Closed Bug 1443518 Opened 7 years ago Closed 7 years ago

Crash in mozilla::layers::InputBlockState::SetConfirmedTargetApzc

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Platform:
Unspecified
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 + verified
firefox61 --- verified

People

(Reporter: calixte, Assigned: mikokm)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(6 files, 1 obsolete file)

1443518.png
202.90 KB, image/png
Details
bug1443518-1.png
51.23 KB, image/png
Details
Reduced testcase
409 bytes, text/html
Details
Display list dump with LayerEventRegions (layout.simple-event-region-items=false)
15.33 KB, text/plain
Details
Display list dump with CompositorHitTestInfo (layout.simple-event-region-items=true)
16.60 KB, text/plain
Details
Bug 1443518 - Fix incorrect CompositorHitTestInfo ordering for inline lines
59 bytes, text/x-review-board-request
mattwoodrow
: review+
jcristau
: approval-mozilla-beta+
Details
This bug was filed from the Socorro interface and is report bp-1bd0164f-4a34-40ef-8c25-7c6110180306. ============================================================= Top 10 frames of crashing thread: 0 xul.dll mozilla::layers::InputBlockState::SetConfirmedTargetApzc gfx/layers/apz/src/InputBlockState.cpp:70 1 xul.dll mozilla::layers::InputQueue::ConfirmDragBlock gfx/layers/apz/src/InputQueue.cpp:721 2 xul.dll mozilla::layers::APZCTreeManager::StartScrollbarDrag gfx/layers/apz/src/APZCTreeManager.cpp:758 3 xul.dll mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::layers::IAPZCTreeManager>, void xpcom/threads/nsThreadUtils.h:1200 4 xul.dll mozilla::layers::APZThreadUtils::RunOnControllerThread gfx/layers/apz/util/APZThreadUtils.cpp:65 5 xul.dll mozilla::layers::APZCTreeManagerParent::RecvStartScrollbarDrag gfx/layers/ipc/APZCTreeManagerParent.cpp:279 6 xul.dll mozilla::layers::PAPZCTreeManagerParent::OnMessageReceived ipc/ipdl/PAPZCTreeManagerParent.cpp:448 7 xul.dll mozilla::layers::PCompositorManagerParent::OnMessageReceived ipc/ipdl/PCompositorManagerParent.cpp:121 8 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage ipc/glue/MessageChannel.cpp:2133 9 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW ipc/glue/MessageChannel.cpp:2063 ============================================================= There are 3 crashes (from 1 installation) in nightly 60 with buildid 20180306100123. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1437694. [1] https://hg.mozilla.org/mozilla-central/rev?node=c0b2aa2dc564
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox60: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(botond)
Yes, this is definitely caused by bug 1437694. The diagnostic assert firing indicates an underlying bug in compositor hit testing. If people who are experiencing this crash could provide STR (in particular, what page the crash occurred on), that would be very helpful.
OS: Windows 10 → All
Assignee: nobody → botond
Flags: needinfo?(botond)
STR 1. https://www.marketwatch.com/story/now-the-bad-news-and-slightly-less-horrible-news-about-saving-for-retirement-2018-03-07 2. Select investment style select and attempt to scroll the choices. Reproduced with Today's Nightly on macos. bp-8ee7d37f-99e8-4384-964e-fee0a0180307
(In reply to Bob Clary [:bc:] from comment #2) > 2. Select investment style select and attempt to scroll the choices. Hmm, I can't find that on the page. Any chance you could post a screenshot?
Attached image 1443518.png
Just above Get Your Score, the select begins with Growth with I...
Attached image bug1443518-1.png
Interesting, I get a different widget there that doesn't have such a dropdown (the "Annually" dropdown is not scrollable).
You are in Toronto which may be related to the difference. Can you proxy through Mountain View?
Attached file Reduced testcase
Meanwhile, I was given another URL privately, and reduced it to the attached testcase.
Attachment #8957026 - Attachment mime type: text/plain → text/html
There's a layer with an empty visible region but a nonempty hit region that's on top of the scroll frame and eating the events.
Miko, this appears to be a regression from bug 1434243. I got display list dumps with CompositorHitTestInfo items (the default) and LayerEventRegions items (with layout.simple-event-region-items=false), attached. In the CompositorHitTestInfo dump, there is a CompositorHitTestInfo item (p=0x7fad4de281a0) in front of the other items which creates an invisible layer (0x7fad4de9f400) that eats the events. There is no such LayerEventRegions item in the LayerEventRegions dump. Coudl you have a look?
Blocks: 1434243
Flags: needinfo?(mikokm)
The new CompositorHitTestInfo item is created because the CompositorHitTestInfo (p=0x7fad4de287a0) above has an empty area, and fails the check at [1]. With LayerEventRegions items, the child item was merged with the empty parent item. I need to investigate more to figure out what the expected behavior here is. [1]: https://searchfox.org/mozilla-central/rev/33cc9e0331da8d9ff3750f1e68d72d61201176cb/layout/painting/nsDisplayList.cpp#2287
Flags: needinfo?(mikokm)
Since this ended up being a bug with display list item ordering, I've moved this to the appropriate component. The problem was that the CompositorHitTestInfo item was placed in the child content list, because the line box was inline[1]. This caused it to get incorrectly positioned above the floats. [1]: https://searchfox.org/mozilla-central/rev/588d8120aa11738657da93e09a03378bcd1ba8ec/layout/generic/nsBlockFrame.cpp#6642
Assignee: botond → mikokm
Status: NEW → ASSIGNED
Component: Panning and Zooming → Layout: Web Painting
Comment on attachment 8957556 [details] Bug 1443518 - Fix incorrect CompositorHitTestInfo ordering for inline lines https://reviewboard.mozilla.org/r/226432/#review232626 Does the same bug not also exist for LayerEventRegions? The conditions to trigger it are probably different (since we combine frames under different conditions), but I think the underlying logic bug is still there. I realise we're phasing that out, but it might be worth moving both while we're at it.
Attachment #8957556 - Flags: review?(matt.woodrow) → review+
(In reply to Matt Woodrow (:mattwoodrow) from comment #17) > Comment on attachment 8957556 [details] > Bug 1443518 - Fix incorrect CompositorHitTestInfo ordering for inline lines > > https://reviewboard.mozilla.org/r/226432/#review232626 > > Does the same bug not also exist for LayerEventRegions? The conditions to > trigger it are probably different (since we combine frames under different > conditions), but I think the underlying logic bug is still there. > > I realise we're phasing that out, but it might be worth moving both while > we're at it. I think it does exist for LayerEventRegions as well, but as you mentioned, combining frames avoids this particular problem. My opinion would be to leave this behavior as it is for LayerEventRegions. This way we could preserve this more mature codepath for reference if we get any more regressions like this. Even if we decide to fix this, we would get almost no testing for this change, as nsDisplayCompositorEventRegion items are used by default.
Pushed by mikokm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/271e8d061124 Fix incorrect CompositorHitTestInfo ordering for inline lines r=mattwoodrow
Thank you for fixing this, Miko!
https://hg.mozilla.org/mozilla-central/rev/271e8d061124
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Please request uplift to beta when you get a chance.
tracking-firefox60: --- → +
Flags: needinfo?(mikokm)
Comment on attachment 8957556 [details] Bug 1443518 - Fix incorrect CompositorHitTestInfo ordering for inline lines Approval Request Comment [Feature/Bug causing the regression]: An assertion added in bug 1437694 uncovered an existing problem with CompositorHitTestInfo display item ordering. [User impact if declined]: Possible crashes in Dev edition and Nightly due to MOZ_DIAGNOSTIC_ASSERT. In other versions possibly buggy scrollbar behavior. [Is this code covered by automated tests?]: No. As this feature requires dragging the scrollbar, implementing automated test is complicated. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: Yes. STR: 1) Open the attached "Reduced testcase" (https://bug1443518.bmoattachments.org/attachment.cgi?id=8957026) 2) Drag the vertical scrollbar under the text "A line of text that overflows..." back and forth a couple of times. Expected results: No crash and scrolling the text works. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: Low risk. [Why is the change risky/not risky?]: The problem and the fix are well understood and simple. The crash rates for this signature have significantly dropped since this patch was introduced. [String changes made/needed]: None.
Flags: needinfo?(mikokm)
Attachment #8957556 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Comment on attachment 8957556 [details] Bug 1443518 - Fix incorrect CompositorHitTestInfo ordering for inline lines scrollbar crash fix, beta60+
Attachment #8957556 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
the patch seems to have somewhat reduced the volume of the crash, but the crash signature is still around in current builds. should we reopen this bug or file a new one about the remaining crashes?
Flags: needinfo?(mikokm)
Please file a new bug. Additional URLs that triggered this crash have been provided to me privately, and I plan to test them and reduce them as appropriate. Thanks!
Flags: needinfo?(mikokm)
See Also: → 1447131
Managed to reproduce this crash using the STR from comment 23, on an affected Nightly build (60.0a1, 2018-03-06) - https://crash-stats.mozilla.com/report/index/d3cdd22b-c99b-4dd3-b118-e5a520180320 I cannot reproduce it anymore on latest Nightly 61.01 (2018-03-20) and Beta 60.0b5 (20180319175655) on the following OSes: Windows 10 x64, Mac OS X 10.11 and Ubuntu 16.04 x64. Since the crash signature is fixed on my side and the remaining crashes will be addressed in bug 1447131, I will close this issue as verified fixed.
Status: RESOLVED → VERIFIED
status-firefox60: fixedverified
status-firefox61: fixedverified
Flags: qe-verify+
Blocks: 1449759
(In reply to Miko Mynttinen [:miko] from comment #23) > [Is this code covered by automated tests?]: No. As this feature requires > dragging the scrollbar, implementing automated test is complicated. We've actually recently built out infrastructure to test scrollbar dragging (or at least, hit testing over scrollbars) in APZ mochitests. I'll write one in bug 1449759.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: