Crash in mozilla::layers::ClientLayerManager::ForwardTransaction

RESOLVED FIXED in Firefox 58

Status

()

defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: njn, Assigned: bas.schouten)

Tracking

({crash})

Trunk
mozilla58
Unspecified
Windows 7
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox56 unaffected, firefox57 unaffected, firefox58 fixed)

Details

(Whiteboard: [gfx-noted], crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-53ac2d4e-cff2-4a97-8128-fe2290171003.
=============================================================

Moderately frequent bug: 37 occurrences of this in the past 7 days, but 54% of those are in Nightly 58; given Nightly's small userbase this means that it's *much* more common in Nightly, as if something changed recently.

The crashing addresses are all over the place: 0x18131655, 0xd, 0xffffffffffffffff.

Looks like the recent spike started in Nightly 20170929220356, which gives this regression window:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=946b9c995ec331f4f96360409fd8d2fc49e46838&tochange=57f68296c350469d73d788eb3695a898947b4acb

That window includes the first enabling of OMTP (bug 1403935), so that could be a factor. Bas, any ideas?
Flags: needinfo?(bas)
It seems unlikely given the stack, but it's certainly hard to ignore given the data.. is there a drop after the 30th and a rise again after the 3rd?
Flags: needinfo?(bas)
Paint thread doesn't seem to be doing anything at the time of the crash.
Whiteboard: [gfx-noted]
(In reply to Bas Schouten (:bas.schouten) from comment #1)
> It seems unlikely given the stack, but it's certainly hard to ignore given
> the data.. is there a drop after the 30th and a rise again after the 3rd?

Here is a search for this signature in FF58, faceted by build id:
https://crash-stats.mozilla.com/search/?signature=~mozilla%3A%3Alayers%3A%3AClientLayerManager%3A%3AForwardTransaction&version=58.0a1&date=%3E%3D2017-09-27T23%3A45%3A00.000Z&date=%3C2017-10-04T23%3A45%3A00.000Z&_sort=-date&_facets=signature&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-build_id

The answer is: not really. No crashes on the 1st, but crashes on the 29th, 30th, and 2nd.
(In reply to Nicholas Nethercote [:njn] from comment #3)
> (In reply to Bas Schouten (:bas.schouten) from comment #1)
> > It seems unlikely given the stack, but it's certainly hard to ignore given
> > the data.. is there a drop after the 30th and a rise again after the 3rd?
> 
> Here is a search for this signature in FF58, faceted by build id:
> https://crash-stats.mozilla.com/search/
> ?signature=~mozilla%3A%3Alayers%3A%3AClientLayerManager%3A%3AForwardTransacti
> on&version=58.0a1&date=%3E%3D2017-09-27T23%3A45%3A00.000Z&date=%3C2017-10-
> 04T23%3A45%3A00.000Z&_sort=-
> date&_facets=signature&_facets=build_id&_columns=date&_columns=signature&_col
> umns=product&_columns=version&_columns=build_id&_columns=platform#facet-
> build_id
> 
> The answer is: not really. No crashes on the 1st, but crashes on the 29th,
> 30th, and 2nd.

OMTP made it back in the night of the 2nd, so it may very well have made it into that build. So I'm going to bet this is a refcounting race. I have an idea.
Yup, I'm practically certain I know the cause.
Assignee: nobody → bas
Status: NEW → ASSIGNED
Comment on attachment 8915551 [details]
Bug 1405518: Make SyncObjectClient atomically refcounted as it may be accessed both on the paint and the main thread.

https://reviewboard.mozilla.org/r/186758/#review191878
Attachment #8915551 - Flags: review?(dvander) → review+
Pushed by bschouten@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fb3f3e05a357
Make SyncObjectClient atomically refcounted as it may be accessed both on the paint and the main thread. r=dvander
https://hg.mozilla.org/mozilla-central/rev/fb3f3e05a357
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.