Closed Bug 795234 Opened 7 years ago Closed 7 years ago

crash in _pixman_implementation_fill

Categories

(Core :: Graphics, defect, critical)

18 Branch
ARM
Android
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla18
Tracking Status
firefox17 --- unaffected
firefox18 + fixed
firefox-esr10 --- unaffected

People

(Reporter: scoobidiver, Assigned: blassey)

Details

(5 keywords, Whiteboard: [native-crash])

Attachments

(1 file)

It's similar to bug 711852 that happened from time to time.
This one spiked from 18.0a1/20120927030539. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca4af4af5334&tochange=b038e9e2023f

Signature 	libxul.so@0xc8eee8 | arm_neon_fill
UUID	518be21b-a997-4ac1-8e68-e14142120928
Date Processed	2012-09-28 07:07:57
Uptime	15
Last Crash	23 seconds before submission
Install Age	15.7 hours since version was first installed.
Install Time	2012-09-27 15:26:20
Product	FennecAndroid
Version	18.0a1
Build ID	20120927030539
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 2.6.39.4-00003-gafee6c5 #1 SMP PREEMPT Mon Jun 4 19:59:08 CST 2012 armv7l asus/JP_epad/TF300T:4.0.3/IML74K/JP_epad-9.4.3.30-20120604:user/release-keys
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x64311800
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra 3 -- OpenGL ES 2.0 14.01002 -- Model: ASUS Pad TF300T, Product: JP_epad, Manufacturer: asus, Hardware: cardhu'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
asus ASUS Pad TF300T
asus/JP_epad/TF300T:4.0.3/IML74K/JP_epad-9.4.3.30-20120604:user/release-keys
Processor Notes 	This dump is too long and has triggered the automatic truncation routine
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra 3
Device	asus ASUS Pad TF300T
Android API Version	15 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	libxul.so 	libxul.so@0xc8eee8 	
1 	libxul.so 	arm_neon_fill 	pixman-arm-neon.c:226
2 	libxul.so 	_pixman_implementation_fill 	pixman-implementation.c:182
3 	libxul.so 	delegate_fill 	pixman-implementation.c:62
4 	libxul.so 	_pixman_implementation_fill 	pixman-implementation.c:182
5 	libxul.so 	_moz_pixman_fill 	pixman.c:772
6 	libxul.so 	_clip_and_composite_boxes 	cairo-image-surface.c:2938
7 	libxul.so 	_cairo_image_surface_paint 	cairo-image-surface.c:3290
8 	libxul.so 	_cairo_surface_paint 	cairo-surface.c:2109
9 	libxul.so 	_cairo_gstate_fill 	cairo-gstate.c:1285
10 	libxul.so 	_moz_cairo_fill_preserve 	cairo.c:2459
11 	libxul.so 	gfxContext::Fill 	gfxContext.cpp:308
12 	libxul.so 	nsRenderingContext::FillRect 	nsRenderingContext.cpp:332
13 	libxul.so 	nsDisplayCanvasBackground::Paint 	nsCanvasFrame.cpp:207
14 	libxul.so 	mozilla::FrameLayerBuilder::DrawThebesLayer 	FrameLayerBuilder.cpp:3020
15 	libxul.so 	mozilla::layers::BasicThebesLayer::PaintThebes 	BasicThebesLayer.cpp:139
16 	libxul.so 	mozilla::layers::BasicLayerManager::PaintSelfOrChildren 	BasicLayerManager.cpp:825
17 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	BasicLayerManager.cpp:944
18 	libxul.so 	mozilla::layers::BasicLayerManager::PaintSelfOrChildren 	BasicLayerManager.cpp:840
19 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	BasicLayerManager.cpp:944
20 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	BasicLayerManager.cpp:588
21 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransaction 	BasicLayerManager.cpp:509
22 	libxul.so 	nsDisplayList::PaintForFrame 	nsDisplayList.cpp:1068
23 	libxul.so 	nsDisplayList::PaintRoot 	nsDisplayList.cpp:956
24 	libxul.so 	nsLayoutUtils::PaintFrame 	nsLayoutUtils.cpp:1743
25 	libxul.so 	PresShell::RenderDocument 	nsPresShell.cpp:4361
26 	libxul.so 	mozilla::AndroidBridge::TakeScreenshot 	AndroidBridge.cpp:2495
27 	libxul.so 	ScreenshotRunnable::Run 	nsAppShell.cpp:89 
...

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&query_search=signature&query_type=contains&query=arm_neon_fill&do_query=1
Crash Signature: [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] → [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] [@ libxul.so@0xc90ce8 | arm_neon_fill]
More reports also at: https://crash-stats.mozilla.com/report/list?signature=fast_path_fill

It might be a regression from bug 794200.
Crash Signature: [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] [@ libxul.so@0xc90ce8 | arm_neon_fill] → [@ fast_path_fill ] [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] [@ libxul.so@0xc90ce8 | arm_neon_fill]
Summary: crash in arm_neon_fill → crash in _pixman_implementation_fill
With combined signatures, it's #3 top crasher over the last 3 days.
tracking-fennec: --- → ?
Keywords: topcrash
Crash Signature: [@ fast_path_fill ] [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] [@ libxul.so@0xc90ce8 | arm_neon_fill] → [@ fast_path_fill ] [@ libxul.so@0xc8eee8 | arm_neon_fill] [@ libxul.so@0xc8ece8 | arm_neon_fill] [@ libxul.so@0xc8edac | arm_neon_fill] [@ libxul.so@0xc8eec8 | arm_neon_fill] [@ libxul.so@0xc90ce8 | arm_neon_fill] [@ libxul.so@0xc9dbf0 | arm_neon_…
Blocks: 711852
Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.so@0xc8af7c | fast_composite_scaled_bilin…
Duplicate of this bug: 796175
Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.so@0xc8af7c | fast_composite_scaled_bilin… → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.s…
STR are in bug 796175.
Keywords: reproducible
Joe - Got anyone to take a look?
Attached patch: patch
Looks like we're crashing because we're trying to draw the screenshot to a buffer that's already been freed.
Assignee: nobody → blassey.bugs
Attachment #667338 - Flags: review?(snorp)
Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.s… → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xca3d70 | arm_neon_fill] [@ libxul.so@0xca3d44 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_…
Attachment #667338 - Flags: review?(snorp) → review+
https://hg.mozilla.org/mozilla-central/rev/28d3d693e8ba
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xca3d70 | arm_neon_fill] [@ libxul.so@0xca3d44 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_… → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xca3d70 | arm_neon_fill ] [@ libxul.so@0xca3d44 | arm_neon_fill ] [@ libxul.so@0xca3970 | arm_neon_fill…
Looks like an 18-only crash.
tracking-fennec: ? → ---