Closed Bug 1335827 Opened 3 years ago Closed 3 years ago

frequent crashes "ABORT: RenderFreePicture: RenderBadPicture" in Firefox 51

Categories

(Core :: Graphics: Layers, defect, P3, critical)

51 Branch
Unspecified
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
thunderbird_esr45 --- unaffected
thunderbird_esr52 ? affected
firefox51 --- wontfix
firefox52 --- fixed
firefox-esr52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: mikulas, Assigned: lsalzman)

References

Details

(Keywords: crash, Whiteboard: [gfx-noted])

Crash Data

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux armv7l; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125172832

Steps to reproduce:

I run firefox over a remote X11 connection
export DISPLAY=host:0.0;firefox &

Firefox is being run on Ubuntu Trusty Tahr on ARM architecture.


Actual results:

Very often, I get a crash with these error messages. This is a new bug in firefox 51, it didn't happen in earlier versions.

[Parent 27000] ###!!! ABORT: RenderFreePicture: RenderBadPicture (invalid Picture parameter); 10 requests ago: file /build/firefox-roYnPF/firefox-51.0.1+build2/toolkit/xre/nsX11ErrorHandler.cpp, line 147
[Parent 27000] ###!!! ABORT: RenderFreePicture: RenderBadPicture (invalid Picture parameter); 10 requests ago: file /build/firefox-roYnPF/firefox-51.0.1+build2/toolkit/xre/nsX11ErrorHandler.cpp, line 147
ExceptionHandler::GenerateDump cloned child 5562
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[Child 27242] ###!!! ABORT: Aborting on channel error.: file /build/firefox-roYnPF/firefox-51.0.1+build2/ipc/glue/MessageChannel.cpp, line 2056
[Child 27242] ###!!! ABORT: Aborting on channel error.: file /build/firefox-roYnPF/firefox-51.0.1+build2/ipc/glue/MessageChannel.cpp, line 2056



Expected results:

Firefox should not crash.
OS: Unspecified → Linux
Hardware: Unspecified → ARM
Severity: normal → critical
Component: Untriaged → Graphics: Layers
Keywords: crash
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [gfx-noted]
I am experiencing this too on LTSP-based thin clients running Linux Mint 18.

