1417411 - tab crash on (tweaked) reveal.js

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Xavier Mouton-Dubosc]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171114220116

Steps to reproduce:

Go on https://dascritch.net/vrac/Supports/1701-CRYPTOPARTY/1705-ce_qu_on_sait_sur_WannaCry.html#/
Press → key 



Actual results:

Since last monday, the tab is crashing on Firefox Nightly (59) 



Expected results:

I'm using a old version of reveal.js with a special script.
I'm noticing that segment feature is not crashing, as with https://dascritch.net/vrac/Supports/1701-CRYPTOPARTY/faille_pebkac.html 

Some examples https://dascritch.net/vrac.php/Supports/1701-CRYPTOPARTY/

Comment 1

[Kohei Yoshino]

Please provide your crash ID: https://support.mozilla.org/kb/mozillacrashreporter

Comment 2

[Xavier Mouton-Dubosc]

https://crash-stats.mozilla.com/report/index/9a9fff57-cfa6-4266-bee2-4df630171116

Comment 3

[Jason Orendorff [:jorendorff]]

Reproduces for me. Crash seems to be in APZ.

https://crash-stats.mozilla.com/report/index/0ce74d9d-2407-4b20-bdc9-d2a3f0171116

Comment 4

[Kartikaya Gupta (email:kats@mozilla.staktrace.com)]

The crash stack in comment 3 makes no sense, it seems to be just random pieces of code that are unrelated. But I'll try reproducing in a local build and see what falls out.

Comment 5

[Kartikaya Gupta (email:kats@mozilla.staktrace.com)]

In my Nightly build I got this crash where the stack makes a lot more sense:
https://crash-stats.mozilla.com/report/index/58a1dbd0-ddfc-4b66-8050-993800171116

In my local build I got a similar stack (the equivalent with webrender disabled):

