crash in nsExpirationTracker<mozilla::gfx::GradientCacheData, int>::RemoveObject(mozilla::gfx::GradientCacheData*)

RESOLVED INCOMPLETE

Status

()

Core
Graphics
--
critical
RESOLVED INCOMPLETE
3 years ago
2 years ago

People

(Reporter: lizzard, Unassigned)

Tracking

({crash, topcrash})

34 Branch
x86
Windows NT
crash, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

This bug was filed from the Socorro interface and is 
report bp-ed5c0545-5b80-465f-b33c-f46fe2141016.
=============================================================
This is the #9 topcrash for Firefox 34.0b1 with 1162/95927 crashes. 99% of these crashes are on Windows 7. 

Crashing thread:

0 	xul.dll 	nsExpirationTracker<mozilla::gfx::GradientCacheData, 4>::RemoveObject(mozilla::gfx::GradientCacheData*) 	xpcom/ds/nsExpirationTracker.h
1 	xul.dll 	BlurCache::Lookup(gfxRect const&, nsIntSize const&, gfxRect const&, mozilla::gfx::BackendType, gfxRect const*) 	gfx/thebes/gfxBlur.cpp
2 	xul.dll 	GetCachedBlur(mozilla::gfx::DrawTarget*, gfxRect const&, nsIntSize const&, gfxRect const&, gfxRect const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) 	gfx/thebes/gfxBlur.cpp
3 	xul.dll 	gfxAlphaBoxBlur::BlurRectangle(gfxContext*, gfxRect const&, gfxCornerSizes*, gfxPoint const&, gfxRGBA const&, gfxRect const&, gfxRect const&) 	gfx/thebes/gfxBlur.cpp
4 	xul.dll 	nsContextBoxBlur::BlurRectangle(gfxContext*, nsRect const&, int, gfxCornerSizes*, int, gfxRGBA const&, nsRect const&, gfxRect const&) 	layout/base/nsCSSRendering.cpp
5 		@0x40928bff
Do we have the dates when this started happening?  Month ago?  Sooner?
Some weird stuff here with the stack - I would not have expected to see GradientCacheData in there, with the BlurCache::Lookup.
> Do we have the dates when this started happening?  Month ago?  Sooner?

It goes back quite a ways... 31 or earlier.

> Some weird stuff here with the stack - I would not have expected to see
> GradientCacheData in there, with the BlurCache::Lookup.

Linker merging -- the top frame was originally:
    xul!nsExpirationTracker<BlurCacheData,4>::RemoveObject (struct BlurCacheData *)

> 99% of these crashes are on Windows 7. 

Interesting. And Intel driver 8.15.10.1749 is 92%. 
Among Intel adapters, the top devices are:
1 	0x2a42 	1089 	59.84 %
2 	0x2e32 	552 	30.33 %
3 	0x2e12 	104 	5.71 %
4 	0x2e22 	42 	2.31 %

The app are typically: D3D11 Layers? D3D11 Layers- D3D9 Layers? D3D9 Layers+
Crash Signature: [@ nsExpirationTracker<mozilla::gfx::GradientCacheData, int>::RemoveObject(mozilla::gfx::GradientCacheData*)] → [@ nsExpirationTracker<mozilla::gfx::GradientCacheData, int>::RemoveObject(mozilla::gfx::GradientCacheData*)] [@ nsExpirationTracker<BlurCacheData, int>::RemoveObject(BlurCacheData*)]
Lots of inlining happening, but I think |lastObj->GetExpirationState()| is null at: http://hg.mozilla.org/releases/mozilla-beta/annotate/7a12de89326b/xpcom/ds/nsExpirationTracker.h#l150
Hmm, that would mean that the BlurCacheData* |lastObj| is itself null...
> It goes back quite a ways... 31 or earlier.
But... the particular crashes associated with these Intel drivers really spiked on release candidate 33.0 build1 (but not build2) and 34.0b1 (but not b2 or later).

> And Intel driver 8.15.10.1749 is 92%. 
It seems this driver version was at the heart of bug 1074378 which was backed out for 33.0 build2.

Nical, am I interpreting this correctly, that these crashes only appear when the driver is blocklisted? Are you planning to re-land that blocklist patch?
Flags: needinfo?(nical.bugzilla)
(In reply to David Major [:dmajor] (UTC+13) from comment #6)
> Nical, am I interpreting this correctly, that these crashes only appear when
> the driver is blocklisted?

It would appear so. I am having a hard time making sense of the stack trace here and connecting it to D3D9 stuff, though.

> Are you planning to re-land that blocklist patch?

If we reland a blocklist patch for this driver, we'll disable acceleration entirely rather than falling back to D3D9, so we should be good here.
Flags: needinfo?(nical.bugzilla)
Resolving as incomplete since there are no reports of this crash anymore.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.