Closed Bug 1405814 Opened 7 years ago Closed 6 years ago

Crash in mozilla::layers::ScrollMetadata::ScrollMetadata

Categories

(Core :: Graphics: WebRender, defect, P2)

58 Branch
defect

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- disabled
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox63 --- disabled
firefox64 --- fixed
firefox65 --- fixed

People

(Reporter: philipp, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: [wr-reserve])

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-74138075-a3db-4b31-9a5c-068f00170927.
=============================================================
Crashing Thread (0)
Frame Module Signature Source
0 XUL mozilla::layers::ScrollMetadata::ScrollMetadata(mozilla::layers::ScrollMetadata const&) xpcom/ds/nsTArray.h:398
1 XUL mozilla::layers::WebRenderScrollData::AddMetadata(mozilla::layers::ScrollMetadata const&) gfx/layers/FrameMetrics.h:778
2 XUL mozilla::layers::WebRenderLayerScrollData::Initialize(mozilla::layers::WebRenderScrollData&, nsDisplayItem*, int, mozilla::ActiveScrolledRoot const*) gfx/layers/wr/WebRenderScrollData.cpp:89
3 XUL mozilla::layers::WebRenderLayerManager::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) gfx/layers/wr/WebRenderLayerManager.cpp:361
4 XUL mozilla::layers::WebRenderLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags, nsDisplayList*, nsDisplayListBuilder*) gfx/layers/wr/WebRenderLayerManager.cpp:784
5 XUL nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) layout/painting/nsDisplayList.cpp:2173
6 XUL nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3823
7 XUL mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/PresShell.cpp:6454
8 XUL nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:480
9 XUL nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:412
10 XUL nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1102
11 XUL nsRefreshDriver::Tick(long long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:2082
12 XUL mozilla::RefreshDriverTimer::TickRefreshDrivers(long long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:337
13 XUL mozilla::RefreshDriverTimer::Tick(long long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:329
14 XUL mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:770
15 XUL mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:584
16 XUL mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:67
17 XUL mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) ipc/ipdl/PVsyncChild.cpp:155
18 XUL mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:2119
19 XUL mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:2049
20 XUL mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1928
21 XUL nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1039
22 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/threads/nsThreadUtils.cpp:466
23 XUL nsBaseAppShell::NativeEventCallback() widget/nsBaseAppShell.cpp:99
24 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm:436
...

reports with this signature seem to get more common with webrender - primarily on macos and fennec. is this related to bug 1384181?
Flags: needinfo?(bugmail)
Whiteboard: [wr-mvp] [triage]
(In reply to [:philipp] from comment #0)
> reports with this signature seem to get more common with webrender -
> primarily on macos and fennec. is this related to bug 1384181?

I don't see any reports of this on Fennec. That should be impossible since webrender is not (and now cannot be) enabled on fennec. But yes, I see crashes on all three desktop platforms. It's not obvious to me from looking at the stack what the problem is, but it's something we'll need to fix.
Flags: needinfo?(bugmail)
Priority: -- → P2
Whiteboard: [wr-mvp] [triage] → [wr-mvp]
Priority: P2 → P3
Whiteboard: [wr-mvp] → [wr-reserve]
I don't see any more crashes in crash-stats that match this.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Blocks: stage-wr-trains
No longer blocks: stage-wr-nightly
We are failing to copy construct this array:
https://searchfox.org/mozilla-central/rev/e0c879c86b95bdc752b1dbff6088169735674e4a/gfx/layers/FrameMetrics.h#827

ScrollMetadata::mSnapInfo::mScrollSnapCoordinates::mHdr seems to point to an invalid location in the source data that we want to copy. This ScrollMetadata structure actually lives on the stack, a little further up the call stack:
https://searchfox.org/mozilla-central/rev/e0c879c86b95bdc752b1dbff6088169735674e4a/gfx/layers/wr/WebRenderScrollData.cpp#68-74

The Maybe<ScrollMetadata> is probably Nothing, just like in the ClipManager crash in bug 1471671.
Assignee: nobody → aosmond
Priority: P3 → P2
See Also: → 1471671
Similar to bug 1471671, we are seeing missing scroll metadata in cases we do not expect that, and have been observing low volume crashes in the wild as a result. It appears that in the non-WR path, it skips such items, so we should probably do the same thing with WebRender. If it is a real problem, we will hopefully get a reproducible test case from a user if scrolling fails for them.
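The failure and the fix described in the two comments above, modeled as an added example that is not Gecko code or part of this bug: std::optional stands in for mozilla::Maybe, and every type and function name is hypothetical.

```cpp
// Added illustration, not Gecko code. std::optional stands in for
// mozilla::Maybe; every type and function name here is hypothetical.
#include <cstddef>
#include <optional>
#include <vector>

struct ScrollMetadataModel {
    unsigned long scrollId;
    std::vector<int> snapCoordinates;  // array member duplicated on copy
};

struct ScrolledRootModel {             // constructed stand-in for one scrolled root
    unsigned long scrollId;
    bool metadataAvailable;            // false models the unexpected "Nothing" case
};

std::optional<ScrollMetadataModel> ComputeMetadata(const ScrolledRootModel& root) {
    if (!root.metadataAvailable) return std::nullopt;
    return ScrollMetadataModel{root.scrollId, {0, 100, 200}};
}

struct ScrollDataModel {
    std::vector<ScrollMetadataModel> metadata;
    std::size_t AddMetadata(const ScrollMetadataModel& m) {
        metadata.push_back(m);         // copy constructor runs here
        return metadata.size() - 1;
    }
};

// Crashing shape: owner.AddMetadata(*ComputeMetadata(root)) with no check, which
// copy-constructs from an empty optional's uninitialized storage.
// Guarded shape: skip the root when no metadata is available.
std::vector<std::size_t> CollectScrollIndices(
        ScrollDataModel& owner, const std::vector<ScrolledRootModel>& chain, std::size_t& skipped) {
    std::vector<std::size_t> indices;
    for (const ScrolledRootModel& root : chain) {
        std::optional<ScrollMetadataModel> md = ComputeMetadata(root);
        if (!md) { ++skipped; continue; }
        indices.push_back(owner.AddMetadata(*md));
    }
    return indices;
}

int main() {
    ScrollDataModel owner;
    std::size_t skipped = 0;
    std::vector<ScrolledRootModel> chain = {{1, true}, {2, false}, {3, true}};
    return CollectScrollIndices(owner, chain, skipped).size() == 2 ? 0 : 1;
}
```

Counting the skipped roots keeps the condition observable, which matters here because the comment above treats missing metadata as unexpected rather than normal.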
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1cb5cc2e2d5
Avoid crash with WebRender when the scroll metadata is unavailable. r=kats
Status: REOPENED → RESOLVED
Closed: 7 years ago → 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
I'm confused - this bug predates WebRender and we see crashes with this signature without WR on the stack:
https://crash-stats.mozilla.com/report/index/4c96f62c-a7de-4ba0-932b-5553a0181030

Is there a bug tracking these original crashes somewhere still?
Flags: needinfo?(aosmond)
Huh, never mind. I guess this bug always *was* for the WR crash. Andrew, can you please nominate this for Beta approval since the volume there seems non-negligible?
Crash Signature: [@ mozilla::layers::ScrollMetadata::ScrollMetadata] → [@ mozilla::layers::ScrollMetadata::ScrollMetadata] [@ nsTArray_Impl<T>::AppendElements<T> | mozilla::layers::ScrollMetadata::ScrollMetadata]
Comment on attachment 9020096 [details]
Bug 1405814 - Avoid crash with WebRender when the scroll metadata is unavailable.

[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined: May experience crashes while using WebRender.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): The change is not risky. The worst case is that scrolling would not work as the user expects, versus today where it crashes mid scroll.
String changes made/needed: N/A
Flags: needinfo?(aosmond)
Attachment #9020096 - Flags: approval-mozilla-beta?
Comment on attachment 9020096 [details]
Bug 1405814 - Avoid crash with WebRender when the scroll metadata is unavailable.

[Triage Comment]
Fixes a crash for users opted into the WebRender experiments on Beta. Approved for 64.0b7.
Attachment #9020096 - Flags: approval-mozilla-beta? → approval-mozilla-beta+