Closed Bug 916704 Opened 6 years ago Closed 6 years ago

Intermittent layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | application crashed [@ mozilla::SVGTextContextPaint::Paint::GetPattern(float,nsStyleSVGPaint nsStyleSVG::*,gfxMatrix const &)]

Categories

(Core :: SVG, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla27
Tracking Status
firefox25 --- wontfix
firefox26 --- fixed
firefox27 --- fixed
firefox-esr24 --- wontfix

People

(Reporter: cbook, Assigned: heycam)

References

()

Details

(Keywords: crash, intermittent-failure)

Crash Data

Attachments

(1 file, 1 obsolete file)

Windows XP 32-bit fx-team opt test reftest on 2013-09-15 09:18:45 PDT for push de540bd0137e

slave: t-xp32-ix-039

https://tbpl.mozilla.org/php/getParsedLog.php?id=27902045&tree=Fx-Team

TEST-UNEXPECTED-FAIL | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | Exited with code -1073741819 during test run

WARNING -  PROCESS-CRASH | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | application crashed [@ mozilla::SVGTextContextPaint::Paint::GetPattern(float,nsStyleSVGPaint nsStyleSVG::*,gfxMatrix const &)]
09:34:01     INFO -  Crash dump filename: c:\docume~1\cltbld~1.t-x\locals~1\temp\tmpssrapg.mozrunner\minidumps\7368c061-16af-47a8-92e0-15c3f9449b3d.dmp
09:34:01     INFO -  Operating system: Windows NT
09:34:01     INFO -                    5.1.2600 Service Pack 3
09:34:01     INFO -  CPU: x86
09:34:01     INFO -       GenuineIntel family 6 model 30 stepping 5
09:34:01     INFO -       8 CPUs
09:34:01     INFO -  Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
09:34:01     INFO -  Crash address: 0xd
09:34:01     INFO -  Thread 0 (crashed)
09:34:01     INFO -   0  xul.dll!mozilla::SVGTextContextPaint::Paint::GetPattern(float,nsStyleSVGPaint nsStyleSVG::*,gfxMatrix const &) [nsSVGGlyphFrame.cpp:de540bd0137e : 1124 + 0x5]
09:34:01     INFO -      eip = 0x023eec88   esp = 0x0012c2b0   ebp = 0x0012c42c   ebx = 0x05f55490
09:34:01     INFO -      esi = 0x05f553e0   edi = 0x00000000   eax = 0x00000000   ecx = 0x0000000d
09:34:01     INFO -      edx = 0x0012c438   efl = 0x00210246
09:34:01     INFO -      Found by: given as instruction pointer in context
09:34:01     INFO -   1  xul.dll!mozilla::SVGTextContextPaint::GetStrokePattern(float,gfxMatrix const &) [nsSVGGlyphFrame.cpp:de540bd0137e : 1091 + 0x19]
09:34:01     INFO -      eip = 0x023eeed2   esp = 0x0012c434   ebp = 0x0012c444
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   2  xul.dll!nsSVGUtils::SetupContextPaint(gfxContext *,gfxTextContextPaint *,nsStyleSVGPaint const &,float) [nsSVGUtils.cpp:de540bd0137e : 1503 + 0x1e]
09:34:01     INFO -      eip = 0x02400298   esp = 0x0012c44c   ebp = 0x0012c4c4
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   3  xul.dll!nsSVGUtils::SetupCairoStrokePaint(nsIFrame *,gfxContext *,gfxTextContextPaint *) [nsSVGUtils.cpp:de540bd0137e : 1571 + 0x12]
09:34:01     INFO -      eip = 0x02400aca   esp = 0x0012c4cc   ebp = 0x0012c4e8
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   4  xul.dll!nsSVGPathGeometryFrame::Render(nsRenderingContext *,unsigned int,nsIFrame *) [nsSVGPathGeometryFrame.cpp:de540bd0137e : 622 + 0xd]
09:34:01     INFO -      eip = 0x023f6008   esp = 0x0012c4f0   ebp = 0x0012c538
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   5  xul.dll!nsSVGPathGeometryFrame::PaintSVG(nsRenderingContext *,nsIntRect const *,nsIFrame *) [nsSVGPathGeometryFrame.cpp:de540bd0137e : 199 + 0xe]
09:34:01     INFO -      eip = 0x023f6433   esp = 0x0012c540   ebp = 0x0012c554
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   6  xul.dll!nsSVGUtils::PaintSVGGlyph(mozilla::dom::Element *,gfxContext *,gfxFont::DrawMode,gfxTextContextPaint *) [nsSVGUtils.cpp:de540bd0137e : 1846 + 0xc]
09:34:01     INFO -      eip = 0x02400563   esp = 0x0012c55c   ebp = 0x0012c5a0
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   7  xul.dll!gfxSVGGlyphs::RenderGlyph(gfxContext *,unsigned int,gfxFont::DrawMode,gfxTextContextPaint *) [gfxSVGGlyphs.cpp:de540bd0137e : 233 + 0xc]
09:34:01     INFO -      eip = 0x02930e63   esp = 0x0012c5a8   ebp = 0x0012c5c4
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   8  xul.dll!gfxFont::RenderSVGGlyph(gfxContext *,gfxPoint,gfxFont::DrawMode,unsigned int,gfxTextContextPaint *) [gfxFont.cpp:de540bd0137e : 2865 + 0x14]
09:34:01     INFO -      eip = 0x0291e197   esp = 0x0012c5cc   ebp = 0x0012c638
09:34:01     INFO -      Found by: call frame info
09:34:01     INFO -   9  xul.dll!gfxFont::RenderSVGGlyph(gfxContext *,gfxPoint,gfxFont::DrawMode,unsigned int,gfxTextContextPaint *,gfxTextRunDrawCallbacks *,bool &) [gfxFont.cpp:de540bd0137e : 2882 + 0x1f]
Severity: normal → critical
Summary: Intermittent TEST-UNEXPECTED-FAIL |layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | Exited with code -1073741819 during test run | application crashed [@ mozilla::SVGTextContextPaint::Paint::GetPattern(float,nsStyleSVGPaint nsStyleSVG::*,gfxMat → Intermittent layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | application crashed [@ mozilla::SVGTextContextPaint::Paint::GetPattern(float,nsStyleSVGPaint nsStyleSVG::*,gfxMatrix const &)]
I stuck some debugging output in https://hg.mozilla.org/try/rev/59662dc736c9 and got this:

