Closed Bug 1333056 Opened 7 years ago Closed 7 years ago

content process crash in mozilla::gfx::GfxPrefValue::AssertSanity

Categories

(Core :: Graphics, defect, P3)

Product:
Core
Component:
Graphics
Version:
52 Branch
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- disabled
firefox-esr52 --- disabled
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- fixed
firefox58 --- fixed

People

(Reporter: benjamin, Assigned: rhunt)

References

Details

(Keywords: crash, regression, Whiteboard: [gfx-noted])

Crash Data

Attachments

(2 files)

diagnostics
938 bytes, patch
mccr8
: review+
Details | Diff | Splinter Review
send-build-id.patch
1.19 KB, patch
dvander
: review+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-a358ca80-5de8-45de-af9c-b96852170123.

I experienced this crash on nightly this morning. I don't exactly understand what is asserting/aborting here; is this related to a particular pref I have set, or is this more a communication error between several processes? Is it likely that this is somehow related to the GPU process? (setting NI?anthony so he's aware and can hook up the dependencies appropriately).

I see 12 of these on nightly, so I'm not the only one but this isn't high volume yet.
Flags: needinfo?(anthony.s.hughes)
Going back further in the crash data this starts showing up with Firefox 52.0a1 20161103030205 which predates GPU Process so I think we can rule that out. That build ID correlates to https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e73fd638e687a4d7f46613586e5156b8e2af846&tochange=ade8d4a63e57560410de106450f37b50ed71cca5 which *might* implicate bug 1300678. Flagging Matt Woodrow for follow up.
status-firefox51: --- → unaffected
status-firefox52: --- → affected
status-firefox53: --- → affected
Flags: needinfo?(anthony.s.hughes) → needinfo?(matt.woodrow)
Keywords: regression
OS: Windows 10 → Windows
Hardware: Unspecified → All
Whiteboard: [gfx-noted]
Version: unspecified → 52 Branch
This crash is happening in the GPU process.

It looks like the indices from the gfxPrefs list don't match up between the UI process and the GPU process (the index references a bool pref, but the union serialized wasn't a bool).

I can't see how this might happen though, it looks like gfxPrefs should be initialized the same regardless of process. Any ideas David?
Flags: needinfo?(matt.woodrow) → needinfo?(dvander)
I'm at a loss as to how this could happen, unless we're somehow launching a very different firefox.exe. Unfortunately the code for MOZ_RELEASE_ASSERT is involved enough that registers are trashed, so I can't guess as to which pref is misaligned. If we start seeing this in volume I can add instrumentation.
Flags: needinfo?(dvander)
The GPU process is riding the 53 train (hopefully).
status-firefox52: affecteddisabled
status-firefox54: --- → affected
Too late for a fix for 53, as we are in the last week of the 53 beta cycle.
status-firefox53: affectedwontfix
There have been 23 Nightly crashes in the last week.  Can we try adding that instrumentation mentioned in comment 3?  I would think that our asserts for mismatched content and parent processes would catch this, but maybe the GPU process isn't going through those codepaths?
status-firefox55: --- → affected
Flags: needinfo?(dvander)
Heh. That assert is only used for the content process, not the GPU process.
Flags: needinfo?(dvander)
Assignee: nobody → dvander
Status: NEW → ASSIGNED
Attached patch diagnosticsSplinter Review 
This adds the build ID check to the GPU process. I'm not sure exactly how reliable this will be... AssertSanity will crash pretty soon after, and the parent might not get the message. But it's worth trying.
Attachment #8862959 - Flags: review?(continuation)
Comment on attachment 8862959 [details] [diff] [review]
diagnostics

Review of attachment 8862959 [details] [diff] [review]:
-----------------------------------------------------------------

Cool. Yeah I was idly wondering if this would be needed. I suppose it makes sense that the GPU process might restart and/or be started earlier than the content process.
Attachment #8862959 - Flags: review?(continuation) → review+
Pushed by danderson@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/50998e4fbb31
Assert that the GPU process build ID matches the UI process. (bug 1333056, r=mccr8)
Whiteboard: [gfx-noted] → [gfx-noted][keep-open]
Backed out for crashing in Windows xpcshell tests, e.g. test_console_filtering.js and test_gpuprocess.js:

https://hg.mozilla.org/integration/mozilla-inbound/rev/23c8fd3467f41344d8804fbf055f9850a72c16c7

