Closed
Bug 903722
Opened 11 years ago
Closed 11 years ago
pdf.js crash in CGGStackRestore() from CanvasRenderingContext2D::Restore()
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
| Tracking | Status | |
|---|---|---|
| firefox25 | --- | unaffected |
| firefox26 | --- | affected |
People
(Reporter: cpeterson, Assigned: gw280)
References
()
Details
(Keywords: crash, regression, reproducible, Whiteboard: [Shumway:P1])
Attachments
(1 file, 1 obsolete file)
|
924 bytes,
patch
|
bjacob
:
review+
|
Details | Diff | Splinter Review |
STR:
1. Open http://www.ebmud.com/sites/default/files/pdfs/2013-lafayette-recreation-area-fees.pdf
RESULT:
CRASH!
creating 1!
[TabChild] SHOW (w,h)= (10, 10)
loading about:blank, 1
Assertion failed: (s->stack->next != NULL), function CGGStackRestore, file Context/CGGStack.c, line 77.
[Child 1203] ###!!! ABORT: ActorDestroy by IPC channel failure at LayerTransactionChild: file ../../../../gfx/layers/ipc/LayerTransactionChild.cpp, line 83
###!!! [Child][AsyncChannel] Error: Channel error: cannot send/recv
Abort trap: 6
|
Reporter | |
Comment 1•11 years ago
|
||
Jeff, could this crash be a regression from Azure bug 897532?
This crash is a regression in Nightly 26 build 2013-08-09. Here is the pushlog from 08-08 to 08-09:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd4cf30428b0&tochange=e33c2011643e
Flags: needinfo?(jmuizelaar)
|
||
Comment 2•11 years ago
|
||
Crash ID from about:crashes please
Severity: normal → critical
Flags: needinfo?(cpeterson)
Keywords: stackwanted
Version: unspecified → 26 Branch
|
||
Comment 3•11 years ago
|
||
(In reply to Chris Peterson (:cpeterson) from comment #1)
> Jeff, could this crash be a regression from Azure bug 897532?
>
> This crash is a regression in Nightly 26 build 2013-08-09. Here is the
> pushlog from 08-08 to 08-09:
>
> https://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=fd4cf30428b0&tochange=e33c2011643e
That bug has been backed out. So you should see if it still crashes.
Flags: needinfo?(jmuizelaar)
|
|
Reporter | |
Comment 4•11 years ago
|
||
I can still repro this crash in build 2013-08-09, so this crash is not a regression from bug 897532.
I don't have a Crash ID because this crash is caught by Apple's crash reporter, not Firefox's. But here is the stack trace from Apple's crash reporter:
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Application Specific Information:
Assertion failed: (s->stack->next != NULL), function CGGStackRestore, file Context/CGGStack.c, line 77.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff880bd212 __pthread_kill + 10
1 libsystem_c.dylib 0x00007fff8cc7db54 pthread_kill + 90
2 libsystem_c.dylib 0x00007fff8ccc1dce abort + 143
3 libsystem_c.dylib 0x00007fff8ccc2e2a __assert_rtn + 146
4 com.apple.CoreGraphics 0x00007fff86237b78 CGGStackRestore + 145
5 com.apple.CoreGraphics 0x00007fff86237abe CGContextRestoreGState + 32
6 XUL 0x0000000101a058f0 mozilla::dom::CanvasRenderingContext2D::Restore() + 176
7 XUL 0x0000000102586ad1 mozilla::dom::CanvasRenderingContext2DBinding::restore(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) + 17
8 XUL 0x0000000102580df5 mozilla::dom::CanvasRenderingContext2DBinding::genericMethod(JSContext*, unsigned int, JS::Value*) + 469
9 ??? 0x000000010f9e4705 0 + 4556998405
10 ??? 0x00000001389fb088 0 + 5244956808
11 ??? 0x00000001007cd5f9 0 + 4303148537
12 XUL 0x00000001033dc8fe EnterBaseline(JSContext*, js::ion::EnterJitData&) + 206
13 XUL 0x00000001033dc7db js::ion::EnterBaselineMethod(JSContext*, js::RunState&) + 171
14 XUL 0x00000001031aff92 js::RunScript(JSContext*, js::RunState&) + 178
15 XUL 0x00000001031b94d4 js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 1540
16 XUL 0x00000001032c133e js_fun_apply(JSContext*, unsigned int, JS::Value*) + 1358
17 ??? 0x0000000116ef235e 0 + 4679738206
Severity: critical → normal
Flags: needinfo?(cpeterson)
Version: 26 Branch → unspecified
|
|
||
Comment 6•11 years ago
|
||
The crash of comment 0 is a Graphics Layer bug, the one of comment 4 is a Canvas2D one.
