Closed Bug 1114976 Opened 5 years ago Closed 5 years ago

crash in mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureClient>::Release()

Categories

(Core :: Canvas: WebGL, defect, critical)

35 Branch
x86
Windows NT
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla38
Tracking Status
firefox36 + verified
firefox37 --- verified
firefox38 --- verified

People

(Reporter: adalucinet, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-fdd22aea-6823-47b6-9ecf-8670e2141223.
=============================================================
More reports:
https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3AAtomicRefCountedWithFinalize%3Cmozilla%3A%3Alayers%3A%3ATextureClient%3E%3A%3ARelease%28%29&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1

Steps to reproduce:
1. Navigate to http://www.ebizmba.com/articles/best-html5-websites
2. In new tabs, open Three Dreams of Black and The Wilderness Downtown

Notes:
1. Reproduced on Windows 7 64-bit with Firefox 35 beta 6 (Build ID: 20141222200458); not reproducible on Mac OS X 10.9.5.
Can you reproduce this with older versions of Firefox as well?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #1)
> Can you reproduce this with older versions of Firefox as well?

Yes, reproduced with 31 beta 1 on Windows 7 32-bit: bp-7c961905-598c-40a1-bc13-a37e22141224
Thanks, this not being a regression makes it less crucial for release tracking.
Also effects Nightly
This signature showed up on today's beta explosive report: https://crash-analysis.mozilla.com/rkaiser/2015-01-29/2015-01-29.firefox.36.explosiveness.html with 30 crashes.
Yes, this exploded on 36 beta and most of the URLs are on youtube. Should this block the MSE bug?

It looks like this==0x4 in the Release frame. The cause of this may be pretty distant from the point of crash so it's hard to say who should look at it.

Matt, as someone who's worked in both gfx and media, maybe you can route this to an owner.
Crash Signature: [@ mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureClient>::Release()] → [@ mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureClient>::Release()] [@ xul.dll@0x2571d5 | xul.dll@0x407471 | xul.dll@0x4df94e | xul.dll@0x152654 | xul.dll@0x152a83 | xul.dll@0x774fcb | xul.dll@0x1ae0b13 ]
Flags: needinfo?(matt.woodrow)
This may be the aftereffects of an OOM allocation failure. The reports are all very low on available address space.
Blocks: MSE
I'm having real trouble figuring out where the 0x4 comes from.

The origin of this value is an nsRefPtr<> that we only ever assign with the result of new, or nullptr.

I've also confirmed with a debugger that mRecycleCallback is at |this+0|.

Other than that it just looks like an allocation failure.
Flags: needinfo?(matt.woodrow)
Nevermind, AtomicRefCountedWithFinalize<> is located at |this+4| in TextureClient (though I'm not entirely sure why).

So, ImageBridgeChild::DispatchReleaseTextureClient is getting called with aClient == nullptr.
Assignee: nobody → matt.woodrow
Attachment #8558771 - Flags: review?(nical.bugzilla)
Attachment #8558771 - Flags: review?(nical.bugzilla) → review+
https://hg.mozilla.org/mozilla-central/rev/29495c25a811
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment on attachment 8558771 [details] [diff] [review]
Don't try to release null TextureClients

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: Crashes.
[Describe test coverage new/current, TreeHerder]: None.
[Risks and why]: Not risky at all, just early-return in a case where we'd crash.
[String/UUID change made/needed]: None.
Attachment #8558771 - Flags: approval-mozilla-beta?
Attachment #8558771 - Flags: approval-mozilla-aurora?
Attachment #8558771 - Flags: approval-mozilla-beta?
Attachment #8558771 - Flags: approval-mozilla-beta+
Attachment #8558771 - Flags: approval-mozilla-aurora?
Attachment #8558771 - Flags: approval-mozilla-aurora+
Flags: qe-verify+
Duplicate of this bug: 1130053
Crash Signature: [@ mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureClient>::Release()] [@ xul.dll@0x2571d5 | xul.dll@0x407471 | xul.dll@0x4df94e | xul.dll@0x152654 | xul.dll@0x152a83 | xul.dll@0x774fcb | xul.dll@0x1ae0b13 ] → [@ mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureClient>::Release()] [@ xul.dll@0x2571d5 | xul.dll@0x407471 | xul.dll@0x4df94e | xul.dll@0x152654 | xul.dll@0x152a83 | xul.dll@0x774fcb | xul.dll@0x1ae0b13 ] [@ xul.dll@0x3e6f24 | xul.dll@0…
Verified as fixed with 36 beta 7 (Build ID: 20150205114429), Aurora 37.0a2 (Build ID: 20150208004039) and Nightly 38.0a1 (Build ID: 20150208030206) on Windows 7 64-bit (2 different machines - AMD 760G and nVIDIA GeForce 620 video cards) and Windows 8.1 64-bit (AMD Radeon HD 6450 video card).

No crashes present in Socorro after this fix landed.
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
You need to log in before you can comment on or make changes to this bug.