15:37:46     INFO -  REFTEST TEST-START | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg
15:37:46     INFO -  REFTEST TEST-LOAD | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | 9402 / 9933 (94%)
15:37:46     INFO -  aContextPaint = 05E87140
15:37:46     INFO -  aContext->CurrentMatrix() = 00159D38
15:37:46     INFO -  REFTEST TEST-LOAD | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server-ref.svg | 9402 / 9933 (94%)
15:37:46     INFO -  aContextPaint = 05E873E0
15:37:46     INFO -  aContext->CurrentMatrix() = 0015BF18
15:37:46     INFO -  mPaintDefinition.mPaintServerFrame = 0000000D
15:37:46     INFO -  mFrame = 000D0001
15:37:48  WARNING -  TEST-UNEXPECTED-FAIL | file:///C:/slave/test/build/tests/reftest/tests/layout/reftests/text-svgglyphs/svg-glyph-paint-server.svg | Exited with code -1073741819 during test run

https://tbpl.mozilla.org/php/getParsedLog.php?id=28248486&tree=Try&full=1#error0

Not sure yet whether the mozilla::SVGTextContextPaint::Paint* we're calling GetStrokePattern on is a bad pointer, we haven't initialized the object, or what.
Not sure if it's the issue yet, but sometimes we don't initialize SVGTextContextPaint::Paint::mPaintType, e.g. we can create a new SVGTextContextPaint object in https://hg.mozilla.org/mozilla-central/file/1fda74e33e06/layout/svg/nsSVGTextFrame2.cpp#l5389 and https://hg.mozilla.org/mozilla-central/file/1fda74e33e06/layout/svg/nsSVGGlyphFrame.cpp#l930 but if SetupCairo{Fill,Stroke} don't do anything, we still set the uninitialized SVGTextContextPaint object on the gfxContext.
Attached patch patch (obsolete) — Splinter Review
I think this might have solved it.  I couldn't get a failure after 20 runs: https://tbpl.mozilla.org/?tree=Try&rev=3503abe1c417
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #809134 - Flags: review?(longsonr)
Isn't the issue actually this line?

http://mxr.mozilla.org/mozilla-central/source/layout/svg/nsSVGTextFrame2.cpp#3534

where the caller should check the return value and then only do something if it's non zero.

Here's the old equivalent...

http://mxr.mozilla.org/mozilla-central/source/layout/svg/nsSVGGlyphFrame.cpp#423
I think you're right that we should be checking the DrawMode result there and skipping painting.  Still, I tried this change:

  https://hg.mozilla.org/try/rev/51efa8c8c68f

and still got the assertion:

  https://tbpl.mozilla.org/?tree=Try&rev=34cefb205039
Attached patch patch v2Splinter Review
So I think we should do both.  I'll trigger another bunch of try runs with this patch.
Attachment #809134 - Attachment is obsolete: true
Attachment #809134 - Flags: review?(longsonr)
Attachment #809631 - Flags: review?(longsonr)
Attachment #809631 - Flags: review?(longsonr) → review+
https://hg.mozilla.org/mozilla-central/rev/28c74ba68af3
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Should this be uplifted to any of the release branches (I'm thinking Aurora maybe)? If so, please request :)
Flags: needinfo?(cam)
Comment on attachment 809631 [details] [diff] [review]
patch v2

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 655877 part 46
User impact if declined: occasional crashes when painting SVG text
Testing completed (on m-c, etc.): patched been on m-c for a couple of weeks, and random orange crashes have gone away
Risk to taking this patch (and alternatives if risky): low
String or IDL/UUID changes made by this patch: N/A
Attachment #809631 - Flags: approval-mozilla-aurora?
Flags: needinfo?(cam)
Attachment #809631 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.