965914 - crash in mozilla::gfx::CopyRect mostly with Intel GPUs

Reporter

Description

•

11 years ago

This bug was filed from the Socorro interface and is report bp-13968dff-4df2-4874-b2e0-edb9d2140130. ============================================================= 0 gkmedias.dll mozilla::gfx::CopyRect gfx/2d/FilterNodeSoftware.cpp 1 gkmedias.dll mozilla::gfx::CloneAligned(mozilla::gfx::DataSourceSurface *) gfx/2d/FilterNodeSoftware.cpp 2 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::FilterNodeSoftware::FormatHint,mozilla::gfx::ConvolveMatrixEdgeMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) gfx/2d/FilterNodeSoftware.cpp 3 gkmedias.dll mozilla::gfx::FilterNodeTransformSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 4 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 5 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::FilterNodeSoftware::FormatHint,mozilla::gfx::ConvolveMatrixEdgeMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) gfx/2d/FilterNodeSoftware.cpp 6 gkmedias.dll mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 7 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 8 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::FilterNodeSoftware::FormatHint,mozilla::gfx::ConvolveMatrixEdgeMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) gfx/2d/FilterNodeSoftware.cpp 9 gkmedias.dll mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 10 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 11 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::FilterNodeSoftware::FormatHint,mozilla::gfx::ConvolveMatrixEdgeMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) gfx/2d/FilterNodeSoftware.cpp 12 gkmedias.dll mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 13 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 14 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::FilterNodeSoftware::FormatHint,mozilla::gfx::ConvolveMatrixEdgeMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) gfx/2d/FilterNodeSoftware.cpp 15 gkmedias.dll mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 16 gkmedias.dll mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &) gfx/2d/FilterNodeSoftware.cpp 17 gkmedias.dll mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::DrawOptions const &) gfx/2d/FilterNodeSoftware.cpp 18 gkmedias.dll mozilla::gfx::DrawTargetSkia::DrawFilter(mozilla::gfx::FilterNode *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::DrawOptions const &) gfx/2d/DrawTargetSkia.cpp 19 xul.dll mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget *,mozilla::gfx::FilterDescription const &,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::SourceSurface *,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::SourceSurface *,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::SourceSurface *,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> > &) gfx/src/FilterSupport.cpp 20 xul.dll nsSVGFilterInstance::Render(gfxContext *) layout/svg/nsSVGFilterInstance.cpp 21 xul.dll nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext *,nsIFrame *,nsSVGFilterPaintCallback *,nsRect const *,nsIFrame *) layout/svg/nsSVGFilterFrame.cpp 22 xul.dll nsSVGUtils::PaintFrameWithEffects(nsRenderingContext *,nsIntRect const *,nsIFrame *,nsIFrame *) layout/svg/nsSVGUtils.cpp 23 xul.dll nsSVGMaskFrame::ComputeMaskAlpha(nsRenderingContext *,nsIFrame *,gfxMatrix const &,float) layout/svg/nsSVGMaskFrame.cpp 24 xul.dll nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext *,nsIFrame *,nsRect const &,nsDisplayListBuilder *,mozilla::layers::LayerManager *) layout/svg/nsSVGIntegrationUtils.cpp 25 xul.dll mozilla::PaintInactiveLayer layout/base/FrameLayerBuilder.cpp 26 xul.dll mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem> &,nsIntRect const &,gfxContext *,nsRenderingContext *,nsDisplayListBuilder *,nsPresContext *,nsIntPoint const &,float,float,int) layout/base/FrameLayerBuilder.cpp 27 xul.dll mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer *,gfxContext *,nsIntRegion const &,mozilla::layers::DrawRegionClip,nsIntRegion const &,void *) layout/base/FrameLayerBuilder.cpp 28 xul.dll