Closed Bug 859718 Opened 12 years ago Closed 12 years ago

crash in mozilla::image::RasterImage::DecodePool::DecodeJob::Run @ mozilla::image::RasterImage::IsDecodeFinished

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Version:
23 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox22 + verified
firefox23 --- verified

People

(Reporter: scoobidiver, Assigned: seth)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 1 obsolete file)

Don't assume we have mImageRequest in RasterImage::IsDecodeFinished.
1.56 KB, patch
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
It first showed up in 23.0a1/20130405 then in 23.0a1/20130408. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c232bec6974d&tochange=55f9e3e3dae7 It's likely a regression from bug 854803. Bug 856602 may have partially fixed it. Signature mozilla::image::RasterImage::IsDecodeFinished() More Reports Search UUID c768c4e6-55ea-4340-a0b9-21b5d2130409 Date Processed 2013-04-09 06:12:40 Uptime 220 Last Crash 26.1 minutes before submission Install Age 25.8 minutes since version was first installed. Install Time 2013-04-09 05:46:28 Product Firefox Version 23.0a1 Build ID 20130408030928 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 58 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x24 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x0166, AdapterSubsysID: 056d1028, AdapterDriverVersion: 8.15.10.2696 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ Processor Notes sp-processor06.phx1.mozilla.com_9594:2008 EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x0166 Total Virtual Memory 2147352576 Available Virtual Memory 1643831296 System Memory Use Percentage 45 Available Page File 4168970240 Available Physical Memory 1541476352 Frame Module Signature Source 0 xul.dll mozilla::image::RasterImage::IsDecodeFinished image/src/RasterImage.cpp:3295 1 xul.dll mozilla::image::RasterImage::DecodePool::DecodeJob::Run image/src/RasterImage.cpp:3691 2 xul.dll nsThreadPool::Run xpcom/threads/nsThreadPool.cpp:194 3 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:627 4 xul.dll nsThread::ThreadFunc xpcom/threads/nsThread.cpp:265 5 nss3.dll _PR_NativeRunThread nsprpub/pr/src/threads/combined/pruthr.c:395 6 nss3.dll pr_root nsprpub/pr/src/md/windows/w95thred.c:90 7 msvcr100.dll _callthreadstartex f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314 8 msvcr100.dll _threadstartex f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292 9 kernel32.dll BaseThreadInitThunk 10 ntdll.dll __RtlUserThreadStart 11 ntdll.dll _RtlUserThreadStart More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Aimage%3A%3ARasterImage%3A%3AIsDecodeFinished%28%29
Blocks: 854803
Proposed patch.
Attachment #737031 - Flags: review?(joe)
Assignee: nobody → seth
22 may be affected soon, since we're tracking bug 854803
status-firefox22: unaffected → ---
tracking-firefox22: --- → +
(In reply to Alex Keybl [:akeybl] from comment #2) > 22 may be affected soon, since we're tracking bug 854803 Just don't uplift it without this patch. It's already ready to go. If you need me to arrange for the review to be fast-tracked just let me know.
I crashed at this webcam URL: http://cryptogasm.com/webcams/webcam.php?id=20507 https://crash-stats.mozilla.com/report/index/bp-4bb73f6a-4782-46fb-a165-02a232130413 Looks like we can also crash [@ mozilla::image::RasterImage::DecodePool::DecodeSomeOfImage(mozilla::image::RasterImage*, mozilla::image::RasterImage::DecodePool::DecodeType, unsigned int) ] : https://crash-stats.mozilla.com/report/index/bp-8418ba45-7413-4b7f-850f-a20312130413 (I hit these two crashes on the same page.)
Crash Signature: [@ mozilla::image::RasterImage::IsDecodeFinished()] → [@ mozilla::image::RasterImage::IsDecodeFinished()] [@ mozilla::image::RasterImage::DecodePool::DecodeSomeOfImage(mozilla::image::RasterImage*, mozilla::image::RasterImage::DecodePool::DecodeType, unsigned int) ]
Comment on attachment 737031 [details] [diff] [review] Don't assume we have mImageRequest in RasterImage::IsDecodeFinished. Review of attachment 737031 [details] [diff] [review]: ----------------------------------------------------------------- I believe this is correct after having reviewed bug 854803 too. ::: image/src/RasterImage.cpp @@ +3286,5 @@ > } > } else if (mDecoder->GetDecodeDone()) { > return true; > } > can you remove this erroneous whitespace too please
Attachment #737031 - Flags: review?(joe) → review+
Thanks for the review, Joe. Will post an updated patch shortly.
