firefox/13.0a1 ID:20120202022426
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1cdef0321abd&tochange=005980552224


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/587eea31cfa1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120131 Firefox/13.0a1 ID:20120131223139
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/de8e1de24f37
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0a1) Gecko/20120131 Firefox/13.0a1 ID:20120201021727
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=587eea31cfa1&tochange=de8e1de24f37

Suspected: 
a8b8c4489e4e	Chris Lord — Bug 722325 - Revert bug 720987 for transformed frames. r=roc The fix checked in for bug 720987 caused a major rendering regression with native fennec. Revert it for transformed frames until the correct fix is found.
Blocks: 722325

Comment 2

6 years ago
It's a low volume crash, only 96 crashes across all versions over the last week.

Comment 3

6 years ago
The suspected check-in was a partial back-out. Bug 725664 was filed to fix the problem for real (whereby this offending code could just be removed). Cc'ing mats.

Comment 4

6 years ago
Long standing, low volume regression. No need to track for upcoming releases.
tracking-firefox16: ? → -
tracking-firefox17: ? → -
tracking-firefox18: ? → -

Comment 6

6 years ago
http://tympanus.net/Development/3DGallery/index2.html
http://jifen.qq.com/html5/index.html?ADTAG=JIFEN.PIONEER.INDEX

on Windows XP and Windows 7 VMs. Both use the same css+js technique. Both crash opt with this signature and both 
ABORT: Failed to create pixman images?: 'src && dest' on Windows.

On Windows I see ASSERTION: gfxASurface::CairoSurface called with mSurface == nullptr!: 'mSurface != nullptr'

On OSX I see multiple Computed overflow area must contain frame bounds: 'aNewSize.width == 0 || aNewSize.height == 0 || r->width == nscoord_MAX || r->height == nscoord_MAX || (mState & NS_FRAME_SVG_LAYOUT) || r->Contains(nsRect(nsPoint(0,0), aNewSize))' but no crash.
Alice, can you check if this is reproducible for you? I'm only seeing one report recently with a current Firefox build.
Flags: needinfo?(alice0775)
(Reporter)

Comment 9

2 years ago
The sample html does not work as expected on Nightly50.0a1 even if disabled mixed protection.

Marked invalid, Unless new test cases is cumming.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(alice0775)
Resolution: --- → INVALID
(In reply to Alice0775 White from comment #9)
> The sample html does not work as expected on Nightly50.0a1 even if disabled
> mixed protection.

Thanks for checking, Alice. I'm amending the keywords based on this.
Keywords: reproducible → testcase-wanted
Resolution: INVALID → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.