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=50998e4fbb31abfdf8d4501edea7650436d54dc8&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=95304160&repo=mozilla-inbound

12:55:23     INFO -  TEST-START | xpcshell-child-process.ini:dom/indexedDB/test/unit/test_index_object_cursors.js
12:55:24     INFO -  mozcrash Saved minidump as C:\slave\test\build\blobber_upload_dir\f572cf7c-d549-42b5-9d87-bd7af49cf33f.dmp
12:55:24     INFO -  mozcrash Saved app info as C:\slave\test\build\blobber_upload_dir\f572cf7c-d549-42b5-9d87-bd7af49cf33f.extra
12:55:24  WARNING -  PROCESS-CRASH | devtools/shared/tests/unit/test_console_filtering.js | application crashed [@ mozilla::ipc::MessageChannel::SendBuildID()]
12:55:24     INFO -  Crash dump filename: c:\users\cltbld~1.t-w\appdata\local\temp\xpc-other-ialrz5\f572cf7c-d549-42b5-9d87-bd7af49cf33f.dmp
12:55:24     INFO -  Operating system: Windows NT
12:55:24     INFO -                    6.2.9200
12:55:24     INFO -  CPU: amd64
12:55:24     INFO -       family 6 model 30 stepping 5
12:55:24     INFO -       8 CPUs
12:55:24     INFO -  GPU: UNKNOWN
12:55:24     INFO -  Crash reason:  EXCEPTION_BREAKPOINT
12:55:24     INFO -  Crash address: 0x7f901f41ac5
12:55:24     INFO -  Assertion: Unknown assertion type 0x00000000
12:55:24     INFO -  Process uptime: 3 seconds
12:55:24     INFO -  Thread 0 (crashed)
12:55:24     INFO -   0  xul.dll!mozilla::ipc::MessageChannel::SendBuildID() [MessageChannel.cpp:50998e4fbb31 : 961 + 0x1b]
12:55:24     INFO -      rax = 0x0000000000000000   rdx = 0x000000f563d3f938
12:55:24     INFO -      rcx = 0x00000000ffffffff   rbx = 0x00000000000003c1
12:55:24     INFO -      rsi = 0x000000f564281190   rdi = 0x000000f56420b230
12:55:24     INFO -      rbp = 0x000000f563d3f990   rsp = 0x000000f563d3f920
12:55:24     INFO -       r8 = 0x000000f563d3f930    r9 = 0x000000f563d3f928
12:55:24     INFO -      r10 = 0x0000000000000000   r11 = 0x000000f563d3ae60
12:55:24     INFO -      r12 = 0x0000000000000000   r13 = 0x0000000000000001
12:55:24     INFO -      r14 = 0x0000000000001740   r15 = 0x000007f9063faf50
12:55:24     INFO -      rip = 0x000007f901f41ac5
12:55:24     INFO -      Found by: given as instruction pointer in context
12:55:24     INFO -   1  xul.dll!mozilla::gfx::GPUParent::Init(unsigned long,MessageLoop *,IPC::Channel *) [GPUParent.cpp:50998e4fbb31 : 95 + 0x10]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3f9b0   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f9028eba78
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   2  xul.dll!XRE_InitChildProcess(int,char * * const,XREChildData const *) [nsEmbedFunctions.cpp:50998e4fbb31 : 677 + 0x38]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fa00   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f9054fcf5e
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   3  plugin-container.exe!content_process_main(mozilla::Bootstrap *,int,char * * const) [plugin-container.cpp:50998e4fbb31 : 64 + 0x13]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fc20   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f72b2e1283
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   4  plugin-container.exe!NS_internal_main(int,char * *) [MozillaRuntimeMain.cpp:50998e4fbb31 : 25 + 0xa]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fc60   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f72b2e10de
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   5  plugin-container.exe!wmain [nsWindowsWMain.cpp:50998e4fbb31 : 111 + 0xb]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fc90   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f72b2e1516
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   6  plugin-container.exe!__scrt_common_main_seh [exe_common.inl : 253 + 0x22]
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fcf0   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f72b3262f1
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   7  kernel32.dll!BaseThreadInitThunk + 0x1a
12:55:24     INFO -      rbx = 0x00000000000003c1   rbp = 0x000000f563d3f990
12:55:24     INFO -      rsp = 0x000000f563d3fd30   r12 = 0x0000000000000000
12:55:24     INFO -      r13 = 0x0000000000000001   r14 = 0x0000000000001740
12:55:24     INFO -      r15 = 0x000007f9063faf50   rip = 0x000007f920bc167e
12:55:24     INFO -      Found by: call frame info
12:55:24     INFO -   8  ntdll.dll!RtlUserThreadStart + 0x21
12:55:24     INFO -      rsp = 0x000000f563d3fd60   rip = 0x000007f9234fc3f1
12:55:24     INFO -      Found by: stack scanning
12:55:24     INFO -   9  KERNELBASE.dll!GetLegacyComposition + 0x1180
12:55:24     INFO -      rsp = 0x000000f563d3fd90   rip = 0x000007f9205609d0
12:55:24     INFO -      Found by: stack scanning
Flags: needinfo?(dvander)
The number of crashes is low. Mark 54 won't fix.
status-firefox54: affectedwontfix
It seems like crashes went way up in 56b6. Milan, could someone take a look again?
status-firefox55: affectedwontfix
status-firefox56: --- → affected
status-firefox57: --- → affected
Flags: needinfo?(milan)
Ryan, can you take a look?  Maybe redo the diagnostic?
Flags: needinfo?(rhunt)
Flags: needinfo?(milan)
Flags: needinfo?(dvander)
I will try and figure out why David's patch got backed out.
Assignee: dvander → rhunt
Flags: needinfo?(rhunt)
The problem here is from xpcshell creating and killing the GPU process faster than it can initialize. In some cases this can cause the channel to be in error or closed by the time SendBuildID happens.

