Bug 449111 - Crash [@ nsNativeThemeCocoa::DrawPushButton] with huge word-spacing
Status: VERIFIED FIXED
Whiteboard: [sg:critical?] fixed by bug 444864
Keywords: crash, testcase, verified1.9.0.4, verified1.9.1
Product: Core
Classification: Components
Component: Widget: Cocoa
Version: Trunk
Platform: x86 Mac OS X
Importance: P1 critical
Target Milestone: ---
Assigned To: Steven Michaud
QA Contact: cocoa
Depends on: 444864
Blocks: 306939
Reported: 2008-08-04 15:50 PDT by Jesse Ruderman
Modified: 2008-12-30 11:26 PST
Flags: joshmoz: blocking1.9.1+; dveditz: blocking1.9.0.4+; dveditz: wanted1.8.1.x-; jruderman: in-testsuite+
Crash Signature: [@ nsNativeThemeCocoa::DrawPushButton]

Attachments
testcase (crashes Firefox when loaded) (130 bytes, text/html)
2008-08-04 15:50 PDT, Jesse Ruderman
Gdb trace of crash (with console log and debug symbols) (8.94 KB, text/plain)
2008-08-21 08:26 PDT, Steven Michaud
Gdb trace that explains autorelease fault (17.36 KB, text/plain)
2008-08-21 13:29 PDT, Steven Michaud

Description Jesse Ruderman 2008-08-04 15:50:40 PDT
Created attachment 332264 [details]
testcase (crashes Firefox when loaded)

With MallocScribble enabled, the testcase makes nsNativeThemeCocoa::DrawPushButton dereference 0x55555575.

This might be related to other sg:critical button-drawing bugs (bug 444864, bug 444260).  Or it might be related to bug 410415, which has a matching crash signature but comes from a real-world site and is not marked as sg:critical.

Before the crash, I see:

firefox-bin(81663,0xa0566fa0) malloc: *** mmap(size=2147487744) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
Mon Aug  4 15:39:44 firefox-bin[81663] <Error>: CGBitmapContextInfoCreate: unable to allocate 2147484480 bytes for bitmap data
Mon Aug  4 15:39:44 firefox-bin[81663] <Error>: CGContextTranslateCTM: invalid context
Comment 1 Steven Michaud 2008-08-21 08:26:40 PDT
Created attachment 334896 [details]
Gdb trace of crash (with console log and debug symbols)

Here's a gdb stack trace of this crash, made without MallocScribble on
a recent trunk build containing debug symbols.  The same crash happens
with a 1.9.0-branch build.

As you'll see, this trace includes an error message (logged to the
console) about an autorelease "message" having been sent to a freed
object -- which confirms Jesse's results with MallocScribble.

I tested on OS X 10.5.4.
Comment 2 Steven Michaud 2008-08-21 08:33:30 PDT
Forgot to mention that there's no crash (in FF 3.0.1) on Windows XP or Linux.
Comment 3 Steven Michaud 2008-08-21 09:01:02 PDT
My patch for bug 444864 (attachment 329570 [details] [review]) also fixes this crash.

Since the same patch fixes bug 444260, bug 444864 and this bug
(449111), these bugs must be related.  But I don't think they're dups.

For example, there's only very sketchy evidence that bug 444260 and
bug 444864 are triggered by referencing a deleted object.  But it
seems pretty clear for this bug (449111).

I'll try to identify the object that gets referenced after it's
deleted.
Comment 4 Steven Michaud 2008-08-21 09:11:25 PDT
> For example, there's only very sketchy evidence that bug 444260 and
> bug 444864 are triggered by referencing a deleted object.

Oops.  It's only bug 444864 that (I think) is unlikely to be triggered
by dereferencing a deleted object.  The evidence is pretty clear for
_both_ this bug (449111) and bug 444260.
Comment 5 Steven Michaud 2008-08-21 13:29:52 PDT
Created attachment 334946 [details]
Gdb trace that explains autorelease fault

(Following up comment #3)

> I'll try to identify the object that gets referenced after it's deleted.

If you set NSZombieEnabled before you run Firefox in gdb, you'll see that this
is an NSBitmapGraphicsContext object, and that the autorelease-after-deletion
is an Apple bug:  It occurs at the end of the call to +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that method
releases its local autorelease pool.

When the NSGraphicsContext object is autoreleased, it's already been dealloced
in -[NSBitmapGraphicsContext _initWithGraphicsPort:flipped:carbonOffscreen:]
(called indirectly from +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES]).

The bug is presumably triggered by calling +[NSGraphicsContext
graphicsContextWithGraphicsPort:ctx flipped:YES] with 'ctx' set to NULL
(thanks to the previous failure of CGBitmapContextCreate(), which displayed
the "can't allocate region" message).

Exactly the same thing happens with bug 444260.
Comment 6 Steven Michaud 2008-08-22 08:33:59 PDT
(Following up comment #5)

> It occurs at the end of the call to +[NSGraphicsContext
> graphicsContextWithGraphicsPort:ctx flipped:YES], as (presumably) that
> method releases its local autorelease pool.

Actually, the autorelease-after-deletion probably occurs (at the end of the
call to +[NSGraphicsContext graphicsContextWithGraphicsPort:ctx flipped:YES])
as objects created locally get (automatically) autoreleased.

(The problem (of course) is that the NSGraphicsContext object has already been
explicitly released (and dealloced).)
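The failure chain described in comments 5 and 6 starts with CGBitmapContextCreate() returning NULL after the oversized mmap() fails, and that NULL then being handed to +[NSGraphicsContext graphicsContextWithGraphicsPort:flipped:]. The following C model, added here as an example and not taken from the Mozilla patch for bug 444864 (whose contents are not on this page), shows the defensive pattern a caller wants at that point: compute the backing-store size with overflow checks, treat a failed context creation as "skip drawing" rather than continuing with an invalid context, and never build a higher-level object on top of a NULL port. All names (bitmap_ctx, bitmap_ctx_create, draw_push_button) and the 256 MiB cap are constructed for the example; bitmap_ctx_create stands in for CGBitmapContextCreate().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap on backing-store size for this model (256 MiB). In the real
 * crash the limit was whatever mmap() could satisfy; the page shows a request
 * of 2147484480 bytes failing. */
#define MAX_BITMAP_BYTES ((size_t)256 * 1024 * 1024)
#define BYTES_PER_PIXEL 4

/* Stand-in for a CGContextRef backed by a bitmap. */
typedef struct {
    size_t width;
    size_t height;
    size_t stride;
    uint8_t *data;
} bitmap_ctx;

/* Models CGBitmapContextCreate(): returns NULL whenever the bitmap cannot be
 * backed. width*height*4 is checked for overflow step by step so an enormous
 * width (the huge word-spacing case) cannot wrap into a small allocation. */
bitmap_ctx *bitmap_ctx_create(size_t width, size_t height) {
    if (width == 0 || height == 0) return NULL;
    if (width > SIZE_MAX / BYTES_PER_PIXEL) return NULL;
    size_t stride = width * BYTES_PER_PIXEL;
    if (height > SIZE_MAX / stride) return NULL;
    size_t bytes = stride * height;
    if (bytes > MAX_BITMAP_BYTES) return NULL;

    uint8_t *data = calloc(1, bytes);
    if (data == NULL) return NULL;
    bitmap_ctx *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) {
        free(data);
        return NULL;
    }
    ctx->width = width;
    ctx->height = height;
    ctx->stride = stride;
    ctx->data = data;
    return ctx;
}

void bitmap_ctx_release(bitmap_ctx *ctx) {
    if (ctx == NULL) return;
    free(ctx->data);
    free(ctx);
}

/* Models the drawing step. The crash on the page came from passing a NULL
 * context onward to +[NSGraphicsContext graphicsContextWithGraphicsPort:flipped:];
 * here a NULL is rejected before any further object is built on top of it.
 * Returns 0 when the button was drawn, -1 when drawing was skipped. */
int draw_push_button(size_t width, size_t height) {
    bitmap_ctx *ctx = bitmap_ctx_create(width, height);
    if (ctx == NULL) {
        /* Allocation failed: skip this button rather than continue with an
         * invalid context. The caller can still finish painting the page. */
        return -1;
    }
    /* Stand-in for the actual rendering: fill the bitmap with opaque grey. */
    memset(ctx->data, 0xC0, ctx->stride * ctx->height);
    bitmap_ctx_release(ctx);
    return 0;
}

int main(void) {
    /* Normal button, then a width that reproduces the page's ~2 GiB request. */
    printf("100x20:          %d\n", draw_push_button(100, 20));
    printf("536871120x1:     %d\n", draw_push_button(536871120, 1));
    printf("SIZE_MAX/2 x 1:  %d\n", draw_push_button(SIZE_MAX / 2, 1));
    return 0;
}
```

The key design choice is that a NULL from the allocator is a normal, expected outcome of layout with absurd metrics, so it is handled at the call site with an early return; nothing downstream (the NSGraphicsContext wrapper in the real code) ever sees the invalid port.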
Comment 7 Steven Michaud 2008-09-15 07:52:19 PDT
Fixed by patch for bug 444864, which was just landed on mozilla-central.
Comment 8 Steven Michaud 2008-09-15 11:27:00 PDT
Reopened because I've backed out my patch for bug 444864 (which
probably caused some reftest failures).
Comment 9 Steven Michaud 2008-09-17 08:24:24 PDT
Fixed by my new patch for bug 444864, which was just landed on mozilla-central.
Comment 10 Jesse Ruderman 2008-09-17 14:22:19 PDT
Crashtest is in (bug 444864 comment 26).
Comment 11 Steven Michaud 2008-10-13 09:33:13 PDT
Fixed on the 1.9.0 branch by the patch for bug 444864.
Comment 12 Marcia Knous [:marcia] 2008-10-13 16:23:28 PDT
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Comment 13 Al Billings [:abillings] 2008-10-21 15:36:13 PDT
Verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Comment 14 Marcia Knous [:marcia] 2008-12-30 11:26:03 PST
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081230 Shiretoko/3.1b3pre. Testcase does not crash, so updating the keyword.