Process 43463 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010afd127a XUL`nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() [inlined] nsStyleContext::IsServo(this=0x7ffffffff0dea7ff) const at nsStyleContext.h:59 [opt]
   56  	public:
   57  	#ifdef MOZ_STYLO
   58  	  bool IsGecko() const { return !IsServo(); }
-> 59  	  bool IsServo() const { return (mBits & NS_STYLE_CONTEXT_IS_GECKO) == 0; }
   60  	#else
   61  	  bool IsGecko() const { return true; }
   62  	  bool IsServo() const { return false; }
Target 0: (plugin-container) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000010afd127a XUL`nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() [inlined] nsStyleContext::IsServo(this=0x7ffffffff0dea7ff) const at nsStyleContext.h:59 [opt]
    frame #1: 0x000000010afd127a XUL`nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() [inlined] nsStyleContext::IsGecko(this=0x7ffffffff0dea7ff) const at nsStyleContext.h:58 [opt]
    frame #2: 0x000000010afd127a XUL`nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() [inlined] nsStyleContext::GetAsGecko(this=0x7ffffffff0dea7ff) at nsStyleContextInlines.h:23 [opt]
    frame #3: 0x000000010afd127a XUL`nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>(this=0x7ffffffff0dea7ff) at nsStyleStructList.h:100 [opt]
    frame #4: 0x000000010d555e26 XUL`nsDisplayTransform::ComputePerspectiveMatrix(nsIFrame const*, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits>&) [inlined] nsStyleContext::StyleDisplay() at nsStyleStructList.h:100 [opt]
    frame #5: 0x000000010d555e21 XUL`nsDisplayTransform::ComputePerspectiveMatrix(nsIFrame const*, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits>&) [inlined] nsIFrame::StyleDisplay() const at nsStyleStructList.h:100 [opt]
    frame #6: 0x000000010d555de6 XUL`nsDisplayTransform::ComputePerspectiveMatrix(nsIFrame const*, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits>&) [inlined] nsIFrame::IsTransformed() const at nsIFrame.h:1771 [opt]
    frame #7: 0x000000010d555de6 XUL`nsDisplayTransform::ComputePerspectiveMatrix(aFrame=0x00000001487b3778, aAppUnitsPerPixel=60, aOutMatrix=0x00007ffee7610fd0) at nsDisplayList.cpp:7850 [opt]
    frame #8: 0x000000010d55c35a XUL`nsDisplayPerspective::BuildLayer(this=0x0000000149c23d18, aBuilder=<unavailable>, aManager=0x0000000108c0a240, aContainerParameters=<unavailable>) at nsDisplayList.cpp:8882 [opt]
    frame #9: 0x000000010d505e04 XUL`mozilla::ContainerState::ProcessDisplayItems(this=0x00007ffee76116a0, aList=0x0000000148d05928) at FrameLayerBuilder.cpp:4271 [opt]
    frame #10: 0x000000010d50d002 XUL`mozilla::FrameLayerBuilder::BuildContainerLayerFor(this=<unavailable>, aBuilder=0x0000000148dba000, aManager=0x0000000108c0a240, aContainerFrame=0x00000001481fadb0, aContainerItem=0x0000000148d05818, aChildren=<unavailable>, aParameters=<unavailable>, aTransform=<unavailable>, aFlags=<unavailable>) at FrameLayerBuilder.cpp:5673 [opt]
    frame #11: 0x000000010d559451 XUL`nsDisplayTransform::BuildLayer(this=0x0000000148d05818, aBuilder=0x0000000148dba000, aManager=0x0000000108c0a240, aContainerParameters=0x00007ffee7611c70) at nsDisplayList.cpp:8400 [opt]
    frame #12: 0x000000010d505e04 XUL`mozilla::ContainerState::ProcessDisplayItems(this=0x00007ffee7611fe0, aList=0x0000000148dbc910) at FrameLayerBuilder.cpp:4271 [opt]
    frame #13: 0x000000010d50d002 XUL`mozilla::FrameLayerBuilder::BuildContainerLayerFor(this=<unavailable>, aBuilder=0x0000000148dba000, aManager=0x0000000108c0a240, aContainerFrame=0x00000001481fa018, aContainerItem=0x0000000000000000, aChildren=<unavailable>, aParameters=<unavailable>, aTransform=<unavailable>, aFlags=<unavailable>) at FrameLayerBuilder.cpp:5673 [opt]
    frame #14: 0x000000010d53b0a1 XUL`nsDisplayList::PaintRoot(this=0x0000000148dbc910, aBuilder=<unavailable>, aCtx=<unavailable>, aFlags=13) at nsDisplayList.cpp:2477 [opt]
    frame #15: 0x000000010d205735 XUL`nsLayoutUtils::PaintFrame(aRenderingContext=0x0000000000000000, aFrame=0x00000001481fa018, aDirtyRegion=0x0000000000000000, aBackstop=0, aBuilderMode=<unavailable>, aFlags=<unavailable>) at nsLayoutUtils.cpp:3941 [opt]
    frame #16: 0x000000010d18fda2 XUL`mozilla::PresShell::Paint(this=0x00000001481b4000, aViewToPaint=<unavailable>, aDirtyRegion=0x00007ffee7615330, aFlags=<unavailable>) at PresShell.cpp:6496 [opt]
    frame #17: 0x000000010cdd8bc3 XUL`nsViewManager::ProcessPendingUpdatesPaint(this=<unavailable>, aWidget=0x0000000122e62400) at nsViewManager.cpp:480 [opt]
    frame #18: 0x000000010cdd8683 XUL`nsViewManager::ProcessPendingUpdatesForView(this=<unavailable>, aView=<unavailable>, aFlushDirtyRegion=<unavailable>) at nsViewManager.cpp:412 [opt]
    frame #19: 0x000000010cdd979c XUL`nsViewManager::ProcessPendingUpdates(this=<unavailable>) at nsViewManager.cpp:1102 [opt]
    frame #20: 0x000000010d149449 XUL`nsRefreshDriver::Tick(this=0x0000000148192000, aNowEpoch=<unavailable>, aNowTime=(mValue = 262186210244478)) at nsRefreshDriver.cpp:2047 [opt]
    frame #21: 0x000000010d14e2be XUL`mozilla::RefreshDriverTimer::TickRefreshDrivers(long long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [inlined] mozilla::RefreshDriverTimer::TickDriver(driver=0x0000000148192000, jsnow=<unavailable>, now=(mValue = 262186210244478)) at nsRefreshDriver.cpp:336 [opt]
    frame #22: 0x000000010d14e277 XUL`mozilla::RefreshDriverTimer::TickRefreshDrivers(this=0x00000001481726a0, aJsNow=1510860238226984, aNow=(mValue = 262186210244478), aDrivers=<unavailable>) at nsRefreshDriver.cpp:306 [opt]
    frame #23: 0x000000010d14e189 XUL`mozilla::RefreshDriverTimer::Tick(this=0x00000001481726a0, jsnow=1510860238226984, now=(mValue = 262186210244478)) at nsRefreshDriver.cpp:328 [opt]
    frame #24: 0x000000010d14f2e4 XUL`mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(this=0x000000014817c600, aVsyncTimestamp=<unavailable>) at nsRefreshDriver.cpp:682 [opt]
    frame #25: 0x000000010d14efd7 XUL`mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(this=0x000000014817c600, aVsyncTimestamp=<unavailable>) at nsRefreshDriver.cpp:583 [opt]
    frame #26: 0x000000010d4b2fd8 XUL`mozilla::layout::VsyncChild::RecvNotify(this=0x0000000108d2d1f0, aVsyncTimestamp=0x00007ffee7615838) at VsyncChild.cpp:68 [opt]
    frame #27: 0x000000010a8d3e1d XUL`mozilla::layout::PVsyncChild::OnMessageReceived(this=0x0000000108d2d1f0, msg__=<unavailable>) at PVsyncChild.cpp:155 [opt]
    frame #28: 0x000000010a83b0e0 XUL`mozilla::ipc::PBackgroundChild::OnMessageReceived(this=0x0000000109b9b000, msg__=0x000000011cbd7430) at PBackgroundChild.cpp:1815 [opt]
    frame #29: 0x000000010a6672cb XUL`mozilla::ipc::MessageChannel::DispatchAsyncMessage(this=0x0000000109b9b138, aMsg=0x000000011cbd7430) at MessageChannel.cpp:2119 [opt]
    frame #30: 0x000000010a6655f6 XUL`mozilla::ipc::MessageChannel::DispatchMessage(this=0x0000000109b9b138, aMsg=0x000000011cbd7430) at MessageChannel.cpp:2049 [opt]
    frame #31: 0x000000010a665f6e XUL`mozilla::ipc::MessageChannel::RunMessage(this=0x0000000109b9b138, aTask=<unavailable>) at MessageChannel.cpp:1895 [opt]
    frame #32: 0x000000010a6667ea XUL`mozilla::ipc::MessageChannel::MessageTask::Run(this=0x000000011cbd73d0) at MessageChannel.cpp:1928 [opt]
    frame #33: 0x000000010a0dbd38 XUL`nsThread::ProcessNextEvent(this=0x0000000108c3b0e0, aMayWait=<unavailable>, aResult=0x00007ffee7616157) at nsThread.cpp:1037 [opt]