AbortMessage: ###!!! ABORT: RenderFreePicture: RenderBadPicture (invalid Picture parameter); 4 requests ago: file /tmp/buildd/firefox-51.0.1+linuxmint1+serena
/toolkit/xre/nsX11ErrorHandler.cpp, line 147
Add-ons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:51.0.1,firefox%40getpocket.com:1.0.5,aushelper%40mozilla.org:1.0,e10srollout%40mozilla.org:1.7,webcompat%4
0mozilla.org:1.0,langpack-en-GB%40firefox.mozilla.org:51.0.1,langpack-en-ZA%40firefox.mozilla.org:51.0.1
AddonsShouldHaveBlockedE10s: 0
BuildID: 20170127014032
ContentSandboxCapabilities: 117
CrashTime: 1487017828
DOMIPCEnabled: 1
E10SCohort: test
EMCheckCompatibility: true
EventLoopNestingLevel: 1
FramePoisonBase: 7ffffffff0dea000
FramePoisonSize: 4096
InstallTime: 1487017663
Notes: Linux Mint 18 SarahFP(D00-L1100-W00000000-T0000) OpenGL: VMware, Inc. -- Gallium 0.4 on llvmpipe (LLVM 3.8, 128 bits) -- 3.0 Mesa 11.2.0 -- texture_fro
m_pixmap
RenderFreePicture: RenderBadPicture (invalid Picture parameter); 4 requests agoxpcom_runtime_abort(###!!! ABORT: RenderFreePicture: RenderBadPicture (invalid 
Picture parameter); 4 requests ago: file /tmp/buildd/firefox-51.0.1+linuxmint1+serena/toolkit/xre/nsX11ErrorHandler.cpp, line 147)
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
SafeMode: 0
SecondsSinceLastCrash: 63
ShutdownProgress: quit-application
StartupCrash: 0
StartupTime: 1487017770
TelemetryEnvironment: {"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"201701
27014032","version":"51.0.1","vendor":"Mozilla","platformVersion":"51.0.1","xpcomAbi":"x86_64-gcc3","hotfixVersion":"20160826.01"},"partner":{"distributionId"
:"mint","distributionVersion":"1.0","partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":["mint "]},"system":{"memoryMB":16111,"virtua
lMaxMB":null,"cpu":{"count":4,"cores":2,"vendor":"AuthenticAMD","family":15,"model":65,"stepping":2,"l2cacheKB":1024,"l3cacheKB":1024,"speedMHz":null,"extensi
ons":["hasMMX","hasSSE","hasSSE2","hasSSE3"]},"os":{"name":"Linux","version":"4.4.0-59-generic","locale":"en-US"},"hdd":{"profile":{"model":null,"revision":nu
ll},"binary":{"model":null,"revision":null},"system":{"model":null,"revision":null}},"gfx":{"D2DEnabled":null,"DWriteEnabled":null,"ContentBackend":"Skia","ad
apters":[{"description":"VMware, Inc. -- Gallium 0.4 on llvmpipe (LLVM 3.8, 128 bits)","vendorID":"VMware, Inc.","deviceID":"Gallium 0.4 on llvmpipe (LLVM 3.8
, 128 bits)","subsysID":null,"RAM":null,"driver":null,"driverVersion":"3.0 Mesa 11.2.0","driverDate":null,"GPUActive":true}],"monitors":[],"features":{"compos
itor":"none"}}},"settings":{"blocklistEnabled":true,"e10sEnabled":true,"e10sCohort":"test","telemetryEnabled":false,"locale":"en-US","update":{"channel":"rele
ase","enabled":true,"autoDownload":true},"userPrefs":{"browser.cache.disk.capacity":358400,"browser.newtabpage.enhanced":true,"browser.startup.homepage":"<use
r-set>","layers.acceleration.disabled":true,"network.proxy.http":"<user-set>","network.proxy.ssl":"<user-set>"},"addonCompatibilityCheckEnabled":true,"isDefau
ltBrowser":false},"profile":{"creationDate":17210},"addons":{"activeAddons":{"firefox@getpocket.com":{"blocklisted":false,"description":"When you find somethi
ng you want to view later, put it in Pocket.","name":"Pocket","userDisabled":false,"appDisabled":false,"version":"1.0.5","scope":1,"type":"extension","foreign
Install":false,"hasBinaryComponents":false,"installDay":17193,"updateDay":17193,"isSystem":true},"aushelper@mozilla.org":{"blocklisted":false,"description":"S
ets value(s) in the update url based on custom checks.","name":"Application Update Service Helper","userDisabled":false,"appDisabled":false,"version":"1.0","s
cope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17193,"updateDay":17193,"isSystem":true},"e10srollout@mozilla.org":
{"blocklisted":false,"description":"Staged rollout of Firefox multi-process feature.","name":"Multi-process staged rollout","userDisabled":false,"appDisabled"
:false,"version":"1.7","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17193,"updateDay":17193,"isSystem":true},"
webcompat@mozilla.org":{"blocklisted":false,"description":"Urgent post-release fixes for web compatibility.","name":"Web Compat","userDisabled":false,"appDisa
bled":false,"version":"1.0","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17193,"updateDay":17193,"isSystem":tr
