Closed Bug 1420940 Opened 3 years ago Closed 3 years ago

Crash in mozilla::layers::CompositorVsyncScheduler::DispatchVREvents

Categories: Core :: WebVR, defect
Platform: Unspecified / Windows 10
Severity: critical

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- fixed

People

(Reporter: marcia, Assigned: daoshengmu)

Attachments (2 files)

This bug was filed from the Socorro interface and is
report bp-b1094ab3-7e51-4b78-9527-2135d0171123.
=============================================================

Seen while looking at crash stats - crashes started using 20171122103138: http://bit.ly/2BpZt2a. Marking security sensitive since I see a potential UAF. 19 crashes/22 installs.

Bug 1415762 landed in that timeframe. ni on :daoshengmu

Top 10 frames of crashing thread:

0 xul.dll mozilla::layers::CompositorVsyncScheduler::DispatchVREvents gfx/layers/ipc/CompositorVsyncScheduler.cpp:359
1 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void  xpcom/threads/nsThreadUtils.h:1192
2 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:535
3 xul.dll base::MessagePumpDefault::Run ipc/chromium/src/base/message_pump_default.cc:36
4 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:319
5 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:299
6 xul.dll base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:181
7 xul.dll `anonymous namespace'::ThreadFunc ipc/chromium/src/base/platform_thread_win.cc:28
8 kernel32.dll BaseThreadInitThunk 
9 ntdll.dll RtlUserThreadStart 

=============================================================
Flags: needinfo?
Flags: needinfo?
Group: core-security → gfx-core-security
Daosheng, can you please take a look?
Flags: needinfo?(dmu)
Assignee: nobody → dmu
Flags: needinfo?(dmu)
I think this is the mutex deadlock issue because we are using two mutexes at a function scope. Besides, we should only call DispatchVREvents() at NotifyVsync(); others like SetNeedsComposite, ScheduleComposition are not necessary.
Attachment #8933596 - Flags: review?(kgilbert)
Attachment #8933596 - Flags: review?(dvander)
Comment on attachment 8933596 [details] [diff] [review]
0001-Bug-1420940-Separate-dispatching-VR-events-to-an-ind.patch

LGTM, Thanks!
Attachment #8933596 - Flags: review?(kgilbert) → review+
Attachment #8933596 - Flags: review?(dvander) → review+
Comment on attachment 8933596 [details] [diff] [review]
0001-Bug-1420940-Separate-dispatching-VR-events-to-an-ind.patch

Please help land it to m-c. Thanks.
Attachment #8933596 - Flags: checkin?(ryanvm)
Comment on attachment 8933596 [details] [diff] [review]
0001-Bug-1420940-Separate-dispatching-VR-events-to-an-ind.patch

https://hg.mozilla.org/integration/mozilla-inbound/rev/3622fedf746420df0d82bb25ea7432715b7cea17
Attachment #8933596 - Flags: checkin?(ryanvm) → checkin+
https://hg.mozilla.org/mozilla-central/rev/3622fedf7464
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Although it appears this fix landed on 12-3, I see some crashes after that in the same stack. One example from today: https://crash-stats.mozilla.com/report/index/29455935-ce62-4f01-ac88-a42450171205
Group: gfx-core-security → core-security-release
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The root cause of this crash is that we cancel the runnable task on the Compositor thread when it has already been sent to the MessageLoop. Then, VRListenerThread executes this task asynchronously and isn't aware the runnable task has been deleted on the Compositor thread.

It is risky to cancel and execute the same task on two different threads. I decided to use a simpler way to avoid this: just adding a condition to check whether the VR task is running on a different thread.
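The cancel-versus-execute race described in the comment above, modelled as an added example (this is not Gecko code; CancelableTask, TaskQueue and the scenario functions are hypothetical names). The defensive pattern shown is that the poster never destroys a task that may already be in another thread's hands: ownership is shared, and cancellation only flips a flag that the executor checks under the same lock it runs the body under. The two threads are represented by direct calls in a fixed order so the sequence is deterministic.

```cpp
#include <memory>
#include <mutex>
#include <vector>

// Added example: a cancelable task whose lifetime is shared between the thread
// that posts (and may later cancel) it and the thread that executes it.
class CancelableTask {
public:
  explicit CancelableTask(int id) : mId(id) {}

  // Poster side: request cancellation. This only flips a flag under the lock;
  // it never frees the object, so an executor holding a reference can never
  // touch a deleted task (the failure mode the bug comment describes).
  void Cancel() {
    std::lock_guard<std::mutex> lock(mMutex);
    mCancelled = true;
  }

  // Executor side: run the body unless a cancel was observed. Check and body
  // sit under one lock, so a racing Cancel() lands either before the check
  // (body skipped) or after the body has finished (no effect).
  bool Run(std::vector<int>& dispatched) {
    std::lock_guard<std::mutex> lock(mMutex);
    if (mCancelled) {
      return false;
    }
    dispatched.push_back(mId);
    return true;
  }

private:
  std::mutex mMutex;
  bool mCancelled = false;
  const int mId;
};

// Minimal stand-in for a message-loop queue. It hands out shared_ptrs, so the
// task object lives until both the poster and the executor have let go of it.
struct TaskQueue {
  std::vector<std::shared_ptr<CancelableTask>> pending;

  std::shared_ptr<CancelableTask> Post(int id) {
    auto task = std::make_shared<CancelableTask>(id);
    pending.push_back(task);
    return task;
  }

  // Executor dequeues the oldest task; the poster's own reference stays valid.
  std::shared_ptr<CancelableTask> Take() {
    if (pending.empty()) {
      return nullptr;
    }
    auto task = pending.front();
    pending.erase(pending.begin());
    return task;
  }
};

// Scenario 1: the executor has already dequeued the task when the poster
// cancels it and releases its reference. Returns the number of events
// dispatched (expected 0: the executor sees the cancel and skips the body).
int ScenarioCancelAfterDequeue() {
  std::vector<int> dispatched;
  TaskQueue queue;
  std::shared_ptr<CancelableTask> posterRef = queue.Post(1);

  std::shared_ptr<CancelableTask> executorRef = queue.Take(); // "executor thread"

  posterRef->Cancel(); // "poster thread": cancel ...
  posterRef.reset();   // ... and release; executorRef keeps the object alive

  executorRef->Run(dispatched); // executor: observes cancel, does nothing
  return static_cast<int>(dispatched.size());
}

// Scenario 1b: after the poster releases its reference, the executor is the
// sole owner, i.e. the task was not freed out from under it.
bool PosterReleaseKeepsTaskAlive() {
  TaskQueue queue;
  std::shared_ptr<CancelableTask> posterRef = queue.Post(3);
  std::shared_ptr<CancelableTask> executorRef = queue.Take();
  posterRef.reset();
  return executorRef != nullptr && executorRef.use_count() == 1;
}

// Scenario 2: the executor runs first; a later cancel is a harmless no-op.
// Returns the number of events dispatched (expected 1).
int ScenarioRunThenCancel() {
  std::vector<int> dispatched;
  TaskQueue queue;
  std::shared_ptr<CancelableTask> posterRef = queue.Post(2);
  std::shared_ptr<CancelableTask> executorRef = queue.Take();

  bool ran = executorRef->Run(dispatched); // executor goes first
  posterRef->Cancel();                     // poster cancels too late: no effect
  return ran ? static_cast<int>(dispatched.size()) : -1;
}
```

The contrast with the crashing code is in what Cancel() is allowed to do: if the poster side deletes the task object outright, an executor that has already dequeued it dereferences freed memory; with shared ownership plus a locked cancel flag, the worst case is a body that runs once more than intended, never a use-after-free.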
Attachment #8935249 - Flags: review?(dvander)
Attachment #8935249 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/0304433368bd
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1425443
Group: core-security-release