I don't think it makes sense to crash in this case, because if the channel isn't connected the parent doesn't care what the build ID is. I'll add a patch that changes the assert.

        Attachment #8911367 -
        Flags: review?(dvander)

    
    

    
  
(In reply to Ryan Hunt [:rhunt] from comment #16)
> The problem here is from xpcshell creating and killing the GPU process

That sounds all kinds scary to me.  Can we not do that?

    
    

    
  
(In reply to Milan Sreckovic [:milan] from comment #18)
> (In reply to Ryan Hunt [:rhunt] from comment #16)
> > The problem here is from xpcshell creating and killing the GPU process
> 
> That sounds all kinds scary to me.  Can we not do that?

I found one case we could mitigate: bug 1402500.

But in the general case, the GPU process is created when gfxPlatform is accessed, and that can happen randomly in gecko. If it happens near the end of the test (or if the test is really short because they spawn separate processes), it seems like it can trigger this.

We could disable the GPU process for most xpcshell tests. Or we could explicitly initialize it at the beginning of each test, which would probably also prevent this. I don't know what's better.

    
    

    
  
(In reply to Milan Sreckovic [:milan] from comment #18)
> (In reply to Ryan Hunt [:rhunt] from comment #16)
> > The problem here is from xpcshell creating and killing the GPU process
> 
> That sounds all kinds scary to me.  Can we not do that?

Why is it scary?

        Attachment #8911367 -
        Flags: review?(dvander) → review+

    
    

    
  
Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ad52ca20b048
Don't crash in SendBuildID when MessageChannel isn't connected. (bug 1333056, r=dvander)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0673fb534d0
Assert that the GPU process build ID matches the UI process. (bug 1333056, r=mccr8)

    
    

    
  
Comment on attachment 8911367 [details] [diff] [review]
send-build-id.patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 1345978 
[User impact if declined]: bug 1352458, which has a lot of crashes, but with not a lot of different users.
[Is this code covered by automated tests?]: This particular error path is not.
[Has the fix been verified in Nightly?]: This crash is not present in Nightly any more.
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: I don't think it should be.
[Why is the change risky/not risky?]:  It just removes a crash that I added not really knowing what I was doing. It should be okay to just keep going instead, as if we hit this state it is probably going to shut down nicely anyways.
[String changes made/needed]: none

There are two patches in this bug but only this one is needed to fix the crash.

        Attachment #8911367 -
        Flags: approval-mozilla-beta?

    
    

    
  
This patch has been in Nightly for a few weeks without any obvious regressions, which I think reduces the risk.

    
    

    
  
Comment on attachment 8911367 [details] [diff] [review]
send-build-id.patch

Crash fix, Bet57+

        Attachment #8911367 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
Seems like the keep-open was a leftover from a long time ago and this is actually fixed now?
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox58:
          --- → fixed
Resolution: --- → FIXED
Whiteboard: [gfx-noted][keep-open] → [gfx-noted]
Target Milestone: --- → mozilla58

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: