1107930 - crash in @0x0 | mozilla::layers::ContentHostIncremental::Composite(mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4 const&, mozilla::gfx::Filter const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, nsIntRegion const*)

Status: RESOLVED DUPLICATE of bug 1098227

(Core :: Graphics: Layers, defect)

Description

[Aaron Train [:aaronmt]]

This bug was filed from the Socorro interface and is 
report bp-335a193e-4b68-423d-a7cb-abb7d2141204.
=============================================================

Comment 1

[Catalin Suciu [:csuciu]]

I'm able to reproduce this crash on the latest Nightly

Steps:
1. go to http://www.flightradar24.com/data/flights/ua931/
2. scroll/zoom in the map area

Result: https://crash-stats.mozilla.com/report/index/de49b438-76fb-4fd6-9d3e-200762141209

Device:Samsung Galaxy Note 3 (4.4.2)

Comment 2

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

I can reproduce this locally with the STR in comment #1. Looking into it.

Comment 3

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

Stack from gdb:

#0  0x7dd77d04 in ConsumerAcquire (this=0x8c5a9890) at ../../dist/include/SharedSurface.h:106
#1  mozilla::layers::SharedSurfaceTextureHost::Lock (this=0x8c014280) at /Users/snorp/source/gecko-dev/gfx/layers/composite/TextureHost.cpp:981
#2  0x7dd5ea7e in mozilla::layers::ImageHost::Lock (this=0x8a60ff40) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ImageHost.cpp:253
#3  0x7dd3fa5c in mozilla::layers::AutoLockCompositableHost::AutoLockCompositableHost (this=0x8adfd4a0, aHost=0x8a60ff40) at ../../dist/include/CompositableHost.h:283
#4  0x7dd63772 in mozilla::layers::ImageHost::Composite (this=0x8a60ff40, aEffectChain=..., aOpacity=1, aTransform=..., aFilter=@0x8adfd533: mozilla::gfx::GOOD, aClipRect=..., aVisibleRegion=0x0) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ImageHost.cpp:88
#5  0x7dd66c50 in mozilla::layers::CanvasLayerComposite::RenderLayer (this=0x906f1000, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/CanvasLayerComposite.cpp:109
#6  0x7dd6ff52 in mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite> (aContainer=aContainer@entry=0x8b051800, aManager=aManager@entry=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:371
#7  0x7dd70cb8 in mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite> (aContainer=0x8b051800, aManager=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:531
#8  0x7dd6ff52 in mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite> (aContainer=aContainer@entry=0x8dc3e800, aManager=aManager@entry=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:371
#9  0x7dd70cb8 in mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite> (aContainer=0x8dc3e800, aManager=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:531
#10 0x7dd6ff52 in mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite> (aContainer=aContainer@entry=0x8c591000, aManager=aManager@entry=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:371
#11 0x7dd70cb8 in mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite> (aContainer=0x8c591000, aManager=0x8afb7240, aClipRect=...) at /Users/snorp/source/gecko-dev/gfx/layers/composite/ContainerLayerComposite.cpp:531
#12 0x7dd6b038 in mozilla::layers::LayerManagerComposite::Render (this=this@entry=0x8afb7240) at /Users/snorp/source/gecko-dev/gfx/layers/composite/LayerManagerComposite.cpp:723
#13 0x7dd6b32c in mozilla::layers::LayerManagerComposite::EndTransaction (this=0x8afb7240, aCallback=<optimized out>, aCallbackData=<optimized out>, aFlags=<optimized out>) at /Users/snorp/source/gecko-dev/gfx/layers/composite/LayerManagerComposite.cpp:309
#14 0x7dd6b400 in mozilla::layers::LayerManagerComposite::EndEmptyTransaction (this=0x8afb7240, aFlags=<optimized out>) at /Users/snorp/source/gecko-dev/gfx/layers/composite/LayerManagerComposite.cpp:256
#15 0x7dd7e5da in mozilla::layers::CompositorParent::CompositeToTarget (this=0x8a3f1000, aTarget=0x0, aRect=<optimized out>) at /Users/snorp/source/gecko-dev/gfx/layers/ipc/CompositorParent.cpp:905
#16 0x7d99fc4a in MessageLoop::RunTask (this=0x8adfdcb8, task=0x8a1027f0) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:361
#17 0x7d9a3ba8 in MessageLoop::DeferOrRunPendingTask (this=<optimized out>, pending_task=...) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:369
#18 0x7d9a4e90 in MessageLoop::DoWork (this=0x8adfdcb8) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:447
#19 0x7d99fd36 in base::MessagePumpDefault::Run (this=0x8acc3680, delegate=0x8adfdcb8) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_pump_default.cc:34
#20 0x7d9a1388 in MessageLoop::RunInternal (this=this@entry=0x8adfdcb8) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:233
#21 0x7d9a13a4 in RunHandler (this=0x8adfdcb8) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:226
#22 MessageLoop::Run (this=0x8adfdcb8) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:200
#23 0x7d9abf44 in base::Thread::ThreadMain (this=0x8ac8ceb0) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/thread.cc:170
#24 0x7d996f5c in ThreadFunc (closure=<optimized out>) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/platform_thread_posix.cc:39
#25 0x40060174 in __thread_entry () from /Users/snorp/source/jimdb-arm/lib/00850937d791b9ee/system/lib/libc.so
#26 0x4006030c in pthread_create () from /Users/snorp/source/jimdb-arm/lib/00850937d791b9ee/system/lib/libc.so
#27 0x00000000 in ?? ()

