Closed Bug 795234 Opened 7 years ago Closed 7 years ago

crash in _pixman_implementation_fill

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla18

Tracking Flags:

Tracking

Status

firefox17

---

unaffected

firefox18

fixed

firefox-esr10

---

unaffected

People

(Reporter: scoobidiver, Assigned: blassey)

References

Details

(5 keywords, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

patch 7 years ago Brad Lassey [:blassey] (use needinfo?) 2.04 KB, patch	snorp : review+	Details \| Diff \| Splinter Review

Scoobidiver (away)

Reporter

Description

•

7 years ago

It's similar to bug 711852 that happened from time to time.
This one spiked from 18.0a1/20120927030539. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca4af4af5334&tochange=b038e9e2023f

Signature 	libxul.so@0xc8eee8 | arm_neon_fill More Reports Search
UUID	518be21b-a997-4ac1-8e68-e14142120928
Date Processed	2012-09-28 07:07:57
Uptime	15
Last Crash	23 seconds before submission
Install Age	15.7 hours since version was first installed.
Install Time	2012-09-27 15:26:20
Product	FennecAndroid
Version	18.0a1
Build ID	20120927030539
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 2.6.39.4-00003-gafee6c5 #1 SMP PREEMPT Mon Jun 4 19:59:08 CST 2012 armv7l asus/JP_epad/TF300T:4.0.3/IML74K/JP_epad-9.4.3.30-20120604:user/release-keys
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x64311800
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra 3 -- OpenGL ES 2.0 14.01002 -- Model: ASUS Pad TF300T, Product: JP_epad, Manufacturer: asus, Hardware: cardhu'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
asus ASUS Pad TF300T
asus/JP_epad/TF300T:4.0.3/IML74K/JP_epad-9.4.3.30-20120604:user/release-keys
Processor Notes 	This dump is too long and has triggered the automatic truncation routine
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra 3
Device	asus ASUS Pad TF300T
Android API Version	15 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	libxul.so 	libxul.so@0xc8eee8 	
1 	libxul.so 	arm_neon_fill 	pixman-arm-neon.c:226
2 	libxul.so 	_pixman_implementation_fill 	pixman-implementation.c:182
3 	libxul.so 	delegate_fill 	pixman-implementation.c:62
4 	libxul.so 	_pixman_implementation_fill 	pixman-implementation.c:182
5 	libxul.so 	_moz_pixman_fill 	pixman.c:772
6 	libxul.so 	_clip_and_composite_boxes 	cairo-image-surface.c:2938
7 	libxul.so 	_cairo_image_surface_paint 	cairo-image-surface.c:3290
8 	libxul.so 	_cairo_surface_paint 	cairo-surface.c:2109
9 	libxul.so 	_cairo_gstate_fill 	cairo-gstate.c:1285
10 	libxul.so 	_moz_cairo_fill_preserve 	cairo.c:2459
11 	libxul.so 	gfxContext::Fill 	gfxContext.cpp:308
12 	libxul.so 	nsRenderingContext::FillRect 	nsRenderingContext.cpp:332
13 	libxul.so 	nsDisplayCanvasBackground::Paint 	nsCanvasFrame.cpp:207
14 	libxul.so 	mozilla::FrameLayerBuilder::DrawThebesLayer 	FrameLayerBuilder.cpp:3020
15 	libxul.so 	mozilla::layers::BasicThebesLayer::PaintThebes 	BasicThebesLayer.cpp:139
16 	libxul.so 	mozilla::layers::BasicLayerManager::PaintSelfOrChildren 	BasicLayerManager.cpp:825
17 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	BasicLayerManager.cpp:944
18 	libxul.so 	mozilla::layers::BasicLayerManager::PaintSelfOrChildren 	BasicLayerManager.cpp:840
19 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	BasicLayerManager.cpp:944
20 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	BasicLayerManager.cpp:588
21 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransaction 	BasicLayerManager.cpp:509
22 	libxul.so 	nsDisplayList::PaintForFrame 	nsDisplayList.cpp:1068
23 	libxul.so 	nsDisplayList::PaintRoot 	nsDisplayList.cpp:956
24 	libxul.so 	nsLayoutUtils::PaintFrame 	nsLayoutUtils.cpp:1743
25 	libxul.so 	PresShell::RenderDocument 	nsPresShell.cpp:4361
26 	libxul.so 	mozilla::AndroidBridge::TakeScreenshot 	AndroidBridge.cpp:2495
27 	libxul.so 	ScreenshotRunnable::Run 	nsAppShell.cpp:89 
...

