MOZ_RELEASE_ASSERT(mCompositorOptions) Crash in mozilla::dom::TabChild::AsyncPanZoomEnabled

RESOLVED FIXED in Firefox 55

Status

defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: philipp, Assigned: kats)

Tracking

({crash, regression})

53 Branch
mozilla56
Unspecified
Linux
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 wontfix, firefox54 wontfix, firefox55 fixed, firefox56 verified)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is 
report bp-4e5a9694-f5cc-413e-a2fc-3b9550170601.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::dom::TabChild::AsyncPanZoomEnabled 	dom/ipc/TabChild.cpp:450
1 	libxul.so 	libxul.so@0x17afe1e 	
2 	libxul.so 	libxul.so@0x1d9de39 	
3 	libxul.so 	nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) 	
4 	libxul.so 	nsDocumentViewer::InitPresentationStuff(bool) 	
5 	libxul.so 	nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) 	
6 	libxul.so 	nsDocumentViewer::Init 	layout/base/nsDocumentViewer.cpp:690
7 	libxul.so 	nsDocShell::SetupNewViewer(nsIContentViewer*) 	
8 	libxul.so 	nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) 	
9 	libxul.so 	nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) 	
10 	libxul.so 	nsDocShell::GetDocument() 	
11 	libxul.so 	nsPIDOMWindow<mozIDOMWindowProxy>::MaybeCreateDoc 	dom/base/nsGlobalWindow.cpp:4132
12 	libxul.so 	nsGlobalWindow::WrapObject 	dom/base/nsPIDOMWindow.h:216
13 	libxul.so 	XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, bool, nsresult*) 	
14 	libxul.so 	XPCConvert::NativeData2JS(JS::MutableHandle<JS::Value>, void const*, nsXPTType const&, nsID const*, nsresult*) 	
15 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	
16 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	
17 	libxul.so 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	
18 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
19 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
20 	libxul.so 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	
21 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
22 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
23 	libxul.so 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	
24 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
25 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
26 	libxul.so 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	
27 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
28 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
29 	libxul.so 	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 	
30 	libxul.so 	JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	
31 	libxul.so 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	
32 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120
33 	libxul.so 	SharedStub 	
34 	libxul.so 	nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) 	
35 	libxul.so 	nsDocShell::Destroy() 	
36 	libxul.so 	nsWebBrowser::SetDocShell 	toolkit/components/browser/nsWebBrowser.cpp:1705
37 	libxul.so 	nsWebBrowser::InternalDestroy 	toolkit/components/browser/nsWebBrowser.cpp:95
38 	libxul.so 	nsWebBrowser::Destroy 	toolkit/components/browser/nsWebBrowser.cpp:1298
39 	libxul.so 	mozilla::dom::TabChild::DestroyWindow 	dom/ipc/TabChild.cpp:1089
40 	libxul.so 	mozilla::dom::TabChild::RecvDestroy 	dom/ipc/TabChild.cpp:2460
41 	libxul.so 	mozilla::dom::PBrowserChild::OnMessageReceived 	obj-firefox/ipc/ipdl/PBrowserChild.cpp:4345
42 	libxul.so 	mozilla::dom::PContentChild::OnMessageReceived 	obj-firefox/ipc/ipdl/PContentChild.cpp:5630
43 	libxul.so 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	
44 	libxul.so 	libxul.so@0xc4ef28 	
45 	libxul.so 	mozilla::ipc::MessageChannel::MessageTask::Run() 	
46 	libxul.so 	mozilla::SchedulerGroup::Runnable::Run 	xpcom/threads/SchedulerGroup.cpp:365
47 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	
48 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	
49 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	
50 	libxul.so 	MessageLoop::Run() 	
51 	libxul.so 	nsBaseAppShell::Run 	widget/nsBaseAppShell.cpp:156
52 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:893
53 	libxul.so 	MessageLoop::Run() 	
54 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:709
55 	firefox 	content_process_main 	ipc/contentproc/plugin-container.cpp:64
56 	firefox 	_init 	
57 	libc-2.19.so 	libc-2.19.so@0x21b44 	
58 	firefox 	firefox@0x11c1f 	
59 	firefox 	firefox@0x1b5bf 	
60 	firefox 	__libc_csu_fini 	
61 	firefox 	firefox@0x1b5bf 	
62 	firefox 	_start

Reports with this signature are regressing from Linux installations in Firefox 55.0a1. Crashes occur with "MOZ_RELEASE_ASSERT(mCompositorOptions)" that got added in bug 1331509.
https://crash-stats.mozilla.com/report/index/c1639279-2640-495c-a93f-0c8060170531 is a better report, has a fully symbolicated stack. Also this is pretty low-volume, but seems to happen more in 55 than it did in 53 or 54.
Assignee: nobody → bugmail
Has Regression Range: --- → irrelevant
Has STR: --- → no
I'm hitting this consistently on a release build using current trunk with the following STR:

1. ./mach run (*don't* disable e10s)
2. Type 'gecko profiler' in the search box
3. Click the first result

A new tab opens and then crashes.

I'll attach the stack since it's a little different to comment 0.
Posted file Stack

Updated

2 years ago
Summary: Crash in mozilla::dom::TabChild::AsyncPanZoomEnabled → MOZ_RELEASE_ASSERT(mCompositorOptions) Crash in mozilla::dom::TabChild::AsyncPanZoomEnabled
Similar, I get this when opening a Bugzilla bug in a new tab from a pinned dashboard tab.
I've backed out the patch from bug 1374548 after ehsan pointed to it via mozregression. I'll respin nightlies in a bit.
For those who are running into this, a workaround for now is to set dom.w3c_touch_events.enabled to 0 and restart. This bug should be affecting devices with touchscreens.
Comment on attachment 8882633 [details]
Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options.

https://reviewboard.mozilla.org/r/153716/#review158898
Attachment #8882633 - Flags: review?(dvander) → review+

Comment 11

2 years ago
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4ded92f42403
Assume APZ is enabled in TabChild if we are queried before we have the compositor options. r=dvander

Comment 12

2 years ago
Pushed by kwierso@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/7cc250ff4f6e
Assume APZ is enabled in TabChild if we are queried before we have the compositor options. r=dvander a=bustage
Grafted this over to m-c so we can spin nightlies later today. Would be nice if people can confirm the crash has stopped with this.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
(In reply to Wes Kocher (:KWierso) from comment #13)
> Grafted this over to m-c so we can spin nightlies later today. Would be nice
> if people can confirm the crash has stopped with this.

I redid my own build (which is where I first saw the issue) including this patch and I can verify that it fixes my issue.

Comment 15

2 years ago
(In reply to Wes Kocher (:KWierso) from comment #13)
> Grafted this over to m-c so we can spin nightlies later today. Would be nice
> if people can confirm the crash has stopped with this.

Fixed on 56.0a1 (2017-07-01) (64-bit)

Updated

2 years ago
Duplicate of this bug: 1377727
I think Wes incorrectly marked status-firefox55 as fixed instead of status-firefox56 back in comment 13.
Comment on attachment 8882633 [details]
Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1331509
[User impact if declined]: Intermittent crashes on touchscreen devices when new tabs are opened. The crashes became much more frequent due to some other changes in m-c recently.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not really
[Why is the change risky/not risky?]: small change, just adds a fallback path where before we were doing a release assert
[String changes made/needed]: none
Attachment #8882633 - Flags: approval-mozilla-beta?
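
The change described in the approval request above, sketched as an added example (not the patch from this bug and not Gecko code): a query that arrives before the compositor options exist either trips the assert or takes a fallback that assumes APZ is enabled. `TabModel`, `SetCompositorOptions`, `StrictQueryFails` and the two query methods are hypothetical names, and the model throws where a release assert would abort the process.

```cpp
#include <stdexcept>

// Hypothetical stand-in for the options a tab learns once its compositor exists.
struct CompositorOptions {
  bool useAPZ;
};

// Simplified model of a tab child; not Gecko's TabChild.
class TabModel {
  bool mHasCompositorOptions = false;  // false until the options arrive
  CompositorOptions mCompositorOptions{};

 public:
  void SetCompositorOptions(CompositorOptions aOptions) {
    mCompositorOptions = aOptions;
    mHasCompositorOptions = true;
  }

  // Before: an early query is treated as a fatal invariant violation.
  // A release assert aborts; the model throws so the failure can be observed.
  bool AsyncPanZoomEnabledStrict() const {
    if (!mHasCompositorOptions) {
      throw std::logic_error("MOZ_RELEASE_ASSERT(mCompositorOptions)");
    }
    return mCompositorOptions.useAPZ;
  }

  // After: an early query gets a default answer (APZ assumed enabled).
  bool AsyncPanZoomEnabledWithFallback() const {
    if (!mHasCompositorOptions) {
      return true;
    }
    return mCompositorOptions.useAPZ;
  }
};

// True when the strict query fails on the given tab.
bool StrictQueryFails(const TabModel& aTab) {
  try {
    aTab.AsyncPanZoomEnabledStrict();
    return false;
  } catch (const std::logic_error&) {
    return true;
  }
}
```

In this model the fallback answer given before `SetCompositorOptions` can differ from the answer given afterwards, so a caller that stores the early result may hold a value the real options later contradict.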
Duplicate of this bug: 1377787
Comment on attachment 8882633 [details]
Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options.

prevent crash in apz, beta55+
Attachment #8882633 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Version: 55 Branch → 53 Branch
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #19)
> [Is this code covered by automated tests?]: yes
> [Has the fix been verified in Nightly?]: yes
> [Needs manual test from QE? If yes, steps to reproduce]: no

Setting qe-verify- based on Kartikaya's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-