Open Bug 1364192 Opened 5 years ago Updated 11 months ago
Crash in sse2::blit
_row _s32a _opaque
This bug was filed from the Socorro interface and is report bp-ceb1ffdb-74f9-4ed2-bd85-2a9db0170511. ============================================================= 18 crashes on the 5-10 Nightly, but all from a single installation. There are a few hundred crashes across all branches. Maybe we're running invalid instructions for a particular CPU? Though they are mostly EXCEPTION_ACCESS_VIOLATION_READ so maybe this is just bad memory or the like.
At a first look of the minidump, the access violation reading location 0x000000002A8B3000. The source code was shown in . The address value of src seems a non-NULL value which stored in R10(000000002A8B2FF0). But the value it pointed to couldn't be read from mini-dump. Based on this, I can't think of any possible reason to cause the crash. : https://searchfox.org/mozilla-central/rev/cd8c561106d804e26bc09389f18f361846d005eb/gfx/skia/skia/src/opts/SkBlitRow_opts.h#125 Lee, could you please have a look into this? Really thanks
The Skia code where the crash signature is occurring itself is fine. I extensively checked this. It appears something upstream of it is passing in an invalid SourceSurface which is getting read down there. Maybe this is because somehow the memory it points to got freed, or the structure itself was somehow corrupted to point to a garbage address. I did pretty much a full audit of DrawTargetSkia looking for potential use-after-free cases related to Snapshot() or other possible Moz2d-related sources of invalid SourceSurfaceSkias, and I could not find anything that looked causative. Also, the address of the invalid memory that is being read looks too random right now to judge much about what's going on based on it. I think we really need to find some way to reliably reproduce to make local investigation feasible before much can be done here.
You need to log in before you can comment on or make changes to this bug.