crash in mozilla::gfx::BaseRect

VERIFIED FIXED in Firefox 19

Status

()

defect
--
critical
VERIFIED FIXED
7 years ago
7 years ago

People

(Reporter: scoobidiver, Assigned: jdm)

Tracking

({crash, regression, topcrash})

19 Branch
mozilla19
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox19+ fixed)

Details

(crash signature)

Attachments

(1 attachment)

It started spiking in 19.0a1/20121016 and is currently #1 top crasher in today's build. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=942ed5747b63&tochange=8f145599e4bf
It might be a regression from bug 801405.

Signature 	mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::Union(nsIntRect const&) More Reports Search
UUID	16d3e13c-1f64-4c9b-9b94-86d5c2121016
Date Processed	2012-10-16 14:20:25
Uptime	252
Last Crash	4.5 minutes before submission
Install Age	4.2 minutes since version was first installed.
Install Time	2012-10-16 14:15:44
Product	Firefox
Version	19.0a1
Build ID	20121016030544
Release Channel	nightly
OS	Windows NT
OS Version	6.2.9200
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x28
App Notes 	
Cisco VPN
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0102, AdapterSubsysID: 1494103c, AdapterDriverVersion: 9.17.10.2828
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0102
Total Virtual Memory	4294836224
Available Virtual Memory	3397189632
System Memory Use Percentage	59
Available Page File	2225999872
Available Physical Memory	1699692544

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::gfx::BaseRect<int,nsIntRect,nsIntPoint,nsIntSize,nsIntMargin>::Union 	obj-firefox/dist/include/mozilla/gfx/BaseRect.h:132
1 	xul.dll 	mozilla::image::Decoder::FlushInvalidations 	image/src/Decoder.cpp:151
2 	xul.dll 	mozilla::image::Decoder::PostFrameStop 	image/src/Decoder.cpp:235
3 	xul.dll 	mozilla::image::nsBMPDecoder::FinishInternal 	image/decoders/nsBMPDecoder.cpp:136
4 	xul.dll 	mozilla::image::nsICODecoder::FinishInternal 	image/decoders/nsICODecoder.cpp:90
5 	xul.dll 	mozilla::image::Decoder::Finish 	image/src/Decoder.cpp:88
6 	xul.dll 	mozilla::image::RasterImage::ShutdownDecoder 	image/src/RasterImage.cpp:2427
7 	xul.dll 	mozilla::image::RasterImage::~RasterImage 	image/src/RasterImage.cpp:280
8 	xul.dll 	mozilla::image::RasterImage::Release 	image/src/RasterImage.cpp:206
9 	xul.dll 	imgRequest::~imgRequest 	image/src/imgRequest.cpp:107
10 	xul.dll 	imgRequest::`scalar deleting destructor' 	
11 	xul.dll 	imgRequest::Release 	image/src/imgRequest.cpp:78
12 	xul.dll 	imgRequestProxy::`scalar deleting destructor' 	
13 	xul.dll 	imgRequestProxy::Release 	image/src/imgRequestProxy.cpp:29
14 	xul.dll 	nsImageBoxFrame::`vector deleting destructor' 	
15 	xul.dll 	nsFrame::DestroyFrom 	layout/generic/nsFrame.cpp:668
16 	xul.dll 	nsImageBoxFrame::DestroyFrom 	layout/xul/base/src/nsImageBoxFrame.cpp:178
17 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
18 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
19 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
20 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
21 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
22 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
23 	xul.dll 	nsBoxFrame::RemoveFrame 	layout/xul/base/src/nsBoxFrame.cpp:1011
24 	xul.dll 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:497
25 	xul.dll 	nsCSSFrameConstructor::ContentRemoved 	layout/base/nsCSSFrameConstructor.cpp:7593
26 	xul.dll 	nsCSSFrameConstructor::RecreateFramesForContent 	layout/base/nsCSSFrameConstructor.cpp:9390
27 	xul.dll 	nsCSSFrameConstructor::ProcessRestyledFrames 	layout/base/nsCSSFrameConstructor.cpp:8138
28 	xul.dll 	mozilla::css::RestyleTracker::DoProcessRestyles 	layout/base/RestyleTracker.cpp:209
29 	xul.dll 	nsCSSFrameConstructor::ProcessPendingRestyles 	layout/base/nsCSSFrameConstructor.cpp:12120
30 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3828
31 	xul.dll 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:383
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3ABaseRect%3Cint%2C+nsIntRect%2C+nsIntPoint%2C+nsIntSize%2C+nsIntMargin%3E%3A%3AUnion%28nsIntRect+const%26%29
Sigh.
Assignee: nobody → josh
Blocks: 801405
I'm a bit afraid of whack-a-mole problems here. Joe, my first instinct is to add a check for mFinishing in RasterImage::FrameUpdate; do you see any problems with that?
It seems like you could just make RasterImage's dtor delete the frames and mAnim after calling ShutdownDecoder instead of before.
Yes, I have a patch that does that, and it avoids the crashes that I can reproduce without it applied. I'm not trying to write an automated test.
I give up on trying to write a test.
Attachment #672048 - Flags: review?(joe)
Blocks: 802168
Attachment #672048 - Flags: review?(joe) → review+
There are about 1000 crashes per build. It would be fine to land it in m-c ASAP and rebuild.
https://hg.mozilla.org/mozilla-central/rev/f8e886802231
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Should this have a crashtest?
Flags: in-testsuite?
Crash Signature: [@ mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::Union(nsIntRect const&)] → [@ mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::Union(nsIntRect const&)] [@ mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::Union(nsIntRect const&) const]
OS: Windows 7 → All
Duplicate of this bug: 802624
No crashes on FF > 18 based on crash stats. I guess we can call this verified fixed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.