ue}},"theme":{"id":"{972ce4c6-7e08-4474-a285-3208198ce6fd}","blocklisted":false,"description":"The default theme.","name":"Default","userDisabled":false,"appD
isabled":false,"version":"51.0.1","scope":4,"foreignInstall":false,"hasBinaryComponents":false,"installDay":17193,"updateDay":17193},"activePlugins":[{"name":
"IcedTea-Web Plugin (using IcedTea-Web 1.6.2 (1.6.2-3ubuntu1))","version":"","description":"The <a href=\"http://icedtea.classpath.org/wiki/IcedTea-Web\">Iced
Tea-Web Plugin</a> executes Java app","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/x-java-vm","application/x-java-applet"
,"application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;versio
n=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-apple
t;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java
-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-
java-applet;version=1.8","application/x-java-applet;jpi-version=1.8.0_50","application/x-java-bean","application/x-java-bean;version=1.1","application/x-java-
bean;version=1.1.1","application/x-java-bean;version=1.1.2","application/x-java-bean;version=1.1.3","application/x-java-bean;version=1.2","application/x-java-
bean;version=1.2.1","application/x-java-bean;version=1.2.2","application/x-java-bean;version=1.3","application/x-java-bean;version=1.3.1","application/x-java-
bean;version=1.4","application/x-java-bean;version=1.4.1","application/x-java-bean;version=1.4.2","application/x-java-bean;version=1.5","application/x-java-be
an;version=1.6","application/x-java-bean;version=1.7","application/x-java-bean;version=1.8","application/x-java-bean;jpi-version=1.8.0_50","application/x-java
-vm-npruntime"],"updateDay":16907},{"name":"Windows Media Player Plug-in 10 (compatible; Videos)","version":"","description":"The <a href=\"https://github.com
/linuxmint/xplayer/\">Videos</a> 1.0.7 plugin handles video and audio ","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/x-mp
layer2","video/x-ms-asf-plugin","video/x-msvideo","video/x-ms-asf","video/x-ms-wmv","video/x-wmv","video/x-ms-wvx","video/x-ms-wm","video/x-ms-wmp","applicati
on/x-ms-wms","application/x-ms-wmp","application/asx","audio/x-ms-wma"],"updateDay":16977},{"name":"VLC Multimedia Plugin (compatible Videos 1.0.7)","version"
:"","description":"The <a href=\"https://github.com/linuxmint/xplayer/\">Videos</a> 1.0.7 plugin handles video and audio ","blocklisted":false,"disabled":fals
e,"clicktoplay":true,"mimeTypes":["application/x-vlc-plugin","application/vlc","video/x-google-vlc-plugin","application/x-ogg","application/ogg","audio/ogg","
audio/x-ogg","audio/x-vorbis+ogg","video/ogg","video/x-ogg","video/x-theora+ogg","application/annodex","audio/annodex","video/annodex","video/mpeg","audio/wav
","audio/x-wav","audio/mpeg","application/x-nsv-vp3-mp3","video/flv","video/webm","application/x-xplayer-plugin","audio/midi"],"updateDay":16977},{"name":"Div
X® Web Player","version":"","description":"DivX Web Player version 1.4.0.233","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["video/divx
"],"updateDay":16977},{"name":"QuickTime Plug-in 7.6.6","version":"","description":"The <a href=\"https://github.com/linuxmint/xplayer/\">Videos</a> 1.0.7 plu
gin handles video and audio ","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["video/quicktime","video/mp4","image/x-macpaint","image/x-q
uicktime","video/x-m4v","application/vnd.apple.mpegurl"],"updateDay":16977},{"name":"Shockwave Flash","version":"","description":"Shockwave Flash 24.0 r0","bl
ocklisted":false,"disabled":false,"clicktoplay":false,"mimeTypes":["application/x-shockwave-flash","application/futuresplash"],"updateDay":17151}],"activeGMPl
ugins":{"gmp-gmpopenh264":{"version":null,"userDisabled":false,"applyBackgroundUpdates":1}},"activeExperiment":{},"persona":null}}
Theme: classic/1.0
Throttleable: 1
URL: about:preferences#advanced
UptimeTS: 58.3774989
Vendor: Mozilla
Version: 51.0.1
useragent_locale: en-US
Duplicate of this bug: 1339866
This bug is marked as "Platform: ARM Linux", but my example in bug 1339866 is x86_64 Linux, so it does not seem architecture dependent, just X11 related.
Hardware: ARM → Unspecified
Duplicate of this bug: 1340647
CR from dupe:
https://crash-stats.mozilla.com/report/index/406e1427-ff39-42e4-b07f-370ab2170217
Crash Signature: [@ Abort | RenderFreePicture: RenderBadPicture (invalid Picture parameter) | mozalloc_abort | NS_DebugBreak | X11Error ]
Ok, I've tried to investigate this bug and found something about it.


I found how to reproduce it. I don't sure it will work for everybody but for me it works in 100% of cases. You just need to place the cursor over link with title (e.g. "Bugzilla@Mozilla" in the top of this page) then close the browser. It causes the crash which I can see if run Firefox from terminal emulator:

> This probably reflects a bug in the program.
> The error was 'RenderBadPicture (invalid Picture parameter)'.
>   (Details: serial 6073 error_code 143 request_code 139 (RENDER) minor_code 7)

Or you can open the history (Ctrl+Shift+H), place the cursor over cutted long name and then close "Library" window. Firefox will immediately crash.


I decided to bisect this bug and I found that it was caused by this commit: https://hg.mozilla.org/integration/mozilla-inbound/rev/47e2650093d5
I tried to revert it and the bug disappeared.


I tried to inspect the code. I commented the line with
> dt->DrawSurface(surf, rect, rect);
in WindowSurfaceX11Image.cpp and the bug disappeared again. I even tried to replace it with
> dt->DrawSurface(surf, rect, rect, gfx::DrawSurfaceOptions(), gfx::DrawOptions(1.0f, gfx::CompositionOp::OP_SOURCE));
and it worked great. It seems that it crashes with CompositionOp::OP_OVER which is default value.


I set the "gfx.xrender.enabled" option in about:config to "true" and it worked too (because with this option Firefox doesn't use WindowSurfaceX11Image). So I think it might be a temporal solution.


I hope this information will be useful.
Fwiw, experiencing this bug a lot on OpenBSD be it with fx 51, 52 beta or thunderbird 52 beta - for the latter, it happens most of the times when sending an e-mail, when the 'progressbar' window (ie 'saving mail in send folder') is closed.
Blocks: 1319554
The full trace generated on OpenBSD is:

#0  0x000004e10587abc0 in gdk_x_error () from /usr/local/lib/libgdk-3.so.2200.2                                                       [1/289]
#1  0x000004e0e0faa034 in _XError () from /usr/X11R6/lib/libX11.so.16.1                                                                      
#2  0x000004e0e0fa7c72 in handle_error () from /usr/X11R6/lib/libX11.so.16.1                                                                 
#3  0x000004e0e0fa7cba in handle_response () from /usr/X11R6/lib/libX11.so.16.1
#4  0x000004e0e0fa8270 in _XReply () from /usr/X11R6/lib/libX11.so.16.1
#5  0x000004e0e0fa402b in XSync () from /usr/X11R6/lib/libX11.so.16.1
#6  0x000004e0e0fa41db in _XSyncFunction () from /usr/X11R6/lib/libX11.so.16.1
#7  0x000004e10176adea in _cairo_xlib_surface_finish () from /usr/local/lib/libcairo.so.12.3
#8  0x000004e101726373 in _cairo_surface_finish () from /usr/local/lib/libcairo.so.12.3
#9  0x000004e1017261f8 in cairo_surface_destroy () from /usr/local/lib/libcairo.so.12.3
#10 0x000004e0a78dfa15 in gfxASurface::Release (this=0x4e02272d100) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/gfx/thebes/gfxASurface.cpp:101
#11 0x000004e0a8e849df in mozilla::widget::WindowSurfaceX11Image::~WindowSurfaceX11Image() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#12 0x000004e0a8e6aab7 in nsWindow::~nsWindow() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#13 0x000004e0a8e77c1e in nsChildWindow::~nsChildWindow() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#14 0x000004e0a8e3b832 in nsBaseWidget::Release() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#15 0x000004e0a77a8e8e in nsDeviceContext::~nsDeviceContext() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#16 0x000004e0a9110825 in nsPresContext::~nsPresContext() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#17 0x000004e0a9110aee in nsPresContext::~nsPresContext() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#18 0x000004e0a6ee4527 in SnowWhiteKiller::~SnowWhiteKiller() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#19 0x000004e0a6ee4408 in nsCycleCollector::FreeSnowWhite(bool) () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#20 0x000004e0a7525f5f in AsyncFreeSnowWhite::Run() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#21 0x000004e0a6f3d380 in nsThread::ProcessNextEvent (this=0x4e0dcc1cc00, aMayWait=<optimized out>, aResult=0x7f7fffff2bdf) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/xpcom/threads/nsThread.cpp:1067
#22 0x000004e0a6f648cd in NS_ProcessNextEvent(nsIThread*, bool) () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#23 0x000004e0a724fc08 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#24 0x000004e0a7228646 in MessageLoop::Run() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#25 0x000004e0a8e58c19 in nsBaseAppShell::Run() () from /usr/local/lib/firefox-51.0/libxul.so.69.0
#26 0x000004e0a974433e in nsAppStartup::Run (this=0x4e0c0b47d80) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/toolkit/components/startup/nsAppStartup.cpp:283
#27 0x000004e0a97aa914 in XREMain::XRE_mainRun (this=<optimized out>) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/toolkit/xre/nsAppRunner.cpp:4401
#28 0x000004e0a97aaed6 in XREMain::XRE_main (this=0x7f7fffff2e60, argc=<optimized out>, argv=<optimized out>, aAppData=<optimized out>) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/toolkit/xre/nsAppRunner.cpp:4534
#29 0x000004e0a97ab2e9 in XRE_main (argc=-55808, argv=0x4e0a55e0260 <_initial_thread>, aAppData=0x4e0317f7e80, aFlags=<optimized out>) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/toolkit/xre/nsAppRunner.cpp:4625
#30 0x000004de0ab00d42 in do_main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>, xreDirectory=<optimized out>) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/browser/app/nsBrowserApp.cpp:281
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /data/semarie/repos/openbsd/ports/pobj/firefox-51.0-debug/firefox-51.0/browser/app/nsBrowserApp.cpp:414
I'm trying the solution proposed by kitsunyan (nice analysis!) in comment #6, will report back.

  2 --- widget/gtk/WindowSurfaceX11Image.cpp.orig>--Sun Feb 19 14:48:01 2017
  3 +++ widget/gtk/WindowSurfaceX11Image.cpp>-------Sun Feb 19 14:48:43 2017 
  4 @@ -108,7 +108,7 @@ WindowSurfaceX11Image::Commit(const LayoutDeviceIntReg
  5      dt->PushDeviceSpaceClipRects(rects.Elements(), rects.Length());
  6    }
  7 -
  8 -  dt->DrawSurface(surf, rect, rect);
  9 +  dt->DrawSurface(surf, rect, rect, gfx::DrawSurfaceOptions(), gfx::DrawOptions(1.0f, gfx::CompositionOp::OP_SOURCE));
I had tested the diff proposed by landry@ (on 51 et 52beta): with it the crash disappeared. But it introduces bad visual effects on widgets: they become black and blink on mouse move.
oh, and the trick with "gfx.xrender.enabled=true" works as workaround.
Same thing here w/ 52.0b7 (still on OpenBSD), gfx.xrender.enabled=true works, without it and with the aforementioned patch the browser is unusable, repainted in black following mouse moves.
The backtrace pasted by Landry would indicate you are compiling with system Cairo enabled instead of tree Cairo, given the fact that thebes' gfxASurface::Release is calling into /usr/lib/libcairo's cairo_surface_destroy. We don't really support that configuration anymore, and it is expected to be very buggy, if at all working.
But I compiled it without system Cairo. At least I don't see this option in mozconfig. And Firefox still crashes.

