923290 - Crashes [@ mozalloc_abort(char const*) | abort | mozilla::gfx::SourceSurfaceCGBitmapContext::SourceSurfaceCGBitmapContext(mozilla::gfx::DrawTargetCG*) ] on OS X

Status: VERIFIED FIXED

(Core :: Graphics, defect)

Description

[Steven Michaud [:smichaud] (Retired)]

There are lots of these, though only on OS X.

They started with the firefox-2013-10-01-03-02-04-mozilla-central build, which implies the following regression range:

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8f805d3ef377&tochange=6b92cb377496

I suspect the patch for bug 903296.

These crashes have *not* been fixed by the patch for bug 920571.

Comment 1

[Steven Michaud [:smichaud] (Retired)]

0 	libmozalloc.dylib 	mozalloc_abort(char const*) 	/builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/memory/mozalloc/../../../../memory/mozalloc/mozalloc_abort.cpp
1 	libmozalloc.dylib 	abort 	/builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/memory/mozalloc/../../../../memory/mozalloc/mozalloc_abort.cpp
2 	XUL 	mozilla::gfx::SourceSurfaceCGBitmapContext::SourceSurfaceCGBitmapContext(mozilla::gfx::DrawTargetCG*) 	/builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/gfx/2d/../../../../gfx/2d/SourceSurfaceCG.cpp
3 	XUL 	mozilla::gfx::DrawTargetCG::Snapshot() 	/builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/gfx/2d/../../../../gfx/2d/DrawTargetCG.cpp
4 	XUL 	gfxContext::PushGroupAndCopyBackground(gfxContentType) 	gfx/thebes/gfxContext.cpp
5 	XUL 	mozilla::layers::BasicLayerManager::PushGroupForLayer(gfxContext*, mozilla::layers::Layer*, nsIntRegion const&, bool*) 	gfx/layers/basic/BasicLayerManager.cpp
6 	XUL 	mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) 	gfx/layers/basic/BasicLayerManager.cpp
7 	XUL 	mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) 	gfx/layers/basic/BasicLayerManager.cpp
8 	XUL 	mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) 	gfx/layers/basic/BasicLayerManager.cpp
9 	XUL 	mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/basic/BasicLayerManager.cpp
10 	XUL 	mozilla::layers::BasicLayerManager::EndEmptyTransaction(mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/basic/BasicLayerManager.cpp
11 	XUL 	PresShell::Paint(nsView*, nsRegion const&, unsigned int) 	layout/base/nsPresShell.cpp
12 	XUL 	nsViewManager::Refresh(nsView*, nsIntRegion const&) 	view/src/nsViewManager.cpp
13 	XUL 	nsViewManager::PaintWindow(nsIWidget*, nsIntRegion) 	view/src/nsViewManager.cpp
14 	XUL 	nsView::PaintWindow(nsIWidget*, nsIntRegion) 	view/src/nsView.cpp
15 	XUL 	nsChildView::PaintWindow(nsIntRegion) 	widget/cocoa/nsChildView.mm
16 	XUL 	-[ChildView drawRect:inContext:] 	widget/cocoa/nsChildView.mm
17 	XUL 	-[ChildView drawRect:] 	widget/cocoa/nsChildView.mm
18 	AppKit 	AppKit@0x542ce 	
19 	AppKit 	AppKit@0x501ca 	
20 	CoreFoundation 	CoreFoundation@0x1257a 	
21 	AppKit 	AppKit@0x102f6 	
22 	Foundation 	Foundation@0x3d55f 	
23 	AppKit 	AppKit@0x8149b 	
24 	libobjc.A.dylib 	libobjc.A.dylib@0xd29a 	