More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&query_search=signature&query_type=contains&query=arm_neon_fill&do_query=1

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Scoobidiver (away)

Reporter

Comment 1

•

7 years ago

More reports also at: https://crash-stats.mozilla.com/report/list?signature=fast_path_fill

It might be a regression from bug 794200.

Summary: crash in arm_neon_fill → crash in _pixman_implementation_fill

Scoobidiver (away)

Reporter

Comment 2

•

7 years ago

With combined signatures, it's #3 top crasher over the last 3 days.

tracking-fennec: --- → ?

tracking-firefox18: --- → ?

Keywords: topcrash

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Blocks: 711852

Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.so@0xc8af7c | fast_composite_scaled_bilin…

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Duplicate of this bug: 796175

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Crash Signature: arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.so@0xc8af7c | fast_composite_scaled_bilin… → arm_neon_fill] [@ libxul.so@0xc9dbc4 | arm_neon_fill] [@ libxul.so@0xc9fc70 | arm_neon_fill] [@ libxul.so@0xca2030 | arm_neon_fill] [@ libxul.so@0xc9eee4 | neon_composite_over_n_8_0565] [@ libxul.so@0xc8b1f8 | neon_composite_over_n_0565] [@ libxul.s…

Aaron Train [:aaronmt]

Updated

•

7 years ago

status-firefox18: --- → affected

Scoobidiver (away)

Reporter

Comment 4

•

7 years ago

STR are in bug 796175.

Keywords: reproducible

Mark Finkle (:mfinkle) (use needinfo?)

Comment 5

•

7 years ago

Joe - Got anyone to take a look?

Brad Lassey [:blassey] (use needinfo?)

Assignee

Comment 6

•

7 years ago

Attached patch patch — Details — Splinter Review

Looks like we're crashing because we're trying to draw the screenshot to a buffer that's already been freed

Assignee: nobody → blassey.bugs

Attachment #667338 - Flags: review?(snorp)

Scoobidiver (away)

Reporter

Updated

•

7 years ago

James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)

Updated

•

7 years ago

Attachment #667338 - Flags: review?(snorp) → review+

bhavana bajaj [:bajaj]

Updated

•

7 years ago

tracking-firefox18: ? → +

Ryan VanderMeulen [:RyanVM]

Comment 7

•

7 years ago

https://hg.mozilla.org/mozilla-central/rev/28d3d693e8ba

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox18: affected → fixed

Flags: in-testsuite?

Resolution: --- → FIXED

Target Milestone: --- → mozilla18

Scoobidiver (away)

Reporter

Updated

•

7 years ago

Naoki Hirata :nhirata (please use needinfo instead of cc)

Comment 8

•

7 years ago

Looks like a 18 only crash.

Daniel Veditz [:dveditz] OOO until Sept 23

Updated

•

7 years ago

status-firefox-esr10: --- → unaffected

status-firefox17: --- → unaffected

Keywords: sec-critical

Nobody; OK to take it and work on it

Updated

•

6 years ago

tracking-fennec: ? → ---

You need to log in before you can comment on or make changes to this bug.

Bugzilla

crash in _pixman_implementation_fill

Categories

(Core :: Graphics, defect, critical)

Tracking

()

People

(Reporter: scoobidiver, Assigned: blassey)

References

Details

(5 keywords, Whiteboard: [native-crash])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Updated

Updated

Updated

Updated

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Updated

Comment 7

Updated

Comment 8

Updated

Updated