Closed
Bug 1418786
Opened 8 years ago
Closed 3 years ago
Crash in FlattenedDisplayItemIterator::GetNext
Categories
(Core :: Web Painting, defect, P1)
RESOLVED
WORKSFORME
People
(Reporter: philipp, Unassigned)
Crash Data
This bug was filed from the Socorro interface and is
report bp-fac45aff-cd2c-4a5b-adfe-5a7060171119.
=============================================================
Top 10 frames of crashing thread:
0 @0x1
1 xul.dll FlattenedDisplayItemIterator::GetNext layout/painting/nsDisplayList.h:6307
2 xul.dll mozilla::ContainerState::ProcessDisplayItems layout/painting/FrameLayerBuilder.cpp:3979
3 mozglue.dll arena_t::DallocSmall memory/build/mozjemalloc.cpp:3517
4 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor layout/painting/FrameLayerBuilder.cpp:5678
5 xul.dll nsDisplayOpacity::BuildLayer layout/painting/nsDisplayList.cpp:6266
6 xul.dll mozilla::FrameLayerBuilder::AddPaintedDisplayItem layout/painting/FrameLayerBuilder.cpp:4700
7 xul.dll mozilla::ContainerState::FinishPaintedLayerData<<lambda_32363612eb4612bf5e4e8cb38fe3dcce> > layout/painting/FrameLayerBuilder.cpp:3164
8 xul.dll mozilla::PaintedLayerDataNode::PopPaintedLayerData layout/painting/FrameLayerBuilder.cpp:2869
9 xul.dll mozilla::PaintedLayerDataNode::Finish layout/painting/FrameLayerBuilder.cpp:2833
=============================================================
These 2 signatures started showing up in 58.0b in a codepath that bug 1407815 has touched. The reports appear to be Windows only at this point and are mainly happening in the content process.
Comment 2•8 years ago
RDL is disabled in non-Nightly for now.
Updated•8 years ago
Priority: -- → P1
Comment 3•8 years ago
Marking 58:affected per report dates.
Updated•8 years ago
Group: core-security
Updated•8 years ago
Group: core-security → layout-core-security
Comment 4•8 years ago
I don't think this needs to be hidden.
This crash is the #3 top crash for OSX on the 1-17 Nightly.
Group: layout-core-security
Comment 5•8 years ago
Using the crash signature search links from above, I see a total of 11 OSX crash reports for the last week. I assume that's missing something though.
Can you link to the results that show the full set? Thanks!
Flags: needinfo?(matt.woodrow)
Comment 7•8 years ago
(In reply to Matt Woodrow (:mattwoodrow) from comment #5)
> Can you link to the results that show the full set? Thanks!
11 crashes is enough to make something a top crash for a single OSX Nightly, because the overall crash volume is so low. However, it looks like the 20180117100129 build is the only 59 build that had any of these crashes, so either it was a fluke or whatever the issue was has been fixed.
Flags: needinfo?(continuation)
Perhaps related to the retained display list changes, but appearing even when that is pref'd off. Miko, can you take a quick look?
Flags: needinfo?(mikokm)
Updated•8 years ago
status-firefox60:
--- → affected
status-firefox61:
--- → affected
Comment 9•8 years ago
Some observations regarding these crash signatures in the last six months:
- Crashes are mainly on Windows 7 (80.9%) and Windows 10 (15.5%)
- Crashes happen at simple code that *should* work.
It is very likely that the cause for these crashes is the same memory corruption problem as with bug 1359569, bug 1418807, and bug 1359233. For example, platform distribution for bug 1359233 crashes is Win7 (80.6%) and Win 10 (14%).
Sadly there is very little that can be done to fix this.
Flags: needinfo?(mikokm)
Updated•8 years ago
Flags: needinfo?(milan)
Updated•8 years ago
Flags: needinfo?(milaninbugzilla)
Comment 10•8 years ago
Lots of read and write crashes at random wildptr addresses
Group: core-security
Keywords: csectype-wildptr, sec-high
Updated•8 years ago
Group: core-security → layout-core-security
Comment 12•8 years ago
Per the recent dupe, this changed signatures in 61+.
Crash Signature: [@ FlattenedDisplayItemIterator::GetNext]
[@ FlattenedDisplayItemIterator::ResolveFlattening ] → [@ FlattenedDisplayItemIterator::GetNext]
[@ FlattenedDisplayItemIterator::ResolveFlattening ]
[@ mozilla::FLBDisplayItemIterator::ShouldFlattenNextItem]
Updated•8 years ago
status-firefox62:
--- → affected
status-firefox-esr60:
--- → affected
tracking-firefox-esr60:
--- → ?
Updated•7 years ago
Crash Signature: [@ FlattenedDisplayItemIterator::GetNext]
[@ FlattenedDisplayItemIterator::ResolveFlattening ]
[@ mozilla::FLBDisplayItemIterator::ShouldFlattenNextItem] → [@ FlattenedDisplayItemIterator::GetNext]
[@ FlattenedDisplayItemIterator::ResolveFlattening ]
[@ mozilla::FLBDisplayItemIterator::ShouldFlattenNextItem]
[@ FlattenedDisplayItemIterator::ShouldFlattenNextItem]
Updated•7 years ago
status-firefox65:
--- → affected
Updated•7 years ago
status-firefox66:
--- → affected
Updated•7 years ago
Group: layout-core-security → gfx-core-security
Comment 14•3 years ago
No crashes at all on crash stats with FlattenedDisplayItemIterator.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Comment 15•3 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•3 years ago
Group: gfx-core-security