Bug 54664

Summary: Firefox crashes after "xlib: Implement SHM fallbacks and fast upload paths"
Product: cairo
Reporter: ojab <ojab>
Component: xlib backend
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: major
Priority: medium
Version: 1.12.2
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: gdb bt full

Description ojab 2012-09-08 09:36:07 UTC
Created attachment 66830: gdb bt full

Firefox built with system cairo is broken right now; the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=722975 can be used to fix it.

I'm building Fx with system cairo and it crashes sometimes during browsing after: 

0bfd2acd35547fc2bd0de99cc67d153f0170697d is the first bad commit
commit 0bfd2acd35547fc2bd0de99cc67d153f0170697d
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Mon Aug 13 01:34:12 2012 +0100

    xlib: Implement SHM fallbacks and fast upload paths
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

:100644 100644 0067bfc91678ab6af013f89fca68e550b55737e2 3d668b6852bd67dbca71afe6e3206675aae15554 M	configure.ac
:040000 040000 0f0c60329019ef0fbb14221ac7a53dfa74467d2b 199d5653aae82ccddbba67d320375b05a31bde8d M	src


A gdb `bt full` with a cairo debug build can be found in the attached file. Unfortunately Firefox itself is a release build, so symbols from libxul.so are missing.

AFAIU Fx somehow sets the surface to _cairo_surface_nil, which sets "backend = NULL", and then there is a nullptr dereference in:

@@ -73,7 +73,7 @@ _cairo_image_surface_is_clone (cairo_image_surface_t *image)
 static inline cairo_bool_t
 _cairo_surface_is_image (const cairo_surface_t *surface)
 {
-    return surface->backend == &_cairo_image_surface_backend;
+    return surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
 }
 
 /**
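Review bot: the new return expression reads surface->backend->type unconditionally, but the error surface (_cairo_surface_nil, per the report above) carries backend == NULL, so this predicate now crashes on exactly the surfaces that callers pass in to reject. The removed pointer comparison `surface->backend == &_cairo_image_surface_backend` was NULL-safe; the type comparison loses that property. Guard it first, e.g. return FALSE when surface->status is set or surface->backend is NULL before touching ->type, which is what the follow-up commit 558f0a5 ("Check for an error surface before dereferencing the backend") describes doing.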


Please tell me if any additional info (such as backtrace of Fx Debug build) is needed for investigation.
Comment 1 Chris Wilson 2012-09-08 14:16:15 UTC
Though do note that the caller is trying to use an error surface, which itself might be worth investigating.

commit 558f0a5ab4a88937b8c212c13309d11cb1a101af
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Sep 8 15:12:58 2012 +0100

    image: Check for an error surface before dereferencing the backend
    
    As the surface->backend will be NULL in such an error surface, and we
    may be legitimately doing boundary checks to reject the error surface.
    The alternative would be to set an explicit error surface backend.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54664
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

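The failure mode described in this report and the fix summarized in the commit message above, as an added C example that is not cairo's code: the structs, enums, backend and surface names, and the surface_create() routine below are constructed stand-ins for the shape of cairo's types (a surface holds a backend pointer; the shared error surface has backend == NULL), not cairo's real definitions. The three predicates show the NULL-safe pointer compare from before the regression, the regressed form from the quoted hunk, and the hardened form that rejects the error surface before dereferencing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins (NOT cairo's real definitions). They reproduce only
 * what matters for the crash: a surface holds a backend pointer, and the
 * shared error ("nil") surface has backend == NULL and a non-zero status.
 */
typedef enum {
    SURFACE_STATUS_SUCCESS = 0,
    SURFACE_STATUS_NO_MEMORY,
    SURFACE_STATUS_INVALID_SIZE
} surface_status_t;

typedef enum {
    SURFACE_TYPE_IMAGE = 0,
    SURFACE_TYPE_XLIB
} surface_type_t;

typedef struct {
    surface_type_t type;
    const char *name;
} surface_backend_t;

typedef struct {
    const surface_backend_t *backend;   /* NULL on the error surface */
    surface_status_t status;            /* non-zero on the error surface */
} surface_t;

static const surface_backend_t image_backend = { SURFACE_TYPE_IMAGE, "image" };
static const surface_backend_t xlib_backend  = { SURFACE_TYPE_XLIB,  "xlib"  };

/* Shared error singleton, modelled on cairo's _cairo_surface_nil (constructed). */
static const surface_t surface_nil   = { NULL,           SURFACE_STATUS_NO_MEMORY };
static const surface_t image_surface = { &image_backend, SURFACE_STATUS_SUCCESS   };
static const surface_t xlib_surface  = { &xlib_backend,  SURFACE_STATUS_SUCCESS   };

/*
 * Constructed creation routine. Like cairo, it never returns NULL on failure;
 * it hands back the error surface, which is why error surfaces legitimately
 * reach predicates such as the ones below.
 */
static const surface_t *surface_create(surface_type_t type, int width, int height)
{
    if (width <= 0 || height <= 0)
        return &surface_nil;
    return type == SURFACE_TYPE_IMAGE ? &image_surface : &xlib_surface;
}

/* Before the regression: a pointer compare, which is NULL-safe. */
static bool is_image_by_pointer(const surface_t *s)
{
    return s->backend == &image_backend;
}

/*
 * The regressed form from the quoted hunk: reads backend->type without
 * checking for the error surface. Calling this on surface_nil is a NULL
 * dereference, so main() deliberately does not.
 */
static bool is_image_unchecked(const surface_t *s)
{
    return s->backend->type == SURFACE_TYPE_IMAGE;
}

/* Hardened form: reject an error surface before touching its backend. */
static bool is_image_checked(const surface_t *s)
{
    if (s->status != SURFACE_STATUS_SUCCESS || s->backend == NULL)
        return false;
    return s->backend->type == SURFACE_TYPE_IMAGE;
}

int main(void)
{
    const surface_t *ok  = surface_create(SURFACE_TYPE_IMAGE, 16, 16);
    const surface_t *bad = surface_create(SURFACE_TYPE_IMAGE, 0, 16); /* error surface */

    printf("valid image surface: unchecked=%d checked=%d\n",
           is_image_unchecked(ok), is_image_checked(ok));
    printf("error surface:       pointer=%d checked=%d (unchecked would segfault)\n",
           is_image_by_pointer(bad), is_image_checked(bad));
    return 0;
}
```

The status check alone would suffice in cairo's model, where every error surface carries a non-zero status; the explicit NULL test on the backend is belt-and-braces so the predicate stays safe even for a surface object that was only partially initialised.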