Closed Bug 1241484 Opened 7 years ago Closed 7 years ago

crash in mozilla::layers::TextureChild::WaitForCompositorRecycle | mozilla::layers::CanvasClientSharedSurface::Updated

Categories

(Core :: Graphics, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla47
Tracking Status
firefox43 --- affected
firefox44 --- affected
firefox45 --- affected
firefox46 --- wontfix
firefox47 --- fixed
firefox-esr45 47+ fixed

People

(Reporter: adalucinet, Assigned: mattwoodrow)

Details

(Keywords: crash, regression, Whiteboard: [gfx-noted])

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-b47d4745-f19a-43aa-83dc-317a02160121.
=============================================================
Reproducible with 44.0RC build 2 (Build ID: 20160120154102), 44 beta 9 (Build ID: 20160114165817), latest Aurora 45.0a2 and Nightly 46.0a1 (from 2016-01-20) *only* with e10s disabled
Affected platforms: Mac OS X 10.9.5, Windows 8.1 64-bit and Windows 10 32-bit

Steps to reproduce:
1. Launch Firefox.
2. In a new tab, navigate to https://www.google.com/maps/
3. Drag the tab from step 2 in a new window
4. Drag it back to the main window.

Additional notes:
1. Reproduced also with a different signature: bp-ad2f8d08-350a-4d44-b6b5-9972e2160121
2. Unable to reproduce under Ubuntu 14.04 32-bit
3. Crash signature for Mac OS X: bp-f2e8e462-e39e-40dd-b479-929032160121
4. Also reproducible with 43.0a1 from 2015-09-01 → bp-ce987fe8-ca42-4822-a700-1e32d2160121; will investigate further for the regression range.
5. More reports: https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3Alayers%3A%3ATextureChild%3A%3AWaitForCompositorRecycle+|+mozilla%3A%3Alayers%3A%3ACanvasClientSharedSurface%3A%3AUpdated&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1#reports
I think these are all different issues. The stacks are all very different and the data shows different starting points. Please confirm which of these you can reproduce in Firefox 43.0.4 and file separate bug reports for each.
Whiteboard: [gfx-noted]
(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #1)
> I think these are all different issues. The stacks are all very different
> and the data shows different starting points. Please confirm which of these
> you can reproduce in Firefox 43.0.4 and file separate bug reports for
> each.

Sure - filed separate reports as follows:
* For the signature from Additional notes 1, logged bug 1241861
* For the Mac OS X crash - Additional notes 3 - there was already bug 1217128 - fixed by bug 1207220 on 45 and 46 branch and wontfix for 44; but with latest Aurora 45.0a2 and Nightly 46.0a1 encountered bug 1241875
* With latest Aurora 45.0a2, under Windows 7 64-bit, also encountered shutdown crash bug 1241876.

fyi: additional results are available via https://goo.gl/oKwWGM
Reproducible: 100% always with new profile (disabled e10s)

Steps to reproduce:
1. Launch Firefox with *newly* created profile and *disable* e10s and restart
2. In a new tab, open https://www.google.com/maps/
3. Drag the tab from step 2 in a new window
4. Drag it back to the main window.
(optionally)
5. Repeat Step 3 and 4 if necessary
6. Quit browser

Actual Results:
Crash
41 bp-160edb50-24d3-44f7-893a-05ed22160123
42 bp-a2d5b1dc-2e8b-4240-8b6d-eeaec2160123
43 bp-6c3df9f0-c897-4d0f-bbbd-90e5a2160123
44.0rc build2 bp-addc241a-d86b-4cc0-94f9-38ec22160123
45.0a2 bp-9d676557-add7-4539-94fa-4e4072160123 (*crash when quit browser)
46.0a1 bp-bacc1bab-314f-4df1-b923-934652160123 (*crash when quit browser)

Expected Results:
No crash

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c7720cbbe62e&tochange=c4d1692d88ee

Regressed by: c4d1692d88ee Jeff Gilbert — Bug 1144906 - Add accel E10S backend for WebGL compositing. - r=jrmuizel,mattwoodrow,nical,sotaro
Blocks: 1144906
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(jgilbert)
This was a little non-obvious. LTCG has allowed the compiler to inline TextureClient::WaitForCompositorRecycle.

We null check mFront in CanvasClientSharedSurface::Updated(), but we don't null check mActor in TextureClient::WaitForCompositorRecycle.

This allows us to get into TextureChild::WaitForCompositorRecycle with this==nullptr.
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(jgilbert)
Attachment #8712007 - Flags: review?(nical.bugzilla)
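
The null-check gap described in the comment above, as an added example that is not part of the bug thread or Gecko's source. It is a simplified C++ model: class and member names follow the comment, while the method bodies, the `recycleWaits` counter and `UpdatedWithActor` are hypothetical.

```cpp
// Simplified model of the pattern in the comment above; not Gecko source.
// Names echo the bug comment; bodies and counters are hypothetical.
#include <memory>

struct TextureChild {
  int recycleWaits = 0;  // hypothetical: counts forwarded calls
  void WaitForCompositorRecycle() { ++recycleWaits; }  // touches *this
};

struct TextureClient {
  TextureChild* mActor = nullptr;  // may be absent

  // Before: forwards unconditionally. With mActor == nullptr this is a
  // member call on a null pointer (undefined behaviour); once inlined, the
  // fault surfaces inside TextureChild::WaitForCompositorRecycle.
  void WaitForCompositorRecycleUnchecked() {
    mActor->WaitForCompositorRecycle();
  }

  // After: the callee guards its own pointer instead of relying on callers.
  bool WaitForCompositorRecycle() {
    if (!mActor) return false;
    mActor->WaitForCompositorRecycle();
    return true;
  }
};

struct CanvasClientSharedSurface {
  std::unique_ptr<TextureClient> mFront;

  // The caller's null check covers mFront only. It says nothing about
  // mFront->mActor, which is why the guard belongs in TextureClient.
  bool Updated() {
    if (!mFront) return false;
    return mFront->WaitForCompositorRecycle();
  }
};

// Constructed scenario: the front buffer exists, the actor may not.
bool UpdatedWithActor(TextureChild* actor) {
  CanvasClientSharedSurface canvas;
  canvas.mFront.reset(new TextureClient());
  canvas.mFront->mActor = actor;
  return canvas.Updated();
}
```
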
Comment on attachment 8712007
Null check mActor

Review of attachment 8712007:
-----------------------------------------------------------------

Nice catch
Attachment #8712007 - Flags: review?(nical.bugzilla) → review+
https://hg.mozilla.org/mozilla-central/rev/b5ce638ed18b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Carryover regression triage: fixed in 47, too late for 46.
Thanks Jeff. This should be in today's esr build and release next week.