Closed Bug 1468020 Opened 7 years ago Closed 7 years ago

blob-invalidation: Crash in mozilla::layers::Grouper::ConstructGroupInsideInactive

Categories

(Core :: Graphics: WebRender, defect, P1)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- disabled
firefox62 --- disabled
firefox63 --- fixed

People

(Reporter: jan, Assigned: kats)

References

(Blocks 1 open bug)

Details

(Keywords: crash, nightly-community, regression, Whiteboard: [gfx-noted])

Crash Data

Attachments

(6 files)

testcase.html
17.53 KB, text/html
Details
Fix
1.39 KB, patch
mstange
: review+
Details | Diff | Splinter Review
Bug 1468020 - Extract helper function to avoid duplicated code.
59 bytes, text/x-review-board-request
mstange
: review+
Details
Bug 1468020 - Add crashtest.
59 bytes, text/x-review-board-request
mstange
: review+
Details
Bug 1468020 - Conform to static analysis bot suggestion.
59 bytes, text/x-review-board-request
mstange
: review+
Details
Bug 1468020 - Don't layerize filter and mask items.
59 bytes, text/x-review-board-request
mstange
: review+
Details
This crash reason has been introduced by bug 1388842.
Summary: Crash in mozilla::layers::Grouper::ConstructGroupInsideInactive → blob-invalidation: Crash in mozilla::layers::Grouper::ConstructGroupInsideInactive
Assignee: nobody → a.beingessner
Blocks: stage-wr-trains
Priority: -- → P1
Whiteboard: [gfx-noted]
Tab immediately crashes on http://myphoneandme.vodafone.com.tr/
Crash Signature: [@ mozilla::layers::Grouper::ConstructGroupInsideInactive ] → [@ mozilla::layers::Grouper::ConstructGroupInsideInactive ] [@ void mozilla::layers::Grouper::ConstructGroupInsideInactive]
(In reply to get_logan from comment #2) > Tab immediately crashes on http://myphoneandme.vodafone.com.tr/ Thank you! Instant tab crash. bp-d52d8335-fbe8-49ea-89f8-df4ec0180721 As expected: RUST_BACKTRACE=1 mozregression --good 2018-03-25 --bad 2018-07-21 -B debug --pref gfx.webrender.all:true -a http://myphoneandme.vodafone.com.tr/ > 10:25.99 INFO: Last good revision: 38cfaf35c4c1b2761c97c78769496b3181a6eedc > 10:25.99 INFO: First bad revision: 2a2282923b5abdf8b95bad5a59e694ac8e744883 > 10:25.99 INFO: Pushlog: > https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=38cfaf35c4c1b2761c97c78769496b3181a6eedc&tochange=2a2282923b5abdf8b95bad5a59e694ac8e744883 > 2a2282923b5a Jeff Muizelaar — Bug 1450015. Enable blob invalidation by default. r=gankro
Blocks: 1450015
Keywords: regression
Has Regression Range: --- → yes
Has STR: --- → yes
This is now the #1 WR topcrash by a large margin.
Blocks: stage-wr-nightly
No longer blocks: stage-wr-trains
Linux was mostly me. But those 11 crashes on Windows (https://bit.ly/2uLRomM) made this indeed to the weekend's top crash when the shield study apparently functioned for one browsing session (bug 1477380).
Stealing
Assignee: a.beingessner → bugmail
So I think the problem here is that IsItemProbablyActive [1] only checks a couple of display item types. In particular, the item could be a wrap list type which contains an active 2D transform item, and this function would report it as inactive. And then later when trying to add the item it blows up. [1] https://searchfox.org/mozilla-central/rev/d160ac574a5798010eda4e33e91ee628aa268a33/gfx/layers/wr/WebRenderCommandBuilder.cpp#904
Attached patch Fix — — Splinter Review
I'll work on a crashtest as well. This patch fixes it on the reproducible URL though.
Attachment #8994335 - Flags: review?(jmuizelaar)
Comment on attachment 8994335 [details] [diff] [review] Fix Review of attachment 8994335 [details] [diff] [review]: ----------------------------------------------------------------- mstange is probably a better reviewer
Attachment #8994335 - Flags: review?(jmuizelaar) → review?(mstange)
Attachment #8994335 - Flags: review?(mstange) → review+
Landing fix, adding leave-open for crashtest.
Keywords: leave-open
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e15e56fa50cf More correctly detect active items in the grouper. r=mstange
Jan's testcase from comment 4 works quite well and is pretty reduced already (thanks!). I'll just use that (minus the script tags which are unnecessary).
Comment on attachment 8994341 [details] Bug 1468020 - Extract helper function to avoid duplicated code. https://reviewboard.mozilla.org/r/258926/#review265888 Code analysis found 1 defect in this patch: - 1 defect found by clang-tidy You can run this analysis locally with: - `./mach static-analysis check path/to/file.cpp` (C/C++) If you see a problem in this automated review, please report it here: http://bit.ly/2y9N9Vx ::: gfx/layers/wr/WebRenderCommandBuilder.cpp:1055 (Diff revision 1) > +{ > + nsDisplayList* children = aItem->GetChildren(); > > - if (item->GetType() == DisplayItemType::TYPE_TRANSFORM) { > - nsDisplayTransform* transformItem = static_cast<nsDisplayTransform*>(item); > + if (aItem->GetType() == DisplayItemType::TYPE_TRANSFORM) { > + nsDisplayTransform* transformItem = static_cast<nsDisplayTransform*>(aItem); > - Matrix4x4Flagged t = transformItem->GetTransform(); > + Matrix4x4Flagged t = transformItem->GetTransform(); Warning: The variable 't' is copy-constructed from a const reference but is only used as const reference; consider making it a const reference [clang-tidy: performance-unnecessary-copy-initialization] Matrix4x4Flagged t = transformItem->GetTransform(); ~~~~~~~~~~~~~~~~ ^ const &
Depends on: 1478035
This patch will cause us to try to layerize filter and mask items but that will fail because we don't support doing so in WebRender yet.
I added another patch to this set to address comment 21. Not sure if that's the best solution though.
Comment on attachment 8994602 [details] Bug 1468020 - Don't layerize filter and mask items. https://reviewboard.mozilla.org/r/259136/#review266164
Attachment #8994602 - Flags: review?(mstange) → review+
Comment on attachment 8994345 [details] Bug 1468020 - Conform to static analysis bot suggestion. https://reviewboard.mozilla.org/r/258930/#review266166
Attachment #8994345 - Flags: review?(mstange) → review+
Comment on attachment 8994341 [details] Bug 1468020 - Extract helper function to avoid duplicated code. https://reviewboard.mozilla.org/r/258926/#review266168
Attachment #8994341 - Flags: review?(mstange) → review+
Comment on attachment 8994342 [details] Bug 1468020 - Add crashtest. https://reviewboard.mozilla.org/r/258928/#review266170 Does this test use filters or masks anywhere? I couldn't find any.
Attachment #8994342 - Flags: review?(mstange) → review+
No, this test is just for the original crash. I'll try to reduce the digitalocean page into another crashtest. I can put that on bug 1478035 which should be addressed with this patchset.
Keywords: leave-open
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eb6a2ae68d09 Don't layerize filter and mask items. r=mstange https://hg.mozilla.org/integration/autoland/rev/866492bf5ccf Conform to static analysis bot suggestion. r=mstange https://hg.mozilla.org/integration/autoland/rev/621ab5087373 Extract helper function to avoid duplicated code. r=mstange https://hg.mozilla.org/integration/autoland/rev/262d541a474f Add crashtest. r=mstange
Backed out 4 changesets (bug 1468020) for crashtest failures on gfx/tests/crashtests/1468020.html Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=262d541a474f4d8b5eef4b78353b2e4b721b6079 Backout link: https://hg.mozilla.org/integration/autoland/rev/8d36664d8695c095f5a66ceb79a8f989bf1038d8 Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=189889619&repo=autoland&lineNumber=13372 [task 2018-07-24T19:39:27.611Z] 19:39:27 INFO - REFTEST TEST-START | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1468020.html [task 2018-07-24T19:39:27.613Z] 19:39:27 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1468020.html | 1203 / 3583 (33%) [task 2018-07-24T19:39:27.683Z] 19:39:27 INFO - REFTEST TEST-PASS | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1468020.html | (LOAD ONLY) [task 2018-07-24T19:39:27.683Z] 19:39:27 INFO - REFTEST TEST-END | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1468020.html [task 2018-07-24T19:39:27.812Z] 19:39:27 INFO - [Parent 938, Gecko_IOThread] WARNING: pipe error (83): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353 [task 2018-07-24T19:39:27.820Z] 19:39:27 INFO - ###!!! [Parent][MessageChannel] Error: (msgtype=0x17007E,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv [task 2018-07-24T19:39:27.821Z] 19:39:27 INFO - ###!!! [Parent][MessageChannel] Error: (msgtype=0x17007E,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv [task 2018-07-24T19:39:27.822Z] 19:39:27 INFO - ###!!! [Parent][MessageChannel] Error: (msgtype=0x17007E,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv [task 2018-07-24T19:39:27.984Z] 19:39:27 INFO - A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down [task 2018-07-24T19:39:28.284Z] 19:39:28 INFO - !!! error running onStopped callback: TypeError: callback is not a function [task 2018-07-24T19:39:28.342Z] 19:39:28 INFO - JavaScript error: chrome://reftest/content/reftest.jsm, line 1558: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPropertyBag2.getPropertyAsAString] [task 2018-07-24T19:39:28.421Z] 19:39:28 INFO - 1532461168409 Marionette DEBUG Received observer notification xpcom-will-shutdown [task 2018-07-24T19:39:28.421Z] 19:39:28 INFO - 1532461168410 Marionette INFO Stopped listening on port 2828 [task 2018-07-24T19:39:28.421Z] 19:39:28 INFO - 1532461168410 Marionette DEBUG Remote service is inactive [task 2018-07-24T19:39:28.529Z] 19:39:28 INFO - REFTEST INFO | Downloading symbols from: https://queue.taskcluster.net/v1/task/KTTTC5w1QICpZyYo4VYcjg/artifacts/public/build/target.crashreporter-symbols.zip [task 2018-07-24T19:39:33.944Z] 19:39:33 INFO - REFTEST INFO | Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpajBzZN.mozrunner/minidumps/1dd292e2-e14a-9264-3b66-203670066b3a.dmp /tmp/tmpdJtN4x [task 2018-07-24T19:39:42.379Z] 19:39:42 INFO - REFTEST INFO | Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/1dd292e2-e14a-9264-3b66-203670066b3a.dmp [task 2018-07-24T19:39:42.380Z] 19:39:42 INFO - REFTEST INFO | Saved app info as /builds/worker/workspace/build/blobber_upload_dir/1dd292e2-e14a-9264-3b66-203670066b3a.extra [task 2018-07-24T19:39:42.520Z] 19:39:42 INFO - REFTEST PROCESS-CRASH | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1468020.html | application crashed [@ mozilla::layers::Grouper::ConstructItemInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayItem*, mozilla::layers::StackingContextHelper const&)] [task 2018-07-24T19:39:42.521Z] 19:39:42 INFO - Crash dump filename: /tmp/tmpajBzZN.mozrunner/minidumps/1dd292e2-e14a-9264-3b66-203670066b3a.dmp [task 2018-07-24T19:39:42.522Z] 19:39:42 INFO - Operating system: Linux [task 2018-07-24T19:39:42.522Z] 19:39:42 INFO - 0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64 [task 2018-07-24T19:39:42.523Z] 19:39:42 INFO - CPU: amd64 [task 2018-07-24T19:39:42.524Z] 19:39:42 INFO - family 6 model 62 stepping 4 [task 2018-07-24T19:39:42.524Z] 19:39:42 INFO - 2 CPUs [task 2018-07-24T19:39:42.525Z] 19:39:42 INFO - [task 2018-07-24T19:39:42.526Z] 19:39:42 INFO - GPU: UNKNOWN [task 2018-07-24T19:39:42.526Z] 19:39:42 INFO - [task 2018-07-24T19:39:42.527Z] 19:39:42 INFO - Crash reason: SIGSEGV [task 2018-07-24T19:39:42.528Z] 19:39:42 INFO - Crash address: 0x0 [task 2018-07-24T19:39:42.529Z] 19:39:42 INFO - Process uptime: not available [task 2018-07-24T19:39:42.529Z] 19:39:42 INFO - [task 2018-07-24T19:39:42.530Z] 19:39:42 INFO - Thread 0 (crashed) [task 2018-07-24T19:39:42.531Z] 19:39:42 INFO - 0 libxul.so!mozilla::layers::Grouper::ConstructItemInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayItem*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1060 + 0x0] [task 2018-07-24T19:39:42.531Z] 19:39:42 INFO - rax = 0x0000000000636c80 rdx = 0x00007fff9df7c6d0 [task 2018-07-24T19:39:42.532Z] 19:39:42 INFO - rcx = 0x00007fff9df7c660 rbx = 0x00007f053244b320 [task 2018-07-24T19:39:42.533Z] 19:39:42 INFO - rsi = 0x00007f05972e9c80 rdi = 0x00007f053244b320 [task 2018-07-24T19:39:42.533Z] 19:39:42 INFO - rbp = 