#0  0x00007f4b9fa90ff1 in  () at /usr/lib/libglib-2.0.so.0
#1  0x00007f4b9fa93731 in g_log_writer_default () at /usr/lib/libglib-2.0.so.0
#2  0x00007f4b9fa91b8c in g_log_structured_array () at /usr/lib/libglib-2.0.so.0
#3  0x00007f4b9fa91e89 in g_log_structured () at /usr/lib/libglib-2.0.so.0
#4  0x00007f4ba245a6fe in  () at /usr/lib/libgdk-3.so.0
#5  0x00007f4ba24678d3 in  () at /usr/lib/libgdk-3.so.0
#6  0x00007f4ba1cee6fd in _XError () at /usr/lib/libX11.so.6
#7  0x00007f4ba1ceb627 in  () at /usr/lib/libX11.so.6
#8  0x00007f4ba1ceb6e5 in  () at /usr/lib/libX11.so.6
#9  0x00007f4ba1cebfe5 in _XEventsQueued () at /usr/lib/libX11.so.6
#10 0x00007f4ba1cddcb7 in XPending () at /usr/lib/libX11.so.6
#11 0x00007f4ba2461e4e in  () at /usr/lib/libgdk-3.so.0
#12 0x00007f4b9fa8ac89 in g_main_context_prepare () at /usr/lib/libglib-2.0.so.0
#13 0x00007f4b9fa8b6ab in  () at /usr/lib/libglib-2.0.so.0
#14 0x00007f4b9fa8b89c in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
#15 0x00007f4b95f95ec5 in  () at /usr/lib/firefox/libxul.so
#16 0x00007f4b95f7d907 in  () at /usr/lib/firefox/libxul.so
#17 0x00007f4b95f7da66 in  () at /usr/lib/firefox/libxul.so
#18 0x00007f4b94c59d09 in  () at /usr/lib/firefox/libxul.so
#19 0x00007f4b94c74597 in  () at /usr/lib/firefox/libxul.so
#20 0x00007f4b94e7a954 in  () at /usr/lib/firefox/libxul.so
#21 0x00007f4b94e6a73e in  () at /usr/lib/firefox/libxul.so
#22 0x00007f4b95f7bafe in  () at /usr/lib/firefox/libxul.so
#23 0x00007f4b965d469e in  () at /usr/lib/firefox/libxul.so
#24 0x00007f4b9661bd1a in  () at /usr/lib/firefox/libxul.so
#25 0x00007f4b9661bfe1 in  () at /usr/lib/firefox/libxul.so
#26 0x00007f4b9661c222 in XRE_main () at /usr/lib/firefox/libxul.so
#27 0x000055d2d205655f in  ()
#28 0x000055d2d2055b17 in  ()
#29 0x00007f4ba3270291 in __libc_start_main () at /usr/lib/libc.so.6
#30 0x000055d2d2055d1a in _start ()

Sorry, I compiled Firefox without debug symbols, but at least you can see it doesn't use system Cairo library.
(In reply to kitsunyan from comment #14)
> But I compiled it without system Cairo. At least I don't see this option in
> mozconfig. And Firefox still crashes.
> 
> #0  0x00007f4b9fa90ff1 in  () at /usr/lib/libglib-2.0.so.0
> #1  0x00007f4b9fa93731 in g_log_writer_default () at
> /usr/lib/libglib-2.0.so.0
> #2  0x00007f4b9fa91b8c in g_log_structured_array () at
> /usr/lib/libglib-2.0.so.0
> #3  0x00007f4b9fa91e89 in g_log_structured () at /usr/lib/libglib-2.0.so.0
> #4  0x00007f4ba245a6fe in  () at /usr/lib/libgdk-3.so.0
> #5  0x00007f4ba24678d3 in  () at /usr/lib/libgdk-3.so.0
> #6  0x00007f4ba1cee6fd in _XError () at /usr/lib/libX11.so.6
> #7  0x00007f4ba1ceb627 in  () at /usr/lib/libX11.so.6
> #8  0x00007f4ba1ceb6e5 in  () at /usr/lib/libX11.so.6
> #9  0x00007f4ba1cebfe5 in _XEventsQueued () at /usr/lib/libX11.so.6
> #10 0x00007f4ba1cddcb7 in XPending () at /usr/lib/libX11.so.6
> #11 0x00007f4ba2461e4e in  () at /usr/lib/libgdk-3.so.0
> #12 0x00007f4b9fa8ac89 in g_main_context_prepare () at
> /usr/lib/libglib-2.0.so.0
> #13 0x00007f4b9fa8b6ab in  () at /usr/lib/libglib-2.0.so.0
> #14 0x00007f4b9fa8b89c in g_main_context_iteration () at
> /usr/lib/libglib-2.0.so.0
> #15 0x00007f4b95f95ec5 in  () at /usr/lib/firefox/libxul.so
> #16 0x00007f4b95f7d907 in  () at /usr/lib/firefox/libxul.so
> #17 0x00007f4b95f7da66 in  () at /usr/lib/firefox/libxul.so
> #18 0x00007f4b94c59d09 in  () at /usr/lib/firefox/libxul.so
> #19 0x00007f4b94c74597 in  () at /usr/lib/firefox/libxul.so
> #20 0x00007f4b94e7a954 in  () at /usr/lib/firefox/libxul.so
> #21 0x00007f4b94e6a73e in  () at /usr/lib/firefox/libxul.so
> #22 0x00007f4b95f7bafe in  () at /usr/lib/firefox/libxul.so
> #23 0x00007f4b965d469e in  () at /usr/lib/firefox/libxul.so
> #24 0x00007f4b9661bd1a in  () at /usr/lib/firefox/libxul.so
> #25 0x00007f4b9661bfe1 in  () at /usr/lib/firefox/libxul.so
> #26 0x00007f4b9661c222 in XRE_main () at /usr/lib/firefox/libxul.so
> #27 0x000055d2d205655f in  ()
> #28 0x000055d2d2055b17 in  ()
> #29 0x00007f4ba3270291 in __libc_start_main () at /usr/lib/libc.so.6
> #30 0x000055d2d2055d1a in _start ()
> 
> Sorry, I compiled Firefox without debug symbols, but at least you can see it
> doesn't use system Cairo library.

Can you compile with debug symbols, and then run with the environment variable MOZ_X_SYNC=1 set? That should help get a more useful backtrace. The backtrace you are currently getting is only way far away from where the actual error is caused, several iterations of the main loop down the road, because X is merely queuing the error to be fetched later.
Flags: needinfo?(kitsunyan)
On the presumption that we are accidentally destroying xrender pictures assigned to the window AFTER the window gets destroyed, this forces the resource cleanup to happen before said window destruction. The X server theoretically cleans up the pictures associated with a window when the window is destroyed, and yet the Cairo xlib surface has its own client-side references to these pictures still, which it tries to destroy. By doing the cleanup first, we avoid the window destructing hitting the pictures before the Cairo xlib surface does.

Kitsunyan, can you please try this patch and see if it fixes your issue?
Attachment #8839004 - Flags: review?(karlt)
(In reply to Lee Salzman [:lsalzman] from comment #15)
> Can you compile with debug symbols, and then run with the environment
> variable MOZ_X_SYNC=1 set? That should help get a more useful backtrace. The
> backtrace you are currently getting is only way far away from where the
> actual error is caused, several iterations of the main loop down the road,
> because X is merely queuing the error to be fetched later.

#0  0x00007f77f8090ff1 in  () at /usr/lib/libglib-2.0.so.0
#1  0x00007f77f8093731 in g_log_writer_default () at /usr/lib/libglib-2.0.so.0
#2  0x00007f77f8091b8c in g_log_structured_array () at /usr/lib/libglib-2.0.so.0
#3  0x00007f77f8091e89 in g_log_structured () at /usr/lib/libglib-2.0.so.0
#4  0x00007f77faa5a6fe in  () at /usr/lib/libgdk-3.so.0
#5  0x00007f77faa678d3 in  () at /usr/lib/libgdk-3.so.0
#6  0x00007f77fa2ee6fd in _XError () at /usr/lib/libX11.so.6
#7  0x00007f77fa2eb627 in  () at /usr/lib/libX11.so.6
#8  0x00007f77fa2eb6e5 in  () at /usr/lib/libX11.so.6
#9  0x00007f77fa2ec5f8 in _XReply () at /usr/lib/libX11.so.6
#10 0x00007f77fa2e7fed in XSync () at /usr/lib/libX11.so.6
#11 0x00007f77fa2e808b in  () at /usr/lib/libX11.so.6
#12 0x00007f77eecbf797 in _cairo_xlib_surface_finish (abstract_surface=0x7f77b317f800)
    at /src/firefox-51.0.1/gfx/cairo/cairo/src/cairo-xlib-surface.c:494
#13 0x00007f77eece6dd1 in INT__moz_cairo_surface_finish (surface=0x7f77b317f800)
    at /src/firefox-51.0.1/gfx/cairo/cairo/src/cairo-surface.c:728
#14 0x00007f77eece6e0c in INT__moz_cairo_surface_destroy (surface=0x7f77b317f800)
    at /src/firefox-51.0.1/gfx/cairo/cairo/src/cairo-surface.c:649
#15 0x00007f77ed910a8d in gfxASurface::Release() (this=0x7f77b6eaae00)
    at /src/firefox-51.0.1/gfx/thebes/gfxASurface.cpp:101
#16 0x00007f77ee596143 in mozilla::widget::WindowSurfaceX11Image::~WindowSurfaceX11Image() (this=0x7f77b6eaa400, __in_chrg=<optimized out>)
    at /src/firefox-51.0.1/widget/gtk/WindowSurfaceX11Image.cpp:29
#17 0x00007f77ee593374 in mozilla::DefaultDelete<mozilla::widget::WindowSurface>::operator()(mozilla::widget::WindowSurface*) const (this=<optimized out>, aPtr=<optimized out>)
    at /src/firefox-51.0.1/obj-x86_64-pc-linux-gnu/dist/include/mozilla/UniquePtr.h:528
#18 0x00007f77ee593374 in mozilla::UniquePtr<mozilla::widget::WindowSurface, mozilla::DefaultDelete
mozilla::widget::WindowSurface> >::reset(mozilla::widget::WindowSurface*) (aPtr=0x0, this=0x7f77b2e5ae08)
    at /src/firefox-51.0.1/obj-x86_64-pc-linux-gnu/dist/include/mozilla/UniquePtr.h:343
#19 0x00007f77ee593374 in mozilla::UniquePtr<mozilla::widget::WindowSurface, mozilla::DefaultDelete<mozilla::widget::WindowSurface> >::~UniquePtr() (this=0x7f77b2e5ae08, __in_chrg=<optimized out>)
    at /src/firefox-51.0.1/obj-x86_64-pc-linux-gnu/dist/include/mozilla/UniquePtr.h:288
#20 0x00007f77ee593374 in mozilla::widget::WindowSurfaceProvider::~WindowSurfaceProvider() (this=0x7f77b2e5ade8, __in_chrg=<optimized out>)
    at /src/firefox-51.0.1/obj-x86_64-pc-linux-gnu/dist/include/mozilla/widget/WindowSurfaceProvider.h:25
#21 0x00007f77ee593374 in nsWindow::~nsWindow() (this=0x7f77b2e5ac00, __in_chrg=<optimized out>)
    at /src/firefox-51.0.1/widget/gtk/nsWindow.cpp:487
#22 0x00007f77ee5933cd in nsChildWindow::~nsChildWindow() (this=0x7f77b2e5ac00, __in_chrg=<optimized out>) at /src/firefox-51.0.1/widget/gtk/nsWindow.cpp:6395
#23 0x00007f77ee5669c5 in nsBaseWidget::Release() (this=<optimized out>)
    at /src/firefox-51.0.1/widget/nsBaseWidget.cpp:154
#24 0x00007f77ee560935 in nsCOMPtr<nsIWidget>::operator=(nsIWidget*) (aRhs=0x0, this=0x7f77b4e7ab50) at /src/firefox-51.0.1/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:577
#25 0x00007f77ee560935 in DestroyWidgetRunnable::Run() (this=0x7f77b4e7ab40)
    at /src/firefox-51.0.1/view/nsView.cpp:118
#26 0x00007f77ed25bcb1 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f77fb691eb0, aMayWait=<optimized out>, aResult=0x7fffc5a622d7)
    at /src/firefox-51.0.1/xpcom/threads/nsThread.cpp:1067
#27 0x00007f77ed2763f7 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, 
    aThread@entry=0x7f77fb691eb0, aMayWait=aMayWait@entry=false)
    at /src/firefox-51.0.1/xpcom/glue/nsThreadUtils.cpp:311
#28 0x00007f77ed47c7c2 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f77e6f53700, aDelegate=0x7f77fb6ad840)
    at /src/firefox-51.0.1/ipc/glue/MessagePump.cpp:96
#29 0x00007f77ed46c5a6 in MessageLoop::RunHandler() (this=<optimized out>)
    at /src/firefox-51.0.1/ipc/chromium/src/base/message_loop.cc:225
#30 0x00007f77ed46c5a6 in MessageLoop::Run() (this=<optimized out>)
    at /src/firefox-51.0.1/ipc/chromium/src/base/message_loop.cc:205
#31 0x00007f77ee57b9ca in nsBaseAppShell::Run() (this=0x7f77df2253a0)
    at /src/firefox-51.0.1/widget/nsBaseAppShell.cpp:156
#32 0x00007f77eebd4560 in nsAppStartup::Run() (this=0x7f77df270060)
    at /src/firefox-51.0.1/toolkit/components/startup/nsAppStartup.cpp:283
#33 0x00007f77eec1bbd4 in XREMain::XRE_mainRun() (this=this@entry=0x7fffc5a62568)
    at /src/firefox-51.0.1/toolkit/xre/nsAppRunner.cpp:4401
#34 0x00007f77eec1be9b in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffc5a62568, argc=argc@entry=1, argv=argv@entry=0x7fffc5a63948, aAppData=aAppData@entry=0x7fffc5a62768) at /src/firefox-51.0.1/toolkit/xre/nsAppRunner.cpp:4534
#35 0x00007f77eec1c0dc in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffc5a63948, aAppData=0x7fffc5a62768, aFlags=<optimized out>)
    at /src/firefox-51.0.1/toolkit/xre/nsAppRunner.cpp:4625
#36 0x00005648448b736f in do_main(int, char**, char**, nsIFile*) (argc=1, argv=0x7fffc5a63948, envp=<optimized out>, xreDirectory=0x7f77fb64ba80)
    at /src/firefox-51.0.1/browser/app/nsBrowserApp.cpp:281
#37 0x00005648448b69f7 in main(int, char**, char**) (argc=1, argv=0x7fffc5a63948, envp=0x7fffc5a63958) at /src/firefox-51.0.1/browser/app/nsBrowserApp.cpp:414
Flags: needinfo?(kitsunyan)
(In reply to Lee Salzman [:lsalzman] from comment #16)
> Created attachment 8839004 [details] [diff] [review]
> clean gtk window's surface provider before it gets destroyed
> 
> On the presumption that we are accidentally destroying xrender pictures
> assigned to the window AFTER the window gets destroyed, this forces the
> resource cleanup to happen before said window destruction. The X server
> theoretically cleans up the pictures associated with a window when the
> window is destroyed, and yet the Cairo xlib surface has its own client-side
> references to these pictures still, which it tries to destroy. By doing the
> cleanup first, we avoid the window destructing hitting the pictures before
> the Cairo xlib surface does.
> 
> Kitsunyan, can you please try this patch and see if it fixes your issue?