mozilla::layers::ThebesLayerD3D10::DrawRegion(nsIntRegion &,mozilla::layers::Layer::SurfaceMode) gfx/layers/d3d10/ThebesLayerD3D10.cpp 29 xul.dll mozilla::layers::ThebesLayerD3D10::Validate(mozilla::layers::ReadbackProcessor *) gfx/layers/d3d10/ThebesLayerD3D10.cpp 30 xul.dll mozilla::layers::ContainerLayerD3D10::Validate() gfx/layers/d3d10/ContainerLayerD3D10.cpp 31 xul.dll mozilla::layers::ContainerLayerD3D10::Validate() gfx/layers/d3d10/ContainerLayerD3D10.cpp 32 xul.dll mozilla::layers::ContainerLayerD3D10::Validate() gfx/layers/d3d10/ContainerLayerD3D10.cpp 33 xul.dll mozilla::layers::LayerManagerD3D10::Render(mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/d3d10/LayerManagerD3D10.cpp 34 xul.dll mozilla::layers::LayerManagerD3D10::EndTransaction(void (*)(mozilla::layers::ThebesLayer *,gfxContext *,nsIntRegion const &,mozilla::layers::DrawRegionClip,nsIntRegion const &,void *),void *,mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/d3d10/LayerManagerD3D10.cpp 35 xul.dll nsDisplayList::PaintForFrame(nsDisplayListBuilder *,nsRenderingContext *,nsIFrame *,unsigned int) layout/base/nsDisplayList.cpp 36 xul.dll nsLayoutUtils::PaintFrame(nsRenderingContext *,nsIFrame *,nsRegion const &,unsigned int,unsigned int) layout/base/nsLayoutUtils.cpp 37 xul.dll PresShell::Paint(nsView *,nsRegion const &,unsigned int) layout/base/nsPresShell.cpp 38 xul.dll nsViewManager::ProcessPendingUpdatesForView(nsView *,bool) view/src/nsViewManager.cpp 39 xul.dll nsRefreshDriver::Tick(__int64,mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp 40 xul.dll mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp 41 xul.dll nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp 42 xul.dll nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp 43 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp 44 ntdll.dll EtwEventEnabled 45 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c 46 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp 47 xul.dll _SEH_epilog4 48 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 49 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 50 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp 51 nss3.dll nss3.dll@0x79b0 52 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp 53 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp 54 firefox.exe do_main browser/app/nsBrowserApp.cpp 55 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp 56 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp 57 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c 58 kernel32.dll BaseThreadInitThunk 59 ntdll.dll __RtlUserThreadStart 60 ntdll.dll _RtlUserThreadStart More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Agfx%3A%3ACopyRect Platforms: Windows XP 58.41% Windows 7 34.11% Windows 8.* 6.54% Product: Firefox 28.0a2 64.95% Firefox 29.0a1 34.58% Crashes per Install: Firefox 28.0a2 139/106 -> 1.34 Firefox 29.0a1 74/64 -> 1.16 Top-10 Graphics Correlations: 0x8086 0x29c2 19 11.310 % 0x8086 0x2772 18 10.714 % 0x8086 0x2e32 15 8.929 % 0x8086 0x2992 9 5.357 % 0x8086 0x0116 9 5.357 % 0x8086 0x29b2 8 4.762 % 0x8086 0x0166 6 3.571 % 0x1002 0x68f9 6 3.571 % 0x8086 0x2572 5 2.976 % Top-10 URL Correlations: 41 about:blank 5 https://platform.twitter.com/widgets/hub.html 5 http://elshaab.org/ 4 http://www.dailymotion.com/video/x123ccs_%D8%A7%D9%84%D8%AD%D9%84%D9%82%D8%A9... 3 http://sout-elwatan.blogspot.com/2014/01/blog-post_5905.html 3 http://habbabi.com/aljazeera_misr.aspx 3 http://almogaz.com/tvchannels/Aljazeera-Mubasher-Masr 2 http://www.cago.ro/catalog-say 2 http://vtc.vn/the-thao/sieu-mau-di-dep-cao-got-tang-bong-kheo-nhu-messi-57322... 2 http://www.cago.ro/catalog-takko-fashion Current 7-day Rank: Firefox 28.0a2 #7 @ 1.3% (up 35 positions) Firefox 29.0a1 #26 @ 0.46% (new) ============================================================= This signature has spiked on Aurora starting 2014-01-28 as per https://crash-analysis.mozilla.com/rkaiser/2014-01-29/2014-01-29.firefox.28.explosiveness.html. I do not see any reports for Firefox 26 or 27 so I'm assuming this is something that was landed on Nightly and subsequently uplifted to Aurora.