Removed the erroneous whitespace, making the world a tiny bit better. =)
Attachment #737031 - Attachment is obsolete: true
Try looks OK so we're just waiting on inbound to open.
https://hg.mozilla.org/mozilla-central/rev/eee1831a1094
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
This seems to have led to some Ts Paint regressions?
(In reply to Boris Zbarsky (:bz) from comment #12) > This seems to have led to some Ts Paint regressions? Pretty difficult for me to understand how since this patch just adds a null check. I notice that bug 861731 is also in the regression range. It seems like a more likely candidate to me.
Ack, hmm, I see there's another email where the regression range is narrowed down to this commit. I am puzzled as to how this could have any significant effect, since whenever behavior before and after this patch would differ, we should crash or assert.
I suspect that Bug 857876's patch makes the null check here unnecessary, although I haven't investigated deeply enough to be certain yet. My reasoning for asserting mDecodeRequest instead of explicitly null checking it is that decode requests should outlive their decoder. InitDecoder() creates a DecodeRequest if there isn't one, and the only places that mDecodeRequest is set to null (Discard() and OnNewSourceData()) assert !mDecoder. Assuming these invariants hold, it should be impossible to have a decoder but no decode request. My understanding is that this invariant was broken in the multipart stream case due to Bug 857876. I need to do some debugging to make sure my assumptions reflect reality; however, I won't have cycles to do that until this weekend.
That sounds reasonable. I'd prefer caution w.r.t. Aurora, so what I'm going to do is nominate this for uplift, and then we can remove the null check again on m-c once we confirm it's safe. (Note that it was confirmed elsewhere that the regression range mentioned above is wrong; this patch doesn't cause any performance regressions.)
Comment on attachment 737674 [details] [diff] [review] Don't assume we have mImageRequest in RasterImage::IsDecodeFinished. [Approval Request Comment] Bug caused by (feature/regressing bug #): 854803 User impact if declined: Potential crashes. Testing completed (on m-c, etc.): On m-c since 2013-04-16 with no issues. Risk to taking this patch (and alternatives if risky): Zero risk. Just adds a null check. String or IDL/UUID changes made by this patch: None.
Attachment #737674 - Flags: approval-mozilla-aurora?
Attachment #737674 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: verifyme
Not able to reproduce this issue on FF 23b1 on: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0 Build ID: 20130625125232 Here are the current stats for these signatures from Soccoro for last 2 weeks: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=mozilla%3A%3Aimage%3A%3ARasterImage%3A%3AIsDecodeFinished%28%29&reason_type=contains&date=06%2F26%2F2013%2009%3A17%3A48&range_value=2&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=mozilla%3A%3Aimage%3A%3ARasterImage%3A%3AIsDecodeFinished%28%29 https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=mozilla%3A%3Aimage%3A%3ARasterImage%3A%3ADecodePool%3A%3ADecodeSomeOfImage%28mozilla%3A%3Aimage%3A%3ARasterImage%2A%2C%20mozilla%3A%3Aimage%3A%3ARasterImage%3A%3ADecodePool%3A%3ADecodeType%2C%20unsigned%20int%29&reason_type=contains&date=06%2F26%2F2013%2009%3A18%3A32&range_value=2&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=mozilla%3A%3Aimage%3A%3ARasterImage%3A%3ADecodePool%3A%3ADecodeSomeOfImage%28mozilla%3A%3Aimage%3A%3ARasterImage%2A%2C%20mozilla%3A%3Aimage%3A%3ARasterImage%3A%3ADecodePool%3A%3ADecodeType%2C%20unsigned%20int%29 Not sure this is fix even if I was not able to reproduce this crash, as long there are still crashes on FF 22b5 and 22b6 on Soccoro.
Keywords: verifyme
Scoobidiver, can you please check to see if this is still a concern for Firefox 22 and 23?
Flags: needinfo?(scoobidiver)
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #20) > Scoobidiver, can you please check to see if this is still a concern for > Firefox 22 and 23? There have been 21 crashes for the last four weeks in fixed versions. It's likely some edge cases not handled by the patch but let's consider it as fixed according to the pre-patch crash volume.
Status: RESOLVED → VERIFIED
status-firefox22: fixedverified
status-firefox23: fixedverified
Flags: needinfo?(scoobidiver)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: