Closed
Bug 1440966
Opened 6 years ago
Closed 6 years ago
crash near null in [@ Frame | GetDisplayItemDataForManager]
Categories
(Core :: Web Painting, defect, P2)
Core
Web Painting
Tracking
()
RESOLVED
FIXED
mozilla60
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | + | fixed |
People
(Reporter: tsmith, Assigned: mattwoodrow)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
|
398 bytes,
text/html
|
Details | |
|
9.02 KB,
patch
|
jnicol
:
review+
|
Details | Diff | Splinter Review |
Found with m-c 20180224-bfe62272d2a2
It may take a few attempts to trigger the failure with the testcase.
==16140==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f88afba7261 bp 0x7ffc7c458290 sp 0x7ffc7c458230 T0)
==16140==The signal is caused by a READ memory access.
==16140==Hint: address points to the zero page.
#0 0x7f88afba7260 in Frame src/layout/painting/nsDisplayList.h:2240:12
#1 0x7f88afba7260 in GetDisplayItemDataForManager src/layout/painting/FrameLayerBuilder.cpp:2060
#2 0x7f88afba7260 in mozilla::FrameLayerBuilder::StoreOptimizedLayerForFrame(nsDisplayItem*, mozilla::layers::Layer*) src/layout/painting/FrameLayerBuilder.cpp:2002
#3 0x7f88afbb51ec in FinishPaintedLayerData<(lambda at src/layout/painting/FrameLayerBuilder.cpp:2875:50)> src/layout/painting/FrameLayerBuilder.cpp:3226:24
#4 0x7f88afbb51ec in mozilla::PaintedLayerDataNode::PopPaintedLayerData() src/layout/painting/FrameLayerBuilder.cpp:2875
#5 0x7f88afbb625c in PopAllPaintedLayerData src/layout/painting/FrameLayerBuilder.cpp:2885:5
#6 0x7f88afbb625c in Finish src/layout/painting/FrameLayerBuilder.cpp:2839
#7 0x7f88afbb625c in mozilla::PaintedLayerDataTree::Finish() src/layout/painting/FrameLayerBuilder.cpp:2899
#8 0x7f88afbdb584 in mozilla::ContainerState::Finish(unsigned int*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:5373:25
#9 0x7f88afbde309 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:5759:9
#10 0x7f88afca9c82 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) src/layout/painting/nsDisplayList.cpp:7067:5
#11 0x7f88afbcac66 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:4406:38
#12 0x7f88afbde0f2 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:5752:9
#13 0x7f88afc6650f in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) src/layout/painting/nsDisplayList.cpp:2556:9
#14 0x7f88afc6886a in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2746:20
#15 0x7f88af3b11db in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:4016:12
#16 0x7f88af294c0e in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6483:5
#17 0x7f88ae9ebfbc in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#18 0x7f88ae9ead8c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#19 0x7f88ae9ee6a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#20 0x7f88af1ebcc9 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2063:11
#21 0x7f88af1f3dc4 in nsRefreshDriver::FinishedWaitingForTransaction() src/layout/base/nsRefreshDriver.cpp:2171:5
#22 0x7f88a9a02a93 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) src/gfx/layers/client/ClientLayerManager.cpp:532:32
#23 0x7f88a9af5863 in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) src/gfx/layers/ipc/CompositorBridgeChild.cpp:543:8
#24 0x7f88a89a08ef in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1441:20
#25 0x7f88a80cc82e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2110:25
#26 0x7f88a80c98a7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2040:17
#27 0x7f88a80cafac in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1886:5
#28 0x7f88a80cb608 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1919:15
#29 0x7f88a71faef4 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#30 0x7f88a7216eb0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#31 0x7f88a80d494a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#32 0x7f88a8024c39 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#33 0x7f88a8024c39 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#34 0x7f88a8024c39 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#35 0x7f88aea73dca in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#36 0x7f88b2f3894b in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288:30
#37 0x7f88b3144c4c in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4679:22
#38 0x7f88b3147b9c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4814:8
#39 0x7f88b3148fe4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4906:21
#40 0x4f6d45 in do_main src/browser/app/nsBrowserApp.cpp:231:22
#41 0x4f6d45 in main src/browser/app/nsBrowserApp.cpp:304
#42 0x7f88c68f982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#43 0x4265bc in _start (firefox+0x4265bc)Flags: in-testsuite?
|
Assignee | |
Comment 1•6 years ago
|
||
I haven't been able to reproduce this yet, but I think I understand the issue. We have an item in a PaintedLayer that tries to build an inactive layer, fails, and takes the early return from AddPaintedDisplayItem (which clears mItem). We've also decided to optimize the PaintedLayer into one of the specialized types (probably ColorLayer). I can't find any item that could do both of these things, but I think you could have an opaque nsDisplayColor on top of another item that uses an inactive layer to get this effect. When building the optimized Layer in FinishPaintedLayerData we iterate over mAssignedDisplayItems again, and dereference mItem, which crashes. I think we can just reorder these operations and deal with the optimized Layer first, and then this isn't an issue.
|
|
Assignee | |
Comment 2•6 years ago
|
||
Regression from bug 1435648, which is when we started mutating mAssignedDisplayItems.
