Closed Bug 1270232 Opened 9 years ago Closed 3 years ago

Startup crash in mozilla::FrameLayerBuilder::PaintItems

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Version:
49 Branch
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash, Whiteboard: gfx-noted)

Crash Data

This bug was filed from the Socorro interface and is report bp-2e08b5e2-68e2-43f0-9add-aeafe2160502. ============================================================= 0 xul.dll mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) layout/base/FrameLayerBuilder.cpp:5576 1 xul.dll mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) layout/base/FrameLayerBuilder.cpp:5725 2 xul.dll mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp:95 3 xul.dll mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp:149 4 xul.dll mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:65 5 xul.dll mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:299 6 xul.dll mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:342 7 xul.dll nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1844 8 xul.dll nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3572 9 xul.dll PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6366 10 xul.dll nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:467 11 xul.dll nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:398 12 xul.dll nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1100 13 xul.dll nsRefreshDriver::Tick(__int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1900 14 xul.dll mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, __int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:274 15 xul.dll mozilla::RefreshDriverTimer::TickRefreshDrivers(__int64, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:246 16 xul.dll mozilla::RefreshDriverTimer::Tick(__int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:265 17 xul.dll mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:588 18 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:508 19 xul.dll nsRunnableMethodImpl<void ( mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), 1, mozilla::TimeStamp>::Run() obj-firefox/dist/include/nsThreadUtils.h:709 20 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:989 21 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290 22 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:98 23 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:226 24 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:206 25 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156 26 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:262 27 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:284 28 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4347 29 xul.dll XREMain::XRE_main(int, char** const, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4451 30 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:4559 31 firefox.exe do_main browser/app/nsBrowserApp.cpp:220 32 firefox.exe NS_internal_main(int, char**, char**) browser/app/nsBrowserApp.cpp:360 33 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:135 34 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:255 Ø 35 kernel32.dll kernel32.dll@0xa553 Ø 36 ntdll.dll ntdll.dll@0x4f720 Ø 37 kernelbase.dll kernelbase.dll@0x514f ============================================================= More reports: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3AFrameLayerBuilder%3A%3APaintItems&date=2016-05-04+18%3A35%3A48&product=Firefox&version=Firefox%3A49.0a1&range_unit=hours&range_value=168#tab-reports This crash has been reported 48 times in a couple of days, apparently all by a single Nightly user. The user is on Windows 10 with an NVIDIA GeForce 9500 GT using the latest driver (9.18.13.4195). The reports start with the Nightly from May 2nd, I'm not sure if anything stands out as a regression: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1461a4071341c282afcf7b72e33036412d2251d4&tochange=77cead2cd20300623eea2416bc9bce4d5021df09 It is intriguing that this seems isolated to a single person, however. As a startup crash this likely means the user is stranded, although the last report was from 2016-05-02T18:52:28+00:00 so I suspect the user did something on their end to work around it or we've lost them altogether. I'm not sure what we can do in this situation but I'm filing it nonetheless.
Flags: needinfo?(milan)
Matt, any ideas?
Component: Graphics: Layers → Layout
Flags: needinfo?(milan) → needinfo?(matt.woodrow)
Yes, it looks like this user got a corrupt DLL somehow. We're crashing due to an invalid instruction. The minidump has the memory for the instructions it's trying to run, and I compared those to what were in the dll downloaded from the symbol server. We have a single byte that changed from 0x4D in the symbol server dll, to 0xCD in the users memory (byte 7 changed from 0 to 1). That's no longer a valid instruction, and we crash every time this function runs (it's painting, so basically as soon as we start up). I have no useful guesses as to how this user ended up with a corrupt DLL on their drive.
Flags: needinfo?(matt.woodrow)
This definitely isn't a layout bug, but I don't know where it belongs either. I suspect we only caught this because the user was persistent enough to try 48 times before finally giving up. If random binary corruption happens to other users they'd likely give up (and abandon firefox) much earlier than this, and the crash volume would be too low to register on any analysis. I would assume each corruption would be for a random bit (so an entirely different crash stack), and the only correlation between them would be the EXCEPTION_ILLEGAL_INSTRUCTION crash reason. It seems plausible that this happens to a lot of users (see bug 1034706 comment 44 for another example of corrupted memory), and we're failing to spot the correlation and thus volume. Anthony, do you know who would be the best person to look into this further?
Flags: needinfo?(anthony.s.hughes)
(In reply to Matt Woodrow (:mattwoodrow) from comment #3) > Anthony, do you know who would be the best person to look into this further? Unfortunately not.
Flags: needinfo?(anthony.s.hughes)
Nicholas, anything "Uptime" can do about figuring out a home for weird crashes like this one? See comment 2 and bug 1034706 comment 44, for example. The volume is low here, but if there is randomness involved, there may be a lot lurking.
Flags: needinfo?(n.nethercote)
In bug 1034706 and bug 1270554 we've been having discussions about JIT crashes that appear to be caused by bad hardware -- bit flips probably caused by faulty memory. One idea for dealing with it is to perform some kind of checksum on JITted code to make sure that this hasn't happened. Corrupted binaries are a similar sort of problem. Maybe we could do a checksum of our code, such as libxul? I'll add a note to the Uptime wiki about this idea.
Flags: needinfo?(n.nethercote)
Crash volume for signature 'mozilla::FrameLayerBuilder::PaintItems': - nightly(version 50):0 crashes from 2016-06-06. - aurora (version 49):3 crashes from 2016-06-07. - beta (version 48):102 crashes from 2016-06-06. - release(version 47):422 crashes from 2016-05-31. - esr (version 45):31 crashes from 2016-04-07. Crash volume on the last weeks: W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 0 0 0 0 0 0 0 - aurora 1 0 1 0 0 0 1 - beta 5 28 8 12 15 15 14 - release 63 51 47 57 64 61 57 - esr 0 2 1 3 12 5 0 Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox-esr45: --- → affected
Crash volume for signature 'mozilla::FrameLayerBuilder::PaintItems': - nightly (version 51): 0 crashes from 2016-08-01. - aurora (version 50): 1 crash from 2016-08-01. - beta (version 49): 16 crashes from 2016-08-02. - release (version 48): 88 crashes from 2016-07-25. - esr (version 45): 33 crashes from 2016-05-02. Crash volume on the last weeks (Week N is from 08-22 to 08-28): W. N-1 W. N-2 W. N-3 - nightly 0 0 0 - aurora 0 1 0 - beta 5 6 4 - release 24 26 12 - esr 1 1 1 Affected platforms: Windows, Mac OS X, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora - beta #5767 #1187 - release #701 - esr #4858
status-firefox50: --- → affected
Component: Layout → Layout: View Rendering
Component: Layout: View Rendering → Layout: Web Painting
QA Whiteboard: qa-not-actionable

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: critical → S3

The crashing code no longer exists.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.