[cairo-bugs] [Bug 54664] New: Firefox crashes after "xlib: Implement SHM fallbacks and fast upload paths"

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Sep 8 02:36:07 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=54664

             Bug #: 54664
           Summary: Firefox crashes after "xlib: Implement SHM fallbacks
                    and fast upload paths"
    Classification: Unclassified
           Product: cairo
           Version: 1.12.2
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: xlib backend
        AssignedTo: cworth at cworth.org
        ReportedBy: ojab at ojab.ru
         QAContact: cairo-bugs at cairographics.org


Created attachment 66830
  --> https://bugs.freedesktop.org/attachment.cgi?id=66830
gdb bt full

A Firefox build with system cairo is broken right now; the patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=722975 can be used to fix it.

I'm building Fx with system cairo and it crashes sometimes during browsing
after: 

0bfd2acd35547fc2bd0de99cc67d153f0170697d is the first bad commit
commit 0bfd2acd35547fc2bd0de99cc67d153f0170697d
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Mon Aug 13 01:34:12 2012 +0100

    xlib: Implement SHM fallbacks and fast upload paths

    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>

:100644 100644 0067bfc91678ab6af013f89fca68e550b55737e2
3d668b6852bd67dbca71afe6e3206675aae15554 M    configure.ac
:040000 040000 0f0c60329019ef0fbb14221ac7a53dfa74467d2b
199d5653aae82ccddbba67d320375b05a31bde8d M    src


gdb `bt full` with a cairo debug build can be found in the attached file.
Unfortunately Firefox itself is a Release build, so symbols from libxul.so are
missing.

AFAIU Fx somehow sets the surface to _cairo_surface_nil, which sets "backend = NULL",
and then there is a nullptr dereference in:

@@ -73,7 +73,7 @@ _cairo_image_surface_is_clone (cairo_image_surface_t *image)
 static inline cairo_bool_t
 _cairo_surface_is_image (const cairo_surface_t *surface)
 {
-    return surface->backend == &_cairo_image_surface_backend;
+    return surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
 }

 /**
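Review bot: the added line in `_cairo_surface_is_image` dereferences `surface->backend` unconditionally, while the removed line only compared the pointer value, so a surface whose `backend` is NULL (the `_cairo_surface_nil` case the reporter describes above) now faults on `->type` instead of returning false. Guard the dereference, e.g. `return surface->backend != NULL && surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;`, or make sure nil surfaces are rejected by every caller before this helper is reached.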


Please tell me if any additional info (such as backtrace of Fx Debug build) is
needed for investigation.
