Bug 792903 - crash in DrawingContext::CreateLinearGradientBrush mainly with Location Bar Enhancer
Status: RESOLVED FIXED
Keywords: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: Graphics
Version: 16 Branch
Platform: x86 Windows 7
Priority: --
Severity: critical
Target Milestone: mozilla18
Assigned To: Robert O'Callahan (:roc) (email my personal email if necessary)
QA Contact: Ioana (away)
Blocks: 787947
Reported: 2012-09-20 10:38 PDT by Marcia Knous [:marcia - use ni]
Modified: 2014-01-10 10:41 PST
Flags: ryanvm: in-testsuite-

Attachments
fix (2.41 KB, patch) - 2012-09-25 06:16 PDT, Robert O'Callahan (:roc) (email my personal email if necessary)
bas: review+
akeybl: approval-mozilla-aurora+
akeybl: approval-mozilla-beta+

Description Marcia Knous [:marcia - use ni] 2012-09-20 10:38:57 PDT
This bug was filed from the Socorro interface and is report bp-c64bccc4-4047-463f-b3c8-d37da2120920.

Seen while looking at 16 beta data. Fairly low volume Windows crash that appears primarily in Firefox 16 betas. https://crash-stats.mozilla.com/report/list?signature=DrawingContext::CreateLinearGradientBrush%28D2D1_LINEAR_GRADIENT_BRUSH_PROPERTIES%20const*,%20D2D1_BRUSH_PROPERTIES%20const*,%20ID2D1GradientStopCollection*,%20ID2D1LinearGradientBrush**%29


Frame  Module        Signature                                                                Source
0      d2d1.dll      DrawingContext::CreateLinearGradientBrush
1      d2d1.dll      D2DRenderTargetBase<ID2D1BitmapRenderTarget>::CreateLinearGradientBrush
2      gkmedias.dll  _cairo_d2d_create_linear_gradient_brush                                  gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1703
3      gkmedias.dll  _cairo_d2d_create_brush_for_pattern                                      gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1750
4      gkmedias.dll  _cairo_d2d_fill                                                          gfx/cairo/cairo/src/cairo-d2d-surface.cpp:3637
5      gkmedias.dll  _cairo_surface_fill                                                      gfx/cairo/cairo/src/cairo-surface.c:2351
6      d2d1.dll      D2DRenderTargetBase<ID2D1DCRenderTarget>::GetPixelSize

Some comments:

Dragged a blank second window to a second screen and tried to use the link displayed there and the system crashed
I was trying to open a photo on facebook from a group and then it crashed.


Some URLs:

8 	http://www.mcnz.org.nz/
7 	https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=1
4 	http://dark-music.org/
3 	https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=2
3 	https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport.aspx?dvid=1&BugID=1044172
3 	https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport2_7.aspx?dvid=2&BugId=104679
2 	https://nvbugswb.nvidia.com/nvbugs/Main/vwBugReport2_7.aspx?dvid=2&BugID=1049132
2 	http://www.google.rs/
Comment 1 Scoobidiver (away) 2012-09-20 11:38:25 PDT
It started spiking in 17.0a1/20120726 and 16.0a2/20120821. The regression ranges might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ef20925bc2a5&tochange=20db7c6d82cc
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=95a9ef9dfc3d&tochange=d7b344615437
It's likely a regression from bug 768775.
Comment 2 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-20 16:04:32 PDT
Nothing obvious in the crash reports. STR would be really useful...
Comment 3 Scoobidiver (away) 2012-09-20 22:30:41 PDT
A manual check shows it's mostly correlated to Location Bar Enhancer (https://addons.mozilla.org/firefox/addon/ui-enhancer/).
Comment 4 Scoobidiver (away) 2012-09-21 23:43:08 PDT
It's #2 top browser crasher in the first hours of 16.0b4.

Correlations confirm my manual check:
     83% (59/71) vs.   0% (84/55717) UIEnhancer@girishsharma
Comment 5 Alice0775 White 2012-09-22 21:06:59 PDT
Build Identifier:
http://hg.mozilla.org/releases/mozilla-beta/rev/c3be659f6121
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 ID:20120919065210

bp-5fb9d795-a5a0-4cdf-9d71-15d352120923

Steps to Reproduce:
 1. Start Firefox 16Beta4 with a clean profile
 2. Open http://mlb.mlb.com/mlb/scoreboard/index.jsp
 3. Mouse over SCHEDULE at the top and wait for the menu to expand
 4. Move the mouse pointer to the left (i.e. mouse over STANDINGS)

Actual results:
 Browser crashes
Comment 6 Alice0775 White 2012-09-22 21:33:09 PDT
Regression window (mozilla-beta tinderbox build)
Good:
http://hg.mozilla.org/releases/mozilla-beta/rev/cdd04249a313
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120911 Firefox/16.0 ID:20120918100658
Crashes:
http://hg.mozilla.org/releases/mozilla-beta/rev/fc24961171a3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120912 Firefox/16.0 ID:20120918105357
Pushlog:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=cdd04249a313&tochange=fc24961171a3

Triggered by:
c24961171a3	Benoit Girard — Backout 461c9816a3be (bug 779399) for bug 787947 graphics corruption regression. r=backout a=akeybl
Comment 7 Alex Keybl [:akeybl] 2012-09-24 10:16:31 PDT
Hey Benoit - can you look at this given the fact that your backout appears to be the regressing bug? It'd be good to understand why we didn't see this topcrash previously, when bug 779399 originally landed.
Comment 8 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-24 15:00:50 PDT
Unfortunately I can't reproduce the crash following those instructions, in a debug build I made.

Alice, can you reproduce this in a debug build? If so, are you able to attach a Visual C++ debugger and get information out of the crashing process? If so, it would be great if you could get a complete crash stack from the debugger, and if possible the values of parameters and local variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of 'num_stops' and the contents of the 'stops' array (obtained by Quick Evaluate "stops,6") and p1 and p2 would be extra valuable.
Comment 9 Alice0775 White 2012-09-24 15:46:06 PDT
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #8)
> Unfortunately I can't reproduce the crash following those instructions, in a
> debug build I made.
> 
> Alice, can you reproduce this in a debug build? If so, are you able to
> attach a Visual C++ debugger and get information out of the crashing
> process? If so, it would be great if you could get a complete crash stack
> from the debugger, and if possible the values of parameters and local
> variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of
> 'num_stops' and the contents of the 'stops' array (obtained by Quick
> Evaluate "stops,6") and p1 and p2 would be extra valuable.

I cannot reproduce in the following debug build yet, because the debug build is too slooooooow for some reason.
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-09-24-mozilla-beta-debug/firefox-16.0.en-US.debug-win32.installer.exe

FYI, it is slightly more difficult to reproduce in 16Beta4 than in 16Beta3.
bp-955d9a41-d2d0-410f-bdf3-207f72120924
After step 4 in comment #5, move the mouse pointer around over the top menus [SCOREBOARD ... TEAMS] for a while.
Comment 10 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-25 05:36:01 PDT
Great, I can reproduce in an opt build. Thanks a ton.
Comment 11 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-25 06:16:22 PDT
Created attachment 664470 [details] [diff] [review]
fix

This affects all branches but is less important where Azure is enabled (i.e. everything except beta).
Comment 12 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-25 06:16:43 PDT
This patch is really safe. We just back off an optimization slightly.
Comment 13 Bas Schouten (:bas.schouten) 2012-09-25 07:49:39 PDT
Comment on attachment 664470 [details] [diff] [review]
fix

Review of attachment 664470 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/cairo/cairo/src/cairo-d2d-surface.cpp
@@ +1,4 @@
>  /* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */
>  /* Cairo - a vector graphics library with display and print output
>   *
> + * Copyright � 2010 Mozilla Foundation
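Review bot: the added copyright line carries a replacement character (shown as �) where © should be, which points at a non-UTF-8 byte or a transcoding step somewhere between the editor and the patch; confirm the file's encoding before landing, or write the symbol as (c) so the header stays plain ASCII.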

Bugzilla seems to think something weird happened to the copyright character.

@@ +1632,5 @@
>  	num_stops *= (after_repeat + before_repeat);
> +    if (num_stops == 0) {
> +      fprintf(stderr, "num_stops == 0: max_dist=%f, min_dist=%f, after_repeat=%d, before_repeat=%d\n",
> +              max_dist, min_dist, after_repeat, before_repeat);
> +    }
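Review bot: the `if (num_stops == 0)` block only reports the condition and then falls through, so after `num_stops *= (after_repeat + before_repeat);` a zero count still proceeds into the stop-collection path; if the rest of the fix makes the zero case impossible, replace the block with an assertion, otherwise return early with a fallback, and in either case drop the unconditional fprintf to stderr, which would ship in release builds. The block is also indented with spaces while the surrounding line uses a tab.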

nit: Indent here is off. Also, shouldn't this be unreachable now?
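A simplified model of the stop-count expansion the hunk above checks, added here as an example (not cairo's or the patch's code): the repeat counts, the fallback policy and the sample gradient are assumed. It shows how a count that is multiplied by (before_repeat + after_repeat) collapses to zero and how the caller can refuse to hand an empty collection to Direct2D.

```c
/* Constructed model of a gradient stop; not cairo's or D2D's own struct. */
typedef struct { float position; float r, g, b, a; } stop_t;

/* Model of cairo's repeat expansion: stops (positions in [0,1]) are tiled
   before_repeat times before and after_repeat times after the pattern's own
   span, so the count is multiplied by (before_repeat + after_repeat). Returns
   stops written, or -1 when the result would be empty (the case the hunk only logs). */
int expand_repeat_stops(const stop_t *stops, int num_stops, int before_repeat,
                        int after_repeat, stop_t *out, int out_cap)
{
    int repeats = before_repeat + after_repeat;
    if (num_stops <= 0 || repeats <= 0 || num_stops > out_cap / repeats)
        return -1;                      /* also an overflow-safe capacity check */
    for (int rep = 0; rep < repeats; rep++)
        for (int i = 0; i < num_stops; i++) {
            stop_t s = stops[i];
            /* Each copy occupies its own 1/repeats slice of [0,1]. */
            s.position = (rep + stops[i].position) / (float)repeats;
            out[rep * num_stops + i] = s;
        }
    return num_stops * repeats;
}

/* Caller policy (assumed, modelled on "back off the optimization"): when the
   expansion is empty, draw with the original stops instead of crashing. */
int build_brush_stops(const stop_t *stops, int num_stops, int before_repeat,
                      int after_repeat, stop_t *out, int out_cap)
{
    int n = expand_repeat_stops(stops, num_stops, before_repeat, after_repeat,
                                out, out_cap);
    if (n > 0)
        return n;
    if (num_stops <= 0 || num_stops > out_cap)
        return -1;
    for (int i = 0; i < num_stops; i++)
        out[i] = stops[i];
    return num_stops;
}

/* Constructed two-stop red-to-blue gradient used by the check helpers. */
static const stop_t sample_stops[2] = { {0.0f, 1, 0, 0, 1}, {1.0f, 0, 0, 1, 1} };

int sample_expanded_count(int b, int a)
{ stop_t out[32]; return expand_repeat_stops(sample_stops, 2, b, a, out, 32); }
int sample_brush_count(int b, int a)
{ stop_t out[32]; return build_brush_stops(sample_stops, 2, b, a, out, 32); }
```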
Comment 14 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-25 08:20:20 PDT
I'll take those hunks out.
Comment 15 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-25 17:25:48 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/7c0af9b7ed61
https://hg.mozilla.org/releases/mozilla-aurora/rev/1ae0273dc1d2

I'll check in on inbound tonight when it's quieter.
Comment 16 Girish Sharma [:Optimizer] 2012-09-26 00:03:25 PDT
Oh my, it's not my add-on's fault, right?
Can I do something to prevent it?
Comment 17 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-26 02:21:52 PDT
(In reply to Girish Sharma [:Optimizer] from comment #16)
> Oh my, it's not my add-on's fault, right?
> Can I do something to prevent it?

It's not your fault.

This bug should not end up in any shipping Firefox release; we caught it in time.
Comment 18 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-09-26 02:29:59 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/55ccbc8d52e6
Comment 21 Ioana (away) 2012-10-17 06:58:28 PDT
(In reply to Ioana Budnar [QA] from comment #20)
> This crash only appears once in Socorro in the last 4 weeks, but there it
> has a different stack trace.

In builds post-fix.
Comment 22 Tracy Walker [:tracy] 2014-01-10 10:41:39 PST
mass remove verifyme requests greater than 4 months old