It looks like the SharedSurface has been freed, as inspecting it yields:

(gdb) p *this
$4 = {_vptr.SharedSurface = 0x5a5a5a5a, mType = 90, mAttachType = 90, mGL = 0x5a5a5a5a, mSize = {<mozilla::gfx::BaseSize<int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> >> = {width = 1515870810, height = 1515870810}, <mozilla::gfx::UnknownUnits> = {<No data fields>}, <No data fields>}, mHasAlpha = 90, 
  mIsLocked = 90, mIsProducerAcquired = 90, mIsConsumerAcquired = 90, mOwningThread = {value = 0x5a5a5a5a}}

Comment 4

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

Jeff, it looks like something is yanking the SharedSurface out from under SharedSurfaceTextureHost/Client, can you look into this? It's easily reproducible with the STR in comment #1.

Comment 5

[Sylvestre Ledru [:Sylvestre]]

Kairo mentioned that 36 is affected too.

Comment 6

[alex_mayorga]

Nightly on a Kindle Fire crashes like

Report ID

Comment 7

[alex_mayorga]

Report ID 	Date Submitted
bp-2c133268-7172-46f8-8ab8-11fbb2150102	01/01/15	18:19

Subscribing...

Comment 8

[Kevin Brosnan [Ex-Mozilla]]

This is the number 1 top crash in Firefox for Android 36 beta 1. This represents 12% of all crashes.

Comment 9

[Kevin Brosnan [Ex-Mozilla]]

Er number 1 and 2 top crash and represents 18% of all crashes.

Comment 10

[Sylvestre Ledru [:Sylvestre]]

Milan, could you help on this? Thanks

Comment 11

[Milan Sreckovic [:milan] (needinfo for best results)]

Nicolas, any ideas on this one?  Do you have a device to reproduce?

I'm still nervous about AutoLockCompositableHost & ImageHost interplay, probably for no good reason...

Comment 12

[Nicolas Silva [:nical]]

This is a lifetime issue with SurfaceStream dupe of bug 1098227 and a few other bugs.

Comment 13

[Lawrence Mandel [:lmandel] (use needinfo)]

Clearing status and tracking. Dup bug 1098227 has the correct flags set.