25 	libobjc.A.dylib 	libobjc.A.dylib@0xd255 	
26 	CoreFoundation 	CoreFoundation@0x309a9 	
27 	CoreFoundation 	CoreFoundation@0x4ca75 	
28 	CoreFoundation 	CoreFoundation@0x4f7c0 	
29 	CoreFoundation 	CoreFoundation@0x4f567 	
30 	AppKit 	AppKit@0x4de88 	
31 	AppKit 	AppKit@0x818c7 	
32 	libobjc.A.dylib 	libobjc.A.dylib@0xd29a 	
33 	libobjc.A.dylib 	libobjc.A.dylib@0xd255 	
34 	CoreFoundation 	CoreFoundation@0x309a9 	
35 	CoreFoundation 	CoreFoundation@0x4cb87 	
36 	CoreFoundation 	CoreFoundation@0x4ca75 	
37 	CoreFoundation 	CoreFoundation@0x4f7c0 	
38 	CoreFoundation 	CoreFoundation@0x167b98 	
39 	AppKit 	AppKit@0x818c7 	
40 	XUL 	NS_IsMainThread() 	/builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/xpcom/build/../../../../xpcom/glue/nsThreadUtils.cpp
41 	AppKit 	AppKit@0x518a9 	
42 	AppKit 	AppKit@0x94f732 	
43 	XUL 	nsWindowSH::GlobalResolve(nsGlobalWindow*, JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, bool*) 	obj-firefox/x86_64/dist/include/nsTSubstring.h
44 	AppKit 	AppKit@0x50da3 	
45 	libmozglue.dylib 	arena_dalloc 	memory/mozjemalloc/jemalloc.c
46 	AppKit 	AppKit@0x4c1bb 	
47 	CoreFoundation 	CoreFoundation@0x4d80e 	
48 	CoreFoundation 	CoreFoundation@0x167b98 	
49 	libmozglue.dylib 	arena_dalloc 	memory/mozjemalloc/jemalloc.c
50 	AppKit 	AppKit@0x44c35 	
51 	libsystem_c.dylib 	libsystem_c.dylib@0x4d470 	
52 	libsystem_c.dylib 	libsystem_c.dylib@0x3e1f0 	
53 	CoreFoundation 	CoreFoundation@0x4fd93 	
54 	AppKit 	AppKit@0x4162d 	
55 	AppKit 	AppKit@0x44375 	
56 	CoreFoundation 	CoreFoundation@0x638e7 	
57 	CoreFoundation 	CoreFoundation@0x63846 	
58 	CoreFoundation 	CoreFoundation@0x63730 	
59 	CoreFoundation 	CoreFoundation@0x38af9 	
60 	CarbonCore 	CarbonCore@0x18088 	
61 	AppKit 	AppKit@0x98f830 	
62 	Foundation 	Foundation@0xa4b7 	
63 	Foundation 	Foundation@0xa1f3 	
64 	XUL 	XPCWrappedNative::GetNewOrUsed(xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) 	js/xpconnect/src/XPCWrappedNative.cpp
65 	CoreFoundation 	CoreFoundation@0x38486 	
66 	HIToolbox 	HIToolbox@0x22bf 	
67 	HIToolbox 	HIToolbox@0x94bf 	
68 	CoreFoundation 	CoreFoundation@0x1257a 	
69 	HIToolbox 	HIToolbox@0x93fa 	
70 	AppKit 	AppKit@0x8779 	
71 	CoreFoundation 	CoreFoundation@0x218e 	
72 	libmozglue.dylib 	arena_dalloc 	memory/mozjemalloc/jemalloc.c
73 	AppKit 	AppKit@0x807d

Comment 2

[Matt Woodrow (:mattwoodrow)]

Do you have any links to crash reports, URL's, STR etc?

This is almost certainly a regression from Bug 921233.

Comment 3

[Steven Michaud [:smichaud] (Retired)]

https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort%28char+const*%29+|+abort+|+mozilla%3A%3Agfx%3A%3ASourceSurfaceCGBitmapContext%3A%3ASourceSurfaceCGBitmapContext%28mozilla%3A%3Agfx%3A%3ADrawTargetCG*%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&platform=mac&version=Firefox%3A27.0a1&hang_type=any&date=2013-10-02+23%3A00%3A00&range_value=1#reports

Comment 4

[Matt Woodrow (:mattwoodrow)]

Ok, I guess this is because we have a DrawTargetCG created for the window CG context.