Blocks: 1435648
|
|
Assignee | |
Comment 3•6 years ago
|
||
Assignee: nobody → matt.woodrow
Attachment #8954589 -
Flags: review?(jnicol)
|
|
Assignee | |
Updated•6 years ago
|
Crash Signature: [@ GetDisplayItemDataForManager] → [@ GetDisplayItemDataForManager]
[@ mozilla::FrameLayerBuilder::GetDisplayItemDataForManager]
|
||
Updated•6 years ago
|
Attachment #8954589 -
Flags: review?(jnicol) → review+
|
|
Assignee | |
Updated•6 years ago
|
Priority: -- → P2
Pushed by mwoodrow@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b3cf1b5c14cc Store optimized Layer in DisplayItemData as part of AddPaintedLayerFor. r=jnicol
|
||
Comment 6•6 years ago
|
||
Backed out changeset 1c81ecf47268 (bug 1438990) for build bustages on a CLOSED TREE Log of the bustage: https://taskcluster-artifacts.net/UL4OFeZvR_6YVZFXGCqN3w/0/public/logs/live_backing.log Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/545df7f2c6bcfdab972b22b95fa3fd92b1df07c8 Push that got backout: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=b3cf1b5c14cc373f90fda4f109e35bef5f69f84f&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-classifiedState=unclassified
Flags: needinfo?(matt.woodrow)
Pushed by mwoodrow@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1a8e77cb2c21 Store optimized Layer in DisplayItemData as part of AddPaintedLayerFor. r=jnicol
|
||
Comment 8•6 years ago
|
||
Backed out for reftest failures e.g. async-scrolling/bg-fixed-child-mask.html==async-scrolling/bg-fixed-child-mask-ref.html Push that caused the failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=1a8e77cb2c21d4f42dd3e90fdcbece7a633b473b Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=166423669&repo=mozilla-inbound&lineNumber=3079 Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/aa30c92136b8cdeb7389022592900ed097add981
|
||
Updated•6 years ago
|
status-firefox58:
--- → unaffected
status-firefox59:
--- → unaffected
status-firefox-esr52:
--- → unaffected
tracking-firefox60:
--- → +
Keywords: regression
|
||
Comment 9•6 years ago
|
||
Bughunter found a reproducible case where it reliably crashes Linux Nightly/60 on load at http://www.velikolepnyivek.com/online/2_season/45_seriya.php
|
||
Comment 10•6 years ago
|
||
Pushed by mwoodrow@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fe859b4ec63c Store optimized Layer in DisplayItemData as part of AddPaintedLayerFor. r=jnicol
|
||
Comment 11•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/fe859b4ec63c
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
||
Updated•6 years ago
|
Flags: qe-verify+
|
||
Comment 12•6 years ago
|
||
I've tried to reproduce this issue, but unfortunately it didn't crashed on my side. I used the testcase from comment 0 and the website from comment 9 on Nightly 60.0a1 (2018-02-24) asan build and Nightly 60.0a1 (2018-02-24) regular build, under Ubuntu 16.04 x64/x86 and Ubuntu 14.04. Hi Matt, I'm wondering if there's anything else I can try here, in order to reproduce this bug? Thanks!
|
|
Assignee | |
Comment 13•6 years ago
|
||
(In reply to Ciprian Georgiu, QA [:ciprian_georgiu] from comment #12) > I've tried to reproduce this issue, but unfortunately it didn't crashed on > my side. I used the testcase from comment 0 and the website from comment 9 > on Nightly 60.0a1 (2018-02-24) asan build and Nightly 60.0a1 (2018-02-24) > regular build, under Ubuntu 16.04 x64/x86 and Ubuntu 14.04. > > Hi Matt, > > I'm wondering if there's anything else I can try here, in order to reproduce > this bug? Thanks! I was never able to reproduce this either unfortunately.
Flags: needinfo?(matt.woodrow)
You need to log in
before you can comment on or make changes to this bug.
Description
•