Closed Bug 1436219 Opened 7 years ago Closed 7 years ago

Crash in arena_dalloc | mozilla::layers::ClientTiledPaintedLayer::~ClientTiledPaintedLayer

Categories

(Core :: Graphics: Layers, defect, P3)

Product:
Core
Component:
Graphics: Layers
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox60 --- fix-optional

People

(Reporter: lizzard, Assigned: rhunt)

Details

(Keywords: crash, regression, Whiteboard: [gfx-noted])

Crash Data

This bug was filed from the Socorro interface and is report bp-321ba279-a47f-4c76-8a75-8ad680180205. ============================================================= This seems to be a new content crash from the 20180204220351 build, on MacOS. Top 10 frames of crashing thread: 0 libmozglue.dylib arena_dalloc memory/build/mozjemalloc.cpp:3490 1 XUL mozilla::layers::ClientTiledPaintedLayer::~ClientTiledPaintedLayer gfx/src/nsRegion.h:75 2 XUL mozilla::layers::LayerPropertiesBase::~LayerPropertiesBase gfx/layers/LayerTreeInvalidation.cpp:177 3 XUL mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties mfbt/UniquePtr.h:528 4 XUL nsDisplayList::PaintRoot mfbt/UniquePtr.h:528 5 XUL nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:3985 6 XUL mozilla::PresShell::Paint layout/base/PresShell.cpp:6492 7 XUL nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:480 8 XUL nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:412 9 XUL nsViewManager::ProcessPendingUpdates view/nsViewManager.cpp:1102 =============================================================
Component: Graphics: WebRender → Graphics: Layers
This is a main thread crash in ClientTiledPaintedLayer destructor while doing P-OMTP. Ryan, thoughts?
Assignee: nobody → rhunt
Flags: needinfo?(rhunt)
Whiteboard: [gfx-noted]
This is an odd crash, I'm not certain that this is related to P-OMTP but it could be. The crash is at 0x8 in arena_dalloc from deallocating a nsRegion. It looks like two things are possibly happening, either the assert is failing which implies that the arena's magic has been overwritten, or the pointer to the arena is null or close to null causing us to crash evaluating the assert. I'm not sure which case it is, I tried programming some corruption in this spot to see what would happen and was not able to reproduce it. In either case it's not clear how this could happen. P-OMTP does send a region to the paint threads but it is not shared between any of them, it's always copied. And seeing this is a region inside the PaintedLayer, I'm really not sure how some sort of race condition could be happening. Looking for other reports, I think there has only been one report of this ever so if we start to get more reports I can try and dig into it further.
Flags: needinfo?(rhunt)
Marking fix-optional for 60 since we only have one example of the crash and it's not actionable so far.
status-firefox60: affectedfix-optional
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
You need to log in before you can comment on or make changes to this bug.