Bug 20724

Summary: Mozilla Firefox 3.0.7 using Cairo 1.8.6 crashes on AIX
Product: cairo
Reporter: Shailen <shailen.n.jain>
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED MOVED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: critical
Priority: high
Version: 1.8.6
Hardware: All
OS: AIX

Description Shailen 2009-03-17 22:33:18 UTC
Mozilla Firefox 3.0.7 using Cairo 1.8.6 crashes on AIX.

Below are the stack trace details.

pthread_kill(??, ??) at 0x9000000004786bc
_p_raise(??) at 0x9000000004780d0
FatalSignalHandler__13nsProfileLockFi() at 0x100024420
cairo-surface._cairo_surface_clone_similar(surface = 0x0000000110f21510, src = 0x0000000110f21190, src_x = 0, src_y = 0, width = 2, height = 2, clone_offset_x = 0x0fffffffffffd7f0, clone_offset_y = 0x0fffffffffffd7f8, clone_out = 0x0fffffffffffdc88), line 1187 in "cairo-surface.c"
unnamed block in cairo-pattern._cairo_pattern_acquire_surface_for_surface(pattern = 0x0fffffffffffd998, dst = 0x0000000110f21510, x = 1, y = 0, width = 2, height = 2, out = 0x0fffffffffffdc88, attr = 0x0fffffffffffdce0), line 1959 in "cairo-pattern.c"
cairo-pattern._cairo_pattern_acquire_surface_for_surface(pattern = 0x0fffffffffffd998, dst = 0x0000000110f21510, x = 1, y = 0, width = 2, height = 2, out = 0x0fffffffffffdc88, attr = 0x0fffffffffffdce0), line 1959 in "cairo-pattern.c"
unnamed block in cairo-pattern._cairo_pattern_acquire_surface(pattern = 0x0fffffffffffd998, dst = 0x0000000110f21510, x = 0, y = 0, width = 2, height = 2, surface_out = 0x0fffffffffffdc88, attributes = 0x0fffffffffffdce0), line 2075 in "cairo-pattern.c"
cairo-pattern._cairo_pattern_acquire_surface(pattern = 0x0fffffffffffd998, dst = 0x0000000110f21510, x = 0, y = 0, width = 2, height = 2, surface_out = 0x0fffffffffffdc88, attributes = 0x0fffffffffffdce0), line 2075 in "cairo-pattern.c"
cairo-pattern._cairo_pattern_acquire_surfaces(src = 0x0000000110f21bd0, mask = (nil), dst = 0x0000000110f21510, src_x = 0, src_y = 0, mask_x = 0, mask_y = 0, width = 2, height = 2, src_out = 0x0fffffffffffdc88, mask_out = 0x0fffffffffffdc80, src_attributes = 0x0fffffffffffdce0, mask_attributes = 0x0fffffffffffdc90), line 2168 in "cairo-pattern.c"
cairo-image-surface._cairo_image_surface_composite() at 0x10034681c
cairo-surface._cairo_surface_composite(op = CAIRO_OPERATOR_SOURCE, src = 0x0000000110f21bd0, mask = (nil), dst = 0x0000000110f21510, src_x = 0, src_y = 0, mask_x = 0, mask_y = 0, dst_x = 0, dst_y = 0, width = 2, height = 2), line 1287 in "cairo-surface.c"
_composite_trap_region(clip = (nil), src = 0x0000000110f21bd0, op = CAIRO_OPERATOR_SOURCE, dst = 0x0000000110f21510, trap_region = 0x0fffffffffffe128, extents = 0x0fffffffffffe160), line 455 in "cairo-surface-fallback.c"
unnamed block in _clip_and_composite_trapezoids(src = 0x0000000110f21bd0, op = CAIRO_OPERATOR_SOURCE, dst = 0x0000000110f21510, traps = 0x0fffffffffffe278, clip = (nil), antialias = CAIRO_ANTIALIAS_NONE), line 644 in "cairo-surface-fallback.c"
_clip_and_composite_trapezoids(src = 0x0000000110f21bd0, op = CAIRO_OPERATOR_SOURCE, dst = 0x0000000110f21510, traps = 0x0fffffffffffe278, clip = (nil), antialias = CAIRO_ANTIALIAS_NONE), line 644 in "cairo-surface-fallback.c"
_cairo_surface_fallback_paint(surface = 0x0000000110f21510, op = CAIRO_OPERATOR_SOURCE, source = 0x0000000110f21bd0), line 705 in "cairo-surface-fallback.c"
cairo-surface._cairo_surface_paint(surface = 0x0000000110f21510, op = CAIRO_OPERATOR_SOURCE, source = 0x0fffffffffffe418), line 1492 in "cairo-surface.c"
cairo-gstate._cairo_gstate_paint(gstate = 0x0000000110f216e0), line 878 in "cairo-gstate.c"
_moz_cairo_paint@AF155_71() at 0x10036ec10
_moz_cairo_paint_with_alpha@AF156_70() at 0x10036ed14
Paint__10gfxContextFd() at 0x100336fb4
OptimizeImage__11gfxPlatformFP15gfxImageSurfaceQ2_11gfxASurface14gfxImageFormat() at 0x100381100
Optimize__13nsThebesImageFP16nsIDeviceContext() at 0x100383950
SetMutable__13gfxImageFrameFi@AF43_10() at 0x100e29aec
SetMutable__13gfxImageFrameFi() at 0x100e29160
DecodingComplete__12imgContainerFv() at 0x1003ceaa0
EndGIF__13nsGIFDecoder2Fv@AF36_15() at 0x100e2d854
EndGIF__13nsGIFDecoder2Fv() at 0x100e2bc68
Close__13nsGIFDecoder2Fv() at 0x100e2b718
OnStopRequest__10imgRequestFP10nsIRequestP11nsISupportsUi() at 0x1003cc0d8
OnStopRequest__13ProxyListenerFP10nsIRequestP11nsISupportsUi() at 0x1003c556c
OnStopRequest__12nsJARChannelFP10nsIRequestP11nsISupportsUi() at 0x9000000097b6358
OnStateStop__17nsInputStreamPumpFv() at 0x1000b34b8
OnInputStreamReady__17nsInputStreamPumpFP19nsIAsyncInputStream() at 0x1000b309c
Run__23nsInputStreamReadyEventFv() at 0x90000000969a07c
ProcessNextEvent__8nsThreadFiPi() at 0x9000000096a9374
NS_ProcessNextEvent_P__FP9nsIThreadi() at 0x900000009641220
Run__14nsBaseAppShellFv() at 0x100d2aac8
Run__12nsAppStartupFv() at 0x10122e568
XRE_main() at 0x10000dffc
main() at 0x10000a6a4
Comment 1 Chris Wilson 2009-03-18 03:55:34 UTC
How reproducible is this crash? It would seem to indicate that the cloned surface was invalid, but we failed to report an error.

Knowing the contents of *clone_out, src and the various locals might help. Also the real bug is likely in either the backend or the surface fallback, so we may need to dig a little deeper to find the mistake.

Thank you for your help.
Comment 2 Shailen 2009-03-19 05:49:41 UTC
This crash is consistently reproducible and it is crashing at the same place.

File : cairo-surface.c

Function :_cairo_surface_clone_similar

Line :  (*clone_out)->device_transform = src->device_transform;

I tried printing the 'device_transform' structure elements of *clone_out and src with '%f' format just before the line where it crashes. As you can see below, some of the structure values (like device_transform::xx, device_transform::xy) of *clone_out are very large numbers.

The device_transform structure values for src
---------------------------------------------
src:device_transform::xx = 1.000000
src:device_transform::xy = 0.000000
src:device_transform::yx = 0.000000
src:device_transform::yy = 1.000000
src:device_transform::x0 = 0.000000
src:device_transform::y0 = 0.000000

The device_transform structure values for *clone_out
---------------------------------------------------
*clone_out:device_transform::xx = 351531681203464524010636727616000000000000000000000000000000.000000
*clone_out:device_transform::xy = 352950744217554670056361252370000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000
*clone_out:device_transform::yx = 295043486840638093569370430875000000.000000
clone_out:device_transform::yy = 216053491769879882552292080688000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000
clone_out:device_transform::x0 = 0.000000
clone_out:device_transform::y0 = 0.000000

Please let me know if you need any further details. I appreciate your help to investigate the root cause for the coredump.
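The failure mode described in comments 1 and 2 (a clone call that fails, or returns an invalid surface, without the caller noticing, so that `(*clone_out)->device_transform = src->device_transform` dereferences a pointer holding garbage) is illustrated below with a defensive caller. This is an added example, not cairo's code: the `matrix_t`/`surface_t` types, the status codes, the `MAX_SANE_SCALE` bound, the `fail` knob on the simulated backend and the approximated `*clone_out` values are all this example's own assumptions, chosen so the check can be run against values of the magnitude printed in comment 2.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for cairo's matrix and surface types (hypothetical;
   they mirror only the fields this example needs). */
typedef struct { double xx, xy, yx, yy, x0, y0; } matrix_t;
typedef struct { matrix_t device_transform; } surface_t;

/* Status codes: this example's own, not cairo's enum. */
enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1, STATUS_INVALID_SURFACE = 2 };

/* Largest |scale| accepted in a device transform. An assumption for this
   example: a real device transform is a small scale/offset matrix. */
#define MAX_SANE_SCALE 1.0e6

static double abs_d(double x) { return x < 0 ? -x : x; }

/* True if every element is finite and the 2x2 scale part is plausible.
   Uninitialised memory reinterpreted as doubles almost always fails this. */
bool matrix_is_sane(const matrix_t *m) {
    const double *p = (const double *)m;
    for (size_t i = 0; i < sizeof(*m) / sizeof(double); i++)
        if (!isfinite(p[i])) return false;
    return abs_d(m->xx) <= MAX_SANE_SCALE && abs_d(m->xy) <= MAX_SANE_SCALE &&
           abs_d(m->yx) <= MAX_SANE_SCALE && abs_d(m->yy) <= MAX_SANE_SCALE;
}

/* Constructed approximation of the *clone_out values printed in comment 2;
   only the magnitudes matter here. */
matrix_t reported_clone_out_transform(void) {
    matrix_t m = { 3.5e59, 3.5e203, 2.9e35, 2.2e185, 0.0, 0.0 };
    return m;
}

/* Simulated backend clone. On failure it returns an error and, like the
   behaviour suspected in the bug, leaves *clone_out untouched. `fail` is a
   constructed knob so the failure path can be exercised. */
int backend_clone_similar(const surface_t *src, int fail,
                          surface_t *storage, surface_t **clone_out) {
    if (fail) return STATUS_NO_MEMORY;
    *storage = *src;
    *clone_out = storage;
    return STATUS_SUCCESS;
}

/* Hardened caller: the assignment from the crash site runs only after the
   status is checked and the clone's transform passes the sanity test. The
   unsafe pattern is to assign unconditionally, which dereferences whatever
   *clone_out happened to contain when the backend reported an error. */
int clone_and_copy_transform(const surface_t *src, int fail,
                             surface_t *storage, surface_t **clone_out) {
    int status = backend_clone_similar(src, fail, storage, clone_out);
    if (status != STATUS_SUCCESS)
        return status;                    /* propagate; never touch *clone_out */
    if (*clone_out == NULL || !matrix_is_sane(&(*clone_out)->device_transform))
        return STATUS_INVALID_SURFACE;    /* clone exists but holds garbage */
    (*clone_out)->device_transform = src->device_transform;
    return STATUS_SUCCESS;
}

/* Exercises both paths and the sanity check; returns the number of checks
   that passed (5 when everything behaves as intended). */
int self_check(void) {
    surface_t src = { { 1.0, 0.0, 0.0, 1.0, 0.0, 0.0 } };
    surface_t storage;
    surface_t *clone = NULL;
    matrix_t bad = reported_clone_out_transform();
    int passed = 0;

    /* Failure path: error is reported and the output pointer stays NULL. */
    if (clone_and_copy_transform(&src, 1, &storage, &clone) == STATUS_NO_MEMORY) passed++;
    if (clone == NULL) passed++;
    /* Success path: clone is valid and the transform is copied. */
    if (clone_and_copy_transform(&src, 0, &storage, &clone) == STATUS_SUCCESS) passed++;
    if (clone == &storage && clone->device_transform.xx == 1.0) passed++;
    /* The magnitudes from the report are rejected; the identity is accepted. */
    if (!matrix_is_sane(&bad) && matrix_is_sane(&src.device_transform)) passed++;
    return passed;
}

int main(void) {
    printf("checks passed: %d of 5\n", self_check());
    return 0;
}
```

Compile with `cc -std=c99 example.c`; the sanity check is a cheap diagnostic to place at the crash site while tracing which backend returns the invalid clone, which is the direction comment 1 suggests.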
Comment 3 Shailen 2009-03-20 23:41:48 UTC
I am still investigating the issue. Any information that you provide would be very helpful.

Thanks,
Shailendra
Comment 4 GitLab Migration User 2018-08-25 13:45:18 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/177.
