1403539 - Crash in mozilla::wr::ShmSegmentsWriter::AllocChunk

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect, P1)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-648e41d0-e56e-4550-825d-f891a0170927.
=============================================================

Seen while looking at nightly data: http://bit.ly/2fPA88L. Crashes started using 20170926100259. It appears based on the comments it may be confined to one user.

Comment says: I only use Firefox Nightly 58 64 bit. And this is the first time I crashed on this website tonight.

URLs:

https://www.youtube.com/watch?v=pGGBYlIYYu0
https://www.youtube.com/watch?v=bAivUvpjKLQ

Comment 1

[Vincent Liu[:vliu]]

From the analysis of crash report , all of them were hit MOZ_CRASH() in [1] from the fail return of AllocShmem(mChunkSize, shmType, &shm). Actually there is no enough information to tell the fail reason for this allocation fail. Might be OOM because there were two crash report indicate false Code: 0x8007000e(E_OUTOFMEMORY). All happens on Windows 10 and most were crashed in Parent process.

[1]: https://searchfox.org/mozilla-central/rev/f54c1723befe6bcc7229f005217d5c681128fcad/gfx/layers/wr/IpcResourceUpdateQueue.cpp#85

Comment 2

[Vincent Liu[:vliu]]

The latest build (20171002100134) still have the crash report of this signature. It seems that 0x8007000e(E_OUTOFMEMORY) only happens in part of signature on 20170926220106 build so it might not be an OOM case. Based on this, I will try to figure out how to fix this.

Comment 3

[Vincent Liu[:vliu]]

Attachment: 0001-Bug-1403539-Skip-AppendElement-for-XXXImage-if-faile.patch

Hi nical,
Here I drafted a patch to skip XXXImage to append once share memory allocated fails in Write(). Could you please have a review to see if it is reasonable for this skipping? Thanks.

Comment 4

[Nicolas Silva [:nical]]

Comment on attachment 8915427 [details] [diff] [review]
0001-Bug-1403539-Skip-AppendElement-for-XXXImage-if-faile.patch

Review of attachment 8915427 [details] [diff] [review]:
-----------------------------------------------------------------

If adding an image is fallible we have to properly support failure in the calling code. Otherwise we will refer to an image that does not exist in the display list, and update/delete images that don't exist. These memory management bugs are a lot harder to debug than this assertion so I much prefer crashing the content process here than moving the bug into the parent process.
This patch is good but we can't (or at least I would prefer we don't) do this without propagating the error up to the display list construction and not generate display items, etc.

Comment 5

[Vincent Liu[:vliu]]

Attachment: 0001-Bug-1403539-Skip-to-PushImage-in-WebRenderCommandsBu.patch

Hi nical,

As talked on IRC, the attached patch was proposed to skip to PushImage in WebRenderCommandsBuilder if AddXXXImage fails to return. In current design, it seems that only AddBlobImage was actually called from GenerateFallbackData(). Could you please have a review to see if it is fine for error handling? Thanks.

Comment 6

[Vincent Liu[:vliu]]

try : https://treeherder.mozilla.org/#/jobs?repo=try&revision=b766f4b1ae35412515a80b49bd93eea7dd8a92a0&selectedJob=136228511

Comment 7

[Pulsebot]

Pushed by vliu@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b3dddc032e3d
Skip to PushImage in WebRenderCommandsBuilder if AddXXXImage fails to return. r=nical

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/b3dddc032e3d