u279076

Reporter

Updated

•

11 years ago

status-firefox26: affected → unaffected

u279076

Reporter

Comment 1

•

11 years ago

Looking at the pushlog nothing stands out to me: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=c40099a42c1f&tochange=4936f09590a0

Jeff Muizelaar [:jrmuizel]

Comment 2

•

11 years ago

Bug 941887 seems like it could be related.

Markus Stange [:mstange]

Assignee

Comment 3

•

11 years ago

(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #0) > 18 gkmedias.dll > mozilla::gfx::DrawTargetSkia::DrawFilter(mozilla::gfx::FilterNode > *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const > &,mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const > &,mozilla::gfx::DrawOptions const &) gfx/2d/DrawTargetSkia.cpp Do we use DrawTargetSkia nowadays on some Windows configurations?

Markus Stange [:mstange]

Assignee

Comment 4

•

11 years ago

I don't see how bug 941887 could have caused this, but since this happens in FilterNodeSoftware it's for me to fix either way.

Assignee: nobody → mstange

Status: NEW → ASSIGNED

Benjamin Kerensa [:bkerensa]

Comment 5

•

11 years ago

This is number #12 top crash on Nightly going to track this for now due to impact to our users.

Benjamin Kerensa [:bkerensa]

Updated

•

11 years ago

tracking-firefox28: ? → +

tracking-firefox29: ? → +

Markus Stange [:mstange]

Assignee

Comment 6

•

11 years ago

Attached patch null check — Details — Splinter Review

We don't null-check this particular invocation of Factory::CreateDataSourceSurface. (In reply to Markus Stange [:mstange] from comment #3) > (In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #0) > > 18 gkmedias.dll > > mozilla::gfx::DrawTargetSkia::DrawFilter(mozilla::gfx::FilterNode > > *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const > > &,mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const > > &,mozilla::gfx::DrawOptions const &) gfx/2d/DrawTargetSkia.cpp > > Do we use DrawTargetSkia nowadays on some Windows configurations? This is actually DrawTargetCairo::DrawFilter, but since it's the same code as DrawTargetSkia, the linker seems to fold the two together into one.

Attachment #8369087 - Flags: review?(bas)

Bas Schouten (:bas.schouten)

Updated

•

11 years ago

Attachment #8369087 - Flags: review?(bas) → review+

Markus Stange [:mstange]

Assignee

Comment 7

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/51e86840de9b

Carsten Book [:Tomcat]

Comment 8

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/51e86840de9b

Status: ASSIGNED → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla30

u279076

Reporter

Updated

•

11 years ago

status-firefox30: --- → fixed

u279076

Reporter

Comment 9

•

11 years ago

I don't see any reports of this crash for 2014-02-06 or later. We should probably give this a few more days before calling this verified fixed though.

u279076

Reporter

Comment 10

•

11 years ago

(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #9) > I don't see any reports of this crash for 2014-02-06 or later. We should > probably give this a few more days before calling this verified fixed though. Sorry, forgot to specify that this is looking at Firefox 30.0a1 data: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3ACopyRect&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&version=Firefox%3A30.0a1&hang_type=any&date=2014-02-07+22%3A00%3A00&range_value=1#tab-reports

Markus Stange [:mstange]

Assignee

Comment 11

•

11 years ago

Comment on attachment 8369087 [details] [diff] [review] null check [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 924102 / bug 924103 User impact if declined: crash on some pages that use SVG filters under low memory conditions Testing completed (on m-c, etc.): 5 days on mozilla-central Risk to taking this patch (and alternatives if risky): extremely low String or IDL/UUID changes made by this patch: none

Attachment #8369087 - Flags: approval-mozilla-beta?

Attachment #8369087 - Flags: approval-mozilla-aurora?

Robert Kaiser

Comment 12

•

11 years ago

This is the #1 crash on 28.0b1, so we'd really like an uplift here. ;-)

Sylvestre Ledru [:Sylvestre]

Comment 13

•

11 years ago

Comment on attachment 8369087 [details] [diff] [review] null check Sure! :)

Attachment #8369087 - Flags: approval-mozilla-beta?

Attachment #8369087 - Flags: approval-mozilla-beta+

Attachment #8369087 - Flags: approval-mozilla-aurora?

Attachment #8369087 - Flags: approval-mozilla-aurora+

Ryan VanderMeulen [:RyanVM]

Comment 14

•

11 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/1c0e2c4fb67f https://hg.mozilla.org/releases/mozilla-beta/rev/0347798cdf37

status-firefox28: affected → fixed

status-firefox29: affected → fixed

Ryan VanderMeulen [:RyanVM]

Comment 15

•

11 years ago

https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/0347798cdf37

Ryan VanderMeulen [:RyanVM]

Updated

•

11 years ago

status-b2g-v1.3: --- → fixed

Ioana (away)

Updated

•

11 years ago

Keywords: verifyme

u279076

Reporter

Comment 16

•

11 years ago

I see no more crashes reported for any branch with a build ID more recent than 2014-02-10. In terms of rank this is down to #196 on Nightly, #5 on Aurora (down 4%), and #2 on Beta (down 11%). Given this information I believe we can call this verified fixed.

Status: RESOLVED → VERIFIED

status-firefox28: fixed → verified

status-firefox29: fixed → verified

status-firefox30: fixed → verified

Keywords: verifyme

Ryan VanderMeulen [:RyanVM]

Updated

•

11 years ago

status-b2g-v1.3T: --- → fixed

status-b2g-v1.4: --- → fixed