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Hmm, I can't repro this...

Comment 7

[Emilio Cobos Álvarez (:emilio)]

This only happens with retained display lists on.

Comment 8

[Matt Woodrow (:mattwoodrow)]

Attachment: perspective-invalidation-frame

Comment 9

[Miko Mynttinen]

Comment on attachment 8929208 [details] [diff] [review]
perspective-invalidation-frame

Review of attachment 8929208 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

Comment 10

[Pulsebot]

Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa4187810b90
Invalidate nsDisplayPerspective items when the inner transform frame changes. r=miko

Comment 11

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/aa4187810b90

Comment 12

[Matt Woodrow (:mattwoodrow)]

Comment on attachment 8929208 [details] [diff] [review]
perspective-invalidation-frame

Approval Request Comment
[Feature/Bug causing the regression]: bug 1352499. This is code that is preffed off, but we want to run a shield study enabling the pref.
[User impact if declined]: None, preffed off code.
[Is this code covered by automated tests?]: Yes, when the pref is enabled.
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: Code is preffed off.
[String changes made/needed]: None

Comment 13

[Xavier Mouton-Dubosc]

If the slides' page isn't crashing the tab anymore, the rendering is flickering, disappearing, unusable, instead of the actual main version of Firefox.

Step to reproduce :
Go to https://dascritch.net/vrac/Supports/1701-CRYPTOPARTY/1705-ce_qu_on_sait_sur_WannaCry.html
Press [→] key to change tab
Then press [→] key to display segments : rendering is flickering/ hashed/ not displayed on Nightly

Comment 14

[Matt Woodrow (:mattwoodrow)]

I filed bug 1420312 for the flicking issue as the bug as initial reported here is fixed.

Comment 15

[Gerry Chang [:gchang]]

Comment on attachment 8929208 [details] [diff] [review]
perspective-invalidation-frame

Support shield study for retain display lists. Beta58+.

Comment 16

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-beta/rev/3480ca96e9cd

Comment 17

[Andrei Vaida [:avaida]]

(In reply to Matt Woodrow (:mattwoodrow) from comment #12)
> [Is this code covered by automated tests?]: Yes, when the pref is enabled.
> [Has the fix been verified in Nightly?]: Yes
> [Needs manual test from QE? If yes, steps to reproduce]: No

Has automated coverage, does not need manual testing, per Matt.