We try Snapshot it for PushGroupAndCopyBackground, and the SourceSurfaceCGBitmapContext constructor calls GetNativeSurface.

That then fails here (since it's not a bitmap context): http://mxr.mozilla.org/mozilla-central/source/gfx/2d/DrawTargetCG.cpp#1341

Jeff, do you any problems with allowing us to snapshot the window context?

Comment 5

[Chris Peterson [:cpeterson]]

I hit this crash when loading the test case from WebGL bug 924375 in a background tab.

Comment 6

[mario garbi]

Happened for us too on a OS X 10.6.8 while running Mozmill 2.0 automated tests.

Comment 7

[mario garbi]

Steps to reproduce using Mozmill 2.0 on a Mac with Nightly 27:
1. Get a mozmill-env from http://mozqa.com/mozmill-env/   (You need "2.0-mac.zip")
2. Unzip mozmill-env
3. open a terminal
4. navigated using the terminal to the mozmill-env directory
5. enter " . bin/activate " from the mozmill-env folder (you should get a (mozmill-env) tag)
6. enter " mozmill -t tests/functional/testSearch/testSearchSelection.js -b <PATH_TO_FIREFOX_BINARY> "
  *change <PATH_TO_FIREFOX_BINARY> with your actual path to the Nightly firefox binary

We manage to reproduce this on a Mac 10.6.8 CI machine 4/5 times using the steps above. I am unable to reproduce it on a local 10.6.8 mac for yet unknown reasons.

Comment 8

[mario garbi]

To add to the steps:
- In order to get mozmill-tests add another step after 5:
  - 5.1 " hg clone http://hg.mozilla.org/qa/mozmill-tests " (do this from the mozmill-env folder)
     * this will get a repository with our mozmill automated tests that you will use at step 6.
  - 5.2 cd mozmill-tests  
     * we need to trigger step 6 from inside the mozmill-tests folder

Comment 9

[Chris Peterson [:cpeterson]]

btw, my STR in comment 5 hit this crash with 100% reproducibility on my MBP without needing to install Mozmill.

Comment 10

[Matt Woodrow (:mattwoodrow)]

Attachment: Don't use the window CGContext as a source with azure

Comment 11

[Bas Schouten (:bas.schouten)]

Comment on attachment 815214 [details] [diff] [review]
Don't use the window CGContext as a source with azure

Review of attachment 815214 [details] [diff] [review]:
-----------------------------------------------------------------

Sadface ...

Comment 13

[Matt Woodrow (:mattwoodrow)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/64b24d431280

Comment 14

[mario garbi]

I am also able to manually reproduce it with yesterdays Nightly build.

Steps to reproduce:
1. Open a Nightly build browser
2. Open about:config
3. Set browser.search.context.loadInBackground to "true"
4. Open https://www.mozqa.com/data/firefox/search/mozsearch.html
5. Click the <a> here </a> link to install the engine
6. Select a piece of text and right click it
7. From the context menu click the "Search <ENGINE_NAME> <STRING>" option 

This causes a crash every few tries, around 2/10 times.

Comment 15

[mario garbi]

I can confirm that with the build specified in comment 13 we no longer have crashed neither manually or with mozmill tests. I have tested this by running over 20 tests with no failures with the new build and managed to reproduce it with 2 runs of the old build right after that.

Comment 16

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/64b24d431280

Comment 17

[Tracy Walker [:tracy]]

Verified per comment #15 and no new reports in crash stats.

Comment 18

[Jeff Muizelaar [:jrmuizel]]

(In reply to Matt Woodrow (:mattwoodrow) from comment #4)
> Jeff, do you any problems with allowing us to snapshot the window context?

Does that work?