crash in DrawingContext::CreateLinearGradientBrush mainly with Location Bar Enhancer

RESOLVED FIXED in Firefox 16

Status

Product: Core
Component: Graphics
Importance: --, critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 4 years ago

People

Reporter: marcia
Assigned: roc

Tracking

Version: 16 Branch
Target Milestone: mozilla18
Platform: x86, Windows 7
Keywords: crash, regression, reproducible, topcrash
Points: ---
Bug Flags: in-testsuite -

Firefox Tracking Flags

firefox16+ fixed, firefox17 verified

Attachments

1 attachment

Description

5 years ago
This bug was filed from the Socorro interface and is report bp-c64bccc4-4047-463f-b3c8-d37da2120920.
=============================================================

Seen while looking at 16 beta data. Fairly low volume Windows crash that appears primarily in Firefox 16 betas. https://crash-stats.mozilla.com/report/list?signature=DrawingContext::CreateLinearGradientBrush%28D2D1_LINEAR_GRADIENT_BRUSH_PROPERTIES%20const*,%20D2D1_BRUSH_PROPERTIES%20const*,%20ID2D1GradientStopCollection*,%20ID2D1LinearGradientBrush**%29


Frame 	Module 	Signature 	Source
0 	d2d1.dll 	DrawingContext::CreateLinearGradientBrush 	
1 	d2d1.dll 	D2DRenderTargetBase<ID2D1BitmapRenderTarget>::CreateLinearGradientBrush 	
2 	gkmedias.dll 	_cairo_d2d_create_linear_gradient_brush 	gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1703
3 	gkmedias.dll 	_cairo_d2d_create_brush_for_pattern 	gfx/cairo/cairo/src/cairo-d2d-surface.cpp:1750
4 	gkmedias.dll 	_cairo_d2d_fill 	gfx/cairo/cairo/src/cairo-d2d-surface.cpp:3637
5 	gkmedias.dll 	_cairo_surface_fill 	gfx/cairo/cairo/src/cairo-surface.c:2351
6 	d2d1.dll 	D2DRenderTargetBase<ID2D1DCRenderTarget>::GetPixelSize 	

Some comments:

Dragged a blank second window to a second screen and tried to use the link displayed there and the system crashed
I was trying to open a photo on facebook from a group and then it crashed.


Some URLs:

8 	http://www.mcnz.org.nz/
7 	https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=1
4 	http://dark-music.org/
3 	https://nvbugswb.nvidia.com/nvbugs/AdvancedSearch/lstAdvancedSearch.aspx?dvid=2
3 	https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport.aspx?dvid=1&BugID=1044172
3 	https://nvbugswb.nvidia.com/nvbugs/Main/frmBugReport2_7.aspx?dvid=2&BugId=104679
2 	https://nvbugswb.nvidia.com/nvbugs/Main/vwBugReport2_7.aspx?dvid=2&BugID=1049132
2 	http://www.google.rs/

Comment 1

5 years ago
It started spiking in 17.0a1/20120726 and 16.0a2/20120821. The regression ranges might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ef20925bc2a5&tochange=20db7c6d82cc
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=95a9ef9dfc3d&tochange=d7b344615437
It's likely a regression from bug 768775.
Blocks: 768775
Keywords: regression
OS: Windows NT → Windows 7
Version: 18 Branch → 16 Branch
Nothing obvious in the crash reports. STR would be really useful...

Comment 3

5 years ago
A manual check shows it's mostly correlated to Location Bar Enhancer (https://addons.mozilla.org/firefox/addon/ui-enhancer/).
Summary: crash in DrawingContext::CreateLinearGradientBrush → crash in DrawingContext::CreateLinearGradientBrush mainly with Location Bar Enhancer

Comment 4

5 years ago
It's the #2 top browser crasher in the first hours of 16.0b4.

Correlations confirm my manual check:
     83% (59/71) vs.   0% (84/55717) UIEnhancer@girishsharma
tracking-firefox16: --- → ?
Keywords: topcrash

Comment 5

5 years ago
Build Identifier:
http://hg.mozilla.org/releases/mozilla-beta/rev/c3be659f6121
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 ID:20120919065210

bp-5fb9d795-a5a0-4cdf-9d71-15d352120923

Steps to Reproduce:
 1. Start Firefox 16Beta4 with clean profile
 2. Open http://mlb.mlb.com/mlb/scoreboard/index.jsp
 3. Mouse over SCHEDULE at the top and wait to expand the menu
 4. Move mouse pointer to the left (i.e. mouse over STANDINGS)

Actual results:
 Browser crashes
Keywords: reproducible

Comment 6

5 years ago
Regression window (mozilla-beta tinderbox build)
Good:
http://hg.mozilla.org/releases/mozilla-beta/rev/cdd04249a313
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120911 Firefox/16.0 ID:20120918100658
Crashes:
http://hg.mozilla.org/releases/mozilla-beta/rev/fc24961171a3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20120912 Firefox/16.0 ID:20120918105357
Pushlog:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=cdd04249a313&tochange=fc24961171a3

Triggered by:
c24961171a3	Benoit Girard — Backout 461c9816a3be (bug 779399) for bug 787947 graphics corruption regression. r=backout a=akeybl
Blocks: 787947

Updated

5 years ago
No longer blocks: 768775

Comment 7

5 years ago
Hey Benoit - can you look at this given the fact that your backout appears to be the regressing bug? It'd be good to understand why we didn't see this topcrash previously, when bug 779399 originally landed.
Assignee: nobody → bgirard
tracking-firefox16: ? → +
Unfortunately I can't reproduce the crash following those instructions, in a debug build I made.

Alice, can you reproduce this in a debug build? If so, are you able to attach a Visual C++ debugger and get information out of the crashing process? If so, it would be great if you could get a complete crash stack from the debugger, and if possible the values of parameters and local variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of 'num_stops' and the contents of the 'stops' array (obtained by Quick Evaluate "stops,6") and p1 and p2 would be extra valuable.

Comment 9

5 years ago
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #8)
> Unfortunately I can't reproduce the crash following those instructions, in a
> debug build I made.
> 
> Alice, can you reproduce this in a debug build? If so, are you able to
> attach a Visual C++ debugger and get information out of the crashing
> process? If so, it would be great if you could get a complete crash stack
> from the debugger, and if possible the values of parameters and local
> variables in cairo. In _cairo_d2d_create_linear_gradient_brush, the value of
> 'num_stops' and the contents of the 'stops' array (obtained by Quick
> Evaluate "stops,6") and p1 and p2 would be extra valuable.

I cannot reproduce in the following debug build yet, because the debug build is too slooooooow for some reason.
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-09-24-mozilla-beta-debug/firefox-16.0.en-US.debug-win32.installer.exe

FYI, it is slightly more difficult to reproduce in 16Beta4 than in 16Beta3.
bp-955d9a41-d2d0-410f-bdf3-207f72120924
After step 4 in comment #5, move the mouse pointer around over the top menus [SCOREBOARD ... TEAMS] for a while.
Great, I can reproduce in an opt build. Thanks a ton.
Created attachment 664470 [details] [diff] [review]
fix

This affects all branches but is less important where Azure is enabled (i.e. everything except beta)
Assignee: bgirard → roc
Attachment #664470 - Flags: review?(bas.schouten)
This patch is really safe. We just back off an optimization slightly.
Comment on attachment 664470 [details] [diff] [review]
fix

Review of attachment 664470 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/cairo/cairo/src/cairo-d2d-surface.cpp
@@ +1,4 @@
>  /* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */
>  /* Cairo - a vector graphics library with display and print output
>   *
> + * Copyright � 2010 Mozilla Foundation
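Review bot: The added copyright line at the top of cairo-d2d-surface.cpp contains a non-ASCII character that is not rendering as a copyright sign here, so confirm the patch does not change the file's encoding. A license header edit is also unrelated to a crash fix and is better left out of this change.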

Bugzilla seems to think something weird happened to the copyright character..

@@ +1632,5 @@
>  	num_stops *= (after_repeat + before_repeat);
> +    if (num_stops == 0) {
> +      fprintf(stderr, "num_stops == 0: max_dist=%f, min_dist=%f, after_repeat=%d, before_repeat=%d\n",
> +              max_dist, min_dist, after_repeat, before_repeat);
> +    }
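Review bot: The `num_stops == 0` block added after `num_stops *= (after_repeat + before_repeat);` only prints to stderr and, as far as this hunk shows, execution then continues with zero stops, so it reports the condition without handling it. If the rest of the patch makes this state impossible, drop the fprintf or replace it with an assertion; if it can still occur, return early instead of only logging. The block is also indented with spaces while the line above it uses a tab.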

nit: Indent here is off, also, shouldn't this be unreachable now?
Attachment #664470 - Flags: review?(bas.schouten) → review+
I'll take those hunks out.
https://hg.mozilla.org/releases/mozilla-beta/rev/7c0af9b7ed61
https://hg.mozilla.org/releases/mozilla-aurora/rev/1ae0273dc1d2

I'll check in on inbound tonight when it's quieter.
status-firefox16: --- → fixed
status-firefox17: --- → fixed
Oh my, it's not my add-on's fault, right?
Can I do something to prevent it?
(In reply to Girish Sharma [:Optimizer] from comment #16)
> Oh my, it's not my add-on's fault, right?
> Can I do something to prevent it?

It's not your fault.

This bug should not end up in any shipping Firefox release; we caught it in time.
https://hg.mozilla.org/integration/mozilla-inbound/rev/55ccbc8d52e6
https://hg.mozilla.org/mozilla-central/rev/55ccbc8d52e6
https://hg.mozilla.org/mozilla-central/rev/71192a9431a7
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla18

Updated

5 years ago
Attachment #664470 - Flags: approval-mozilla-beta+
Attachment #664470 - Flags: approval-mozilla-aurora+
Keywords: verifyme

Comment 20

5 years ago
https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=DrawingContext%3A%3ACreateLinearGradientBrush%28D2D1_LINEAR_GRADIENT_BRUSH_PROPERTIES%20const%2A%2C%20D2D1_BRUSH_PROPERTIES%20const%2A%2C%20ID2D1GradientStopCollection%2A%2C%20ID2D1LinearGradientBrush%2A%2A%29

This crash only appears once in Socorro in the last 4 weeks, but there it has a different stack trace.
status-firefox17: fixed → verified

Updated

5 years ago
QA Contact: ioana.budnar

Comment 21

5 years ago
(In reply to Ioana Budnar [QA] from comment #20)
> This crash only appears once in Socorro in the last 4 weeks, but there it
> has a different stack trace.

In builds post-fix.
mass remove verifyme requests greater than 4 months old
Keywords: verifyme