16116 – Firefox crash [@ _de_casteljau] due to infinite recursion of [@ _cairo_spline_decompose_into]

Bug 16116 - Firefox crash [@ _de_casteljau] due to infinite recursion of [@ _cairo_spline_decompose_into]

Summary: Firefox crash [@ _de_casteljau] due to infinite recursion of [@ _cairo_spline...

Status:	RESOLVED FIXED

Alias:	None

Product:	cairo
Classification:	Unclassified
Component:	general (show other bugs)
Version:	1.6.5
Hardware:	x86 (IA32) Windows (All)

Importance:	medium critical
Assignee:	Carl Worth
QA Contact:	cairo-bugs mailing list

URL:
Whiteboard:
Keywords:

Duplicates (1):	23209 (view as bug list)
Depends on:
Blocks:

Reported:	2008-05-27 08:16 UTC by Mats Palmgren
Modified:	2009-12-07 01:46 UTC (History)
CC List:	5 users (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Mats Palmgren 2008-05-27 08:16:07 UTC

We have multiple reports of Firefox 3.0 RC1 crashing on Windows
due to infinite recursion of _cairo_spline_decompose_into().
Is it a Cairo bug?

Originally filed in b.m.o.
https://bugzilla.mozilla.org/show_bug.cgi?id=435756


Example crash reports:
bp-e902c5b8-2769-11dd-a5b8-0013211cbf8a
bp-0cb6bee3-25ba-11dd-bca0-0013211cbf8a
bp-6fda3d66-2a4a-11dd-93ee-001a4bd46e84
bp-2a222bc7-25b3-11dd-9514-0013211cbf8a

Stack:
_de_casteljau                 mozilla/gfx/cairo/cairo/src/cairo-spline.c:167
_cairo_spline_decompose_into  mozilla/gfx/cairo/cairo/src/cairo-spline.c:255 
_cairo_spline_decompose_into  mozilla/gfx/cairo/cairo/src/cairo-spline.c:257
          ... repeat a few thousand times ...
_cairo_spline_decompose_into  mozilla/gfx/cairo/cairo/src/cairo-spline.c:257
_cairo_spline_decompose_into  mozilla/gfx/cairo/cairo/src/cairo-spline.c:261
_cairo_spline_decompose       mozilla/gfx/cairo/cairo/src/cairo-spline.c:278
_cairo_filler_curve_to        mozilla/gfx/cairo/cairo/src/cairo-path-fill.c:132
_cairo_path_fixed_interpret  
mozilla/gfx/cairo/cairo/src/cairo-path-fixed.c:524
_cairo_path_fixed_fill_to_traps
mozilla/gfx/cairo/cairo/src/cairo-path-fill.c:185
_cairo_surface_fallback_fill 
mozilla/gfx/cairo/cairo/src/cairo-surface-fallback.c:898
_cairo_surface_fill           mozilla/gfx/cairo/cairo/src/cairo-surface.c:1626
_cairo_gstate_fill            mozilla/gfx/cairo/cairo/src/cairo-gstate.c:1015
_moz_cairo_fill_preserve      mozilla/gfx/cairo/cairo/src/cairo.c:2177
gfxContext::Fill              mozilla/gfx/thebes/src/gfxContext.cpp:136
FillFastBorderPath            mozilla/layout/base/nsCSSRendering.cpp:1574
DrawBorderSides               mozilla/layout/base/nsCSSRendering.cpp:2209
DrawBorders                   mozilla/layout/base/nsCSSRendering.cpp:2629
nsCSSRendering::PaintBorder   mozilla/layout/base/nsCSSRendering.cpp:2836 
...


http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-spline.c&rev=1.14&mark=255,257,261#261

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/gfx/cairo/cairo/src/cairo-spline.c&rev=1.14&root=/cvsroot&mark=154,161#153

Comment 1 Chris Wilson 2008-10-08 06:20:20 UTC

I believe I've fixed this for 1.8 - the problem was that MIN_TOLERANCE was smaller than CAIRO_FIXED_TO_DOUBLE(1) and thus setting an impossible termination criterion for _spline_decompose().

Comment 2 Chris Wilson 2009-08-07 14:50:37 UTC

*** Bug 23209 has been marked as a duplicate of this bug. ***

Comment 3 Troy Spicer 2009-08-07 16:10:53 UTC

So are you saying this fix hasn't been integrated into Firefox yet?

The crashes just in the last week.

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=cairo&date=&range_value=1&range_unit=weeks&do_query=1&signature=_cairo_spline_decompose_into

Thanks


----- Original Message ----- 
From: <bugzilla-daemon@freedesktop.org>
To: <stores@zkosn.com>
Sent: Friday, August 07, 2009 4:50 PM
Subject: [Bug 16116] Firefox crash [@ _de_casteljau] due to infinite 
recursion of [@ _cairo_spline_decompose_into]


> http://bugs.freedesktop.org/show_bug.cgi?id=16116
>
>
> Chris Wilson <chris@chris-wilson.co.uk> changed:
>
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                 CC|                            |stores@zkosn.com
>
>
>
>
> --- Comment #2 from Chris Wilson <chris@chris-wilson.co.uk>  2009-08-07 
> 14:50:37 PST ---
> *** Bug 23209 has been marked as a duplicate of this bug. ***
>
>
> -- 
> Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
>

Comment 4 Mats Palmgren 2009-09-08 09:53:07 UTC

We're still getting crash reports with this signature for
Firefox 3.5(.x) which includes cairo 1.8.2.
See https://bugzilla.mozilla.org/show_bug.cgi?id=435756#c24

Comment 5 Chris Wilson 2009-12-07 01:46:37 UTC

As the firefox bug seems to be related to interaction with an external piece of software -- I'm pretty certain the original cairo bug is fixed.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.