Nice. Firefox no longer crashes with this patch.
Comment on attachment 8839004 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed

It should be fine to do this only in Destroy() after DestroyCompositor().

That means it need only be done in one place, and it puts it next to the DestroyCompositor(), which must happen first to ensure the compositor is no longer using mSurfaceProvider.
Attachment #8839004 - Flags: review?(karlt) → review+
Comment on attachment 8839004 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed

testing this w/ 52.0b7 and tb 52.0b3.
Comment on attachment 8839004 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed

Review of attachment 8839004 [details] [diff] [review]:
-----------------------------------------------------------------

I tested it on OpenBSD amd64, and it fixes the problem here too.
(tested on firefox 51 - I should really reread before posting)
Comment on attachment 8839004 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed

Fixes the crash too for me with 52.0b7, before the patch going to https://locka99.gitbooks.io/a-guide-to-porting-c-to-rust/ and exiting firefox was enough to see the crash.
Attachment #8839004 - Flags: feedback+
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/97795c1d467d
clean gtk window's surface provider before it gets destroyed. r=karlt
gfx.xrender.enabled=true" works on my amd64-based thin clients as well.  Thanks!
https://hg.mozilla.org/mozilla-central/rev/97795c1d467d
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Please request Aurora/Beta approval on this when you get a chance.
Assignee: nobody → lsalzman
Flags: needinfo?(lsalzman)
Just putting up the final patch that got to central so it can be uplifted...

Approval Request Comment
[Feature/Bug causing the regression]: bug 1319554, so affects 51+, since we uplifted from 53 to 51 and 52
[User impact if declined]: Firefox may when closing a window on Linux.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: 52, 53
[Is the change risky?]: no
[Why is the change risky/not risky?]: Just causes some window resources to be destroyed in a safer order on close so that they don't end up double-freeing.
[String changes made/needed]: None
Attachment #8839004 - Attachment is obsolete: true
Flags: needinfo?(lsalzman)
Attachment #8839990 - Flags: review+
Attachment #8839990 - Flags: approval-mozilla-beta?
Attachment #8839990 - Flags: approval-mozilla-aurora?
Comment on attachment 8839990 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed. r=karlt

Fix a crash and was verified. Aurora53+.
Attachment #8839990 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8839990 [details] [diff] [review]
clean gtk window's surface provider before it gets destroyed. r=karlt

linux crash fix for beta52

Should be in 52.0b9
Attachment #8839990 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Setting qe-verify- based on Lee's assessment on manual testing (see Comment 28) and the fact that this fix has automated coverage.
Flags: qe-verify-
H.-Dirk Schmitt, your issue in duplicate bug 1340647 should be fixed in Beta [*], could you confirm?
Eli the Bearded, your issue in duplicate bug 1339866 should be fixed in Beta [*], could you confirm?

[*] https://www.mozilla.org/en-US/firefox/beta/all/
Flags: needinfo?(mozilla)
Flags: needinfo?(dirk)
 Landry Breuil's url (comment 23) to duplicate the crash does not crash my ff51, so I can't give a quick answer. I'll try this beta for the rest of the day though.
Flags: needinfo?(mozilla)
Problem is solved for me.
Flags: needinfo?(dirk)
You need to log in before you can comment on or make changes to this bug.