I suspect bug 902103.
Severity: normal → critical
Keywords: regressionwindow-wanted,
stackwanted
Version: unspecified → 26 Branch
|
|
Reporter | |
Comment 7•11 years ago
|
||
Matt, I bisected archived mozilla-inbound builds and I believe this OSX crash is regression from these SkiaGL changes:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7abe5be6f8d2&tochange=5e519aedb9d1
Severity: critical → normal
Flags: needinfo?(matt.woodrow)
Version: 26 Branch → unspecified
|
|
Reporter | |
Updated•11 years ago
|
Summary: pdf.js crash: ABORT: ActorDestroy by IPC channel failure at gfx/layers/ipc/LayerTransactionChild.cpp → pdf.js crash in CGGStackRestore() from CanvasRenderingContext2D::Restore()
|
||
Comment 8•11 years ago
|
||
I think we're calling Demote() even without SkiaGL enabled. We only have the check inside an ifdef (which should be hit, because we're compiling with SkiaGL support), and don't have a runtime backend check.
This still shouldn't crash though, so I guess there's two bugs to be fixed here.
Flags: needinfo?(matt.woodrow) → needinfo?(snorp)
|
||
Comment 9•11 years ago
|
||
(In reply to Chris Peterson (:cpeterson) from comment #4)
> I don't have a Crash ID because this crash is caught by Apple's crash
> reporter, not Firefox's.
Breakpad misses this because of bug 717758.
|
|
||
Comment 10•11 years ago
|
||
I hit this reliably by loading
http://www.blackhat.com/docs/bh-us-12/sponsors/bh-us-13-recap12.pdf
|
||
Comment 12•11 years ago
|
||
This is making Shumway development close to impossible in Nightly: the browser crashes very quickly no matter what content I'm looking at in Shumway. (Note: I'm not sure, but it might have gotten worse recently, so there might be something aggravating it.)
Whiteboard: [Shumway:P1]
|
|
Reporter | |
Comment 13•11 years ago
|
||
snorp, needinfo poke! Your SkiaGL changes may have caused a 100% reproducible OSX crash for pdf.js:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7abe5be6f8d2&tochange=5e519aedb9d1
Flags: needinfo?(snorp)
|
||
Comment 14•11 years ago
|
||
The first bad revision is:
changeset: 141698:cf17bd948e44
user: George Wright <gw@gwright.org.uk>
date: Wed Jul 24 15:14:27 2013 -0400
files: content/canvas/src/CanvasRenderingContext2D.cpp
description:
Bug 897635 - Demote to software canvas if we use a non-standard composite mode r=mattwoodrow
|
||
Updated•11 years ago
|
Flags: needinfo?(gwright)
|
Assignee | |
Comment 15•11 years ago
|
||
We should look into why Demote() is causing it to crash, but we definitely only want to Demote() in the case of a Skia/GL canvas anyway. Doing it in any other case is a lot of wasted work.
Attachment #797954 -
Flags: review?(snorp)
Flags: needinfo?(gwright)
|
||
Updated•11 years ago
|
Attachment #797954 -
Flags: review?(snorp) → review+
|
|
Assignee | |
Comment 16•11 years ago
|
||
That last patch was complete rubbish. Let's try that again.
Attachment #797954 -
Attachment is obsolete: true
Attachment #799209 -
Flags: review?(bjacob)
|
||
Updated•11 years ago
|
Attachment #799209 -
Flags: review?(bjacob) → review+
|
|
Assignee | |
Comment 17•11 years ago
|
||
|
||
Comment 18•11 years ago
|
||
Assignee: nobody → gwright
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
|
|
||
Updated•11 years ago
|
Flags: needinfo?(snorp)
You need to log in
before you can comment on or make changes to this bug.
Description
•