802144 - crash in mozilla::gfx::BaseRect

Status: VERIFIED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Scoobidiver (away)]

It started spiking in 19.0a1/20121016 and is currently #1 top crasher in today's build. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=942ed5747b63&tochange=8f145599e4bf
It might be a regression from bug 801405.

Signature 	mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::Union(nsIntRect const&) More Reports Search
UUID	16d3e13c-1f64-4c9b-9b94-86d5c2121016
Date Processed	2012-10-16 14:20:25
Uptime	252
Last Crash	4.5 minutes before submission
Install Age	4.2 minutes since version was first installed.
Install Time	2012-10-16 14:15:44
Product	Firefox
Version	19.0a1
Build ID	20121016030544
Release Channel	nightly
OS	Windows NT
OS Version	6.2.9200
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x28
App Notes 	
Cisco VPN
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0102, AdapterSubsysID: 1494103c, AdapterDriverVersion: 9.17.10.2828
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0102
Total Virtual Memory	4294836224
Available Virtual Memory	3397189632
System Memory Use Percentage	59
Available Page File	2225999872
Available Physical Memory	1699692544

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::gfx::BaseRect<int,nsIntRect,nsIntPoint,nsIntSize,nsIntMargin>::Union 	obj-firefox/dist/include/mozilla/gfx/BaseRect.h:132
1 	xul.dll 	mozilla::image::Decoder::FlushInvalidations 	image/src/Decoder.cpp:151
2 	xul.dll 	mozilla::image::Decoder::PostFrameStop 	image/src/Decoder.cpp:235
3 	xul.dll 	mozilla::image::nsBMPDecoder::FinishInternal 	image/decoders/nsBMPDecoder.cpp:136
4 	xul.dll 	mozilla::image::nsICODecoder::FinishInternal 	image/decoders/nsICODecoder.cpp:90
5 	xul.dll 	mozilla::image::Decoder::Finish 	image/src/Decoder.cpp:88
6 	xul.dll 	mozilla::image::RasterImage::ShutdownDecoder 	image/src/RasterImage.cpp:2427
7 	xul.dll 	mozilla::image::RasterImage::~RasterImage 	image/src/RasterImage.cpp:280
8 	xul.dll 	mozilla::image::RasterImage::Release 	image/src/RasterImage.cpp:206
9 	xul.dll 	imgRequest::~imgRequest 	image/src/imgRequest.cpp:107
10 	xul.dll 	imgRequest::`scalar deleting destructor' 	
11 	xul.dll 	imgRequest::Release 	image/src/imgRequest.cpp:78
12 	xul.dll 	imgRequestProxy::`scalar deleting destructor' 	
13 	xul.dll 	imgRequestProxy::Release 	image/src/imgRequestProxy.cpp:29
14 	xul.dll 	nsImageBoxFrame::`vector deleting destructor' 	
15 	xul.dll 	nsFrame::DestroyFrom 	layout/generic/nsFrame.cpp:668
16 	xul.dll 	nsImageBoxFrame::DestroyFrom 	layout/xul/base/src/nsImageBoxFrame.cpp:178
17 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
18 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
19 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
20 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
21 	xul.dll 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:217
22 	xul.dll 	nsBoxFrame::DestroyFrom 	layout/xul/base/src/nsBoxFrame.cpp:948
23 	xul.dll 	nsBoxFrame::RemoveFrame 	layout/xul/base/src/nsBoxFrame.cpp:1011
24 	xul.dll 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:497
25 	xul.dll 	nsCSSFrameConstructor::ContentRemoved 	layout/base/nsCSSFrameConstructor.cpp:7593
26 	xul.dll 	nsCSSFrameConstructor::RecreateFramesForContent 	layout/base/nsCSSFrameConstructor.cpp:9390
27 	xul.dll 	nsCSSFrameConstructor::ProcessRestyledFrames 	layout/base/nsCSSFrameConstructor.cpp:8138
28 	xul.dll 	mozilla::css::RestyleTracker::DoProcessRestyles 	layout/base/RestyleTracker.cpp:209
29 	xul.dll 	nsCSSFrameConstructor::ProcessPendingRestyles 	layout/base/nsCSSFrameConstructor.cpp:12120
30 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3828
31 	xul.dll 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:383
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3ABaseRect%3Cint%2C+nsIntRect%2C+nsIntPoint%2C+nsIntSize%2C+nsIntMargin%3E%3A%3AUnion%28nsIntRect+const%26%29

Comment 1

[Josh Matthews [:jdm]]

Sigh.

Comment 2

[Josh Matthews [:jdm]]

I'm a bit afraid of whack-a-mole problems here. Joe, my first instinct is to add a check for mFinishing in RasterImage::FrameUpdate; do you see any problems with that?

Comment 3

[Robert Lickenbrock [:rclick]]

It seems like you could just make RasterImage's dtor delete the frames and mAnim after calling ShutdownDecoder instead of before.

Comment 4

[Josh Matthews [:jdm]]

Yes, I have a patch that does that, and it avoids the crashes that I can reproduce without it applied. I'm not trying to write an automated test.

Comment 5

[Josh Matthews [:jdm]]

Attachment: Don't delete memory used for image frames while the decoder could still try to use it.

I give up on trying to write a test.

Comment 6

[Josh Matthews [:jdm]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/f8e886802231

Comment 7

[Scoobidiver (away)]

There are about 1000 crashes per build. It would be fine to land it in m-c ASAP and rebuild.

Comment 8

[(no longer active)]

https://hg.mozilla.org/mozilla-central/rev/f8e886802231

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Should this have a crashtest?

Comment 11

[Paul Silaghi, QA [:pauly]]

No crashes on FF > 18 based on crash stats. I guess we can call this verified fixed.

Comment 12

[Paul Silaghi, QA [:pauly]]

Actually there is 1 crash on FF 19b2 - https://crash-stats.mozilla.com/report/index/954d4cb5-d453-45fc-a09b-3a5932130119
Any thoughts?