Closed Bug 972758 Opened 10 years ago Closed 10 years ago

crash in mozilla::gfx::GetRetainedImageFromSourceSurface with Skia canvas

Categories

(Core :: Graphics: Layers, defect)

All
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: the.decryptor, Unassigned)

Details

(Keywords: reproducible, Whiteboard: [STR in comment #4])

Crash Data

This bug was filed from the Socorro interface and is report bp-6303bc85-3ca5-4e3a-a335-718d82140213.
=============================================================

Since updating to the latest nightly, opening Panorama crashes the browser nearly instantly. Upon further investigation, I tracked it down to having Skia canvas enabled; disabling it stopped any crashes from happening.

I think this is a regression from Bug 948765.
The function that causes the crash in this bug (mozilla::gfx::GetRetainedImageFromSourceSurface in DrawTargetCG.cpp) expects the SourceSurface parameter to be of type COREGRAPHICS_IMAGE or DATA.

My preliminary look at my patches from Bug 948765 turned up these lines from the diff (in CanvasClient.cpp):

  -  nsRefPtr<gfxASurface> surface = mBuffer->AsTextureClientSurface()->GetAsSurface();
  -  if (surface) {
  -    aLayer->UpdateSurface(surface);
  +  RefPtr<DrawTarget> drawTarget =
  +    mBuffer->AsTextureClientDrawTarget()->GetAsDrawTarget();
  +  if (drawTarget) {
  +    aLayer->UpdateTarget(drawTarget);
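
Review bot: at the new aLayer->UpdateTarget(drawTarget) call, nothing in these lines constrains which backend the DrawTarget belongs to, so any surface later derived from it has whatever type that backend produces. A consumer that accepts only specific SourceSurface types, such as the COREGRAPHICS_IMAGE or DATA expectation described above for GetRetainedImageFromSourceSurface, is then relying on a guarantee this call site does not give. Consider checking the surface type where it is consumed and converting to a data surface when it does not match, and add a comment here stating which surface types downstream code is expected to handle.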

In UpdateTarget, I call drawTarget->Snapshot(). The SourceSurface that is returned will later be passed as an argument to the function that crashes.

This makes me uncertain whether I have caused this regression with my patches, or if I have unmasked an existing bug somewhere else. Nical, do you see the light?

Flags: needinfo?(nical.bugzilla)
Depends on: 973892

Bug 973892 has the light, with 3 different fixes for this bug.

Flags: needinfo?(nical.bugzilla)
Crash Signature: [@ mozilla::gfx::GetRetainedImageFromSourceSurface] → [@ mozilla::gfx::GetRetainedImageFromSourceSurface ]
> having Skia canvas enabled

How do you do this?  Is it a compile option, an about:config setting, or both?

And by "Panorama" do you mean what some people call "Tab Groups" (https://support.mozilla.org/en-US/kb/tab-groups-organize-tabs)?

Never mind.  I figured it out:

STR

1) Set the following in about:config and restart:
   gfx.canvas.azure.accelerated true
   gfx.canvas.azure.backends skia
2) Enter the "Tab Groups view" by pressing Cmd+Shift+E.
3) Crash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [STR in comment #4]
"Simpler" steps:

1. Set:
     user_pref("gfx.canvas.azure.accelerated", true);
     user_pref("gfx.canvas.azure.backends", "skia");

2. Load https://hg.mozilla.org/mozilla-central/raw-file/default/layout/reftests/image-element/canvas-outside-document.html

I can also reproduce on Mac. I have the preference set in Comment 6. Loading and interacting with Cleopatra is leading to this crash:

https://crash-stats.mozilla.com/report/index/fea7b5b2-349c-486a-8f63-b8a112140611
Same crash as /tests/layout/generic/test/test_bug449653.html?
(In reply to Milan Sreckovic [:milan] from comment #10)
> Same crash as layout/generic/test/test_bug449653.html?

Tracked in bug 1031525.  Could be a blocker or a dupe.
The fix for this was bug 1031525.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 1150944