Closed Bug 397293 Opened 17 years ago Closed 17 years ago

Crash [@ CGBitmapContextCreateImage] with <xul:listbox>, opacity

Categories

(Core :: XUL, defect)

x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla1.9beta1

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [dbaron-1.9:Rs])

Crash Data

Attachments

(3 files)

Steps to reproduce:
1. Load the testcase.
2. Wait 2 seconds.

Result: crash [@ CGBitmapContextCreateImage] dereferencing 0x00000009.

Tested with Mac trunk debug. I think this is a regression from within the last few days.
It might have to be the first page loaded in the session in order to trigger the crash.
Attached file stack (deleted) —
The error is that cairo_quartz_surface_to_quartz() returns a surface that isn't a quartz surface. The callers of this function expect it never to fail to create a quartz surface. The testcase triggers calls with width/height == 0, which makes _cairo_malloc_ab() fail, which makes cairo_quartz_surface_create() fail, which causes cairo_quartz_surface_clone_similar() to fail, which makes cairo_surface_clone_similar() call cairo_surface_fallback_clone_similar() instead, which succeeds and returns a CAIRO_SURFACE_TYPE_IMAGE, which cairo_quartz_surface_to_quartz() then casts to a cairo_quartz_surface_t. I suppose we could prune calls with width/height == 0 at a higher level, but we need to handle this type of error anyway (malloc fails due to OOM).
Attached patch Like so? (deleted) — Splinter Review
* make cairo_quartz_surface_to_quartz() return NULL if it's not a valid quartz surface and add null-checks to call sites.
* fix a couple of leaks under OOM
* fix a warning about missing initializers for cairo_quartz_surface_backend
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: review?(vladimir)
Flags: blocking1.9?
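The failure chain in comment 2 and the shape of the fix in comment 3, as an added C example that is not cairo's code (every type and function name below is a constructed stand-in, not the real cairo API). A zero-sized request makes the quartz backend's allocation fail, the generic fallback hands back an image surface, and the unchecked cast lets that surface reach quartz-only code; the checked conversion returns NULL and the caller bails out instead of dereferencing a wrong-typed object.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed stand-ins for the surface model (assumed names, not cairo's). */
typedef enum { SURFACE_TYPE_IMAGE, SURFACE_TYPE_QUARTZ } surface_type_t;

typedef struct {
    surface_type_t type;        /* backend tag, checked before any downcast */
    int width, height;
} surface_t;

typedef struct { surface_t base; void *cg_context; } quartz_surface_t;     /* quartz backend */
typedef struct { surface_t base; unsigned char *data; } image_surface_t;  /* generic fallback */

/* Stand-in for _cairo_malloc_ab: refuses zero-sized and overflowing requests. */
static void *malloc_ab(size_t a, size_t b)
{
    if (a == 0 || b == 0 || a > SIZE_MAX / b)
        return NULL;
    return malloc(a * b);
}

/* Quartz creation fails whenever the backing buffer cannot be allocated
 * (width/height == 0 here; a genuine OOM in practice). */
static surface_t *quartz_surface_create(int width, int height)
{
    void *buf = malloc_ab((size_t)width * 4, (size_t)height);
    if (buf == NULL)
        return NULL;
    quartz_surface_t *s = calloc(1, sizeof *s);
    if (s == NULL) {
        free(buf);                       /* do not leak the buffer under OOM */
        return NULL;
    }
    s->base.type = SURFACE_TYPE_QUARTZ;
    s->base.width = width;
    s->base.height = height;
    s->cg_context = buf;
    return &s->base;
}

/* The image fallback accepts degenerate sizes, so it "succeeds". */
static surface_t *image_surface_create(int width, int height)
{
    image_surface_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->base.type = SURFACE_TYPE_IMAGE;
    s->base.width = width;
    s->base.height = height;
    s->data = malloc((size_t)width * 4 * (size_t)height + 1);
    return &s->base;
}

static void surface_destroy(surface_t *s)
{
    if (s == NULL)
        return;
    if (s->type == SURFACE_TYPE_QUARTZ)
        free(((quartz_surface_t *)s)->cg_context);
    else
        free(((image_surface_t *)s)->data);
    free(s);
}

/* clone_similar: prefer the quartz backend, fall back to an image surface.
 * This is the step that can hand a non-quartz surface to quartz-only code. */
static surface_t *surface_clone_similar(int width, int height)
{
    surface_t *s = quartz_surface_create(width, height);
    return s != NULL ? s : image_surface_create(width, height);
}

/* Before the fix: an unconditional cast that trusts clone_similar. For an
 * image surface the "cg_context" slot holds unrelated data, which is what
 * CGBitmapContextCreateImage then dereferenced. */
quartz_surface_t *surface_to_quartz_unchecked(surface_t *s)
{
    return (quartz_surface_t *)s;
}

/* After the fix: verify the backend tag and return NULL for anything else. */
quartz_surface_t *surface_to_quartz(surface_t *s)
{
    if (s == NULL || s->type != SURFACE_TYPE_QUARTZ)
        return NULL;
    return (quartz_surface_t *)s;
}

/* A caller modelled on the patched call sites: null-check the conversion and
 * bail out cleanly. Returns 0 on success, -1 when there is nothing to draw on. */
int draw_with_clone(int width, int height)
{
    surface_t *clone = surface_clone_similar(width, height);
    if (clone == NULL)
        return -1;                       /* OOM on both backends */
    quartz_surface_t *qs = surface_to_quartz(clone);
    if (qs == NULL) {
        surface_destroy(clone);          /* not a quartz surface: handled, no crash */
        return -1;
    }
    /* ... hand qs->cg_context to CoreGraphics here ... */
    surface_destroy(clone);
    return 0;
}

/* 1 if the unchecked cast would have let a non-quartz clone through for this
 * size while the checked conversion rejects it, 0 otherwise, -1 on OOM. */
int unchecked_cast_lets_image_through(int width, int height)
{
    surface_t *clone = surface_clone_similar(width, height);
    if (clone == NULL)
        return -1;
    int through = surface_to_quartz_unchecked(clone) != NULL && surface_to_quartz(clone) == NULL;
    surface_destroy(clone);
    return through;
}

int main(void)
{
    printf("0x10 clone slips through unchecked cast: %d\n", unchecked_cast_lets_image_through(0, 10));
    printf("draw(0,10) -> %d, draw(4,4) -> %d\n", draw_with_clone(0, 10), draw_with_clone(4, 4));
    return 0;
}
```

The point of the type check is the same one comment 2 makes: pruning zero-sized requests upstream would hide this testcase, but the fallback path is also reachable under real memory pressure, so the conversion has to be able to say "not a quartz surface" and every caller has to cope with that answer.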
This is probably related, seeing Mats' comment 2: for several days, I randomly see entries in console.log:

> Sep 30 16:14:33 pikun /Applications/Camino.app/Contents/MacOS/Camino: CGBitmapContextCreateImage: invalid context

With both Camino Trunk builds and Minefield builds (opt). I haven't found a way to trigger it manually. It doesn't seem to cause anything Bad, as far as I can tell.
Blocks: 328258
Assignee: nobody → mats.palmgren
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:Rs]
Blocks: 400865
Attachment #282152 - Flags: superreview?(vladimir)
Attachment #282152 - Flags: superreview+
Attachment #282152 - Flags: review?(vladimir)
Attachment #282152 - Flags: review+
Attachment #282152 - Flags: approvalM9?
I tried to make a mochitest of the attached testcase but failed. The crash still occurs (2007102504) although it seems harder to reproduce now, I had to open Preferences, Reload, Zoom etc to make it crash.
mozilla/gfx/cairo/cairo/src/cairo-quartz-surface.c 1.30 -> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102604 Minefield/3.0a9pre -> no crash on testcase -> Verified
Status: RESOLVED → VERIFIED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ CGBitmapContextCreateImage]
Flags: in-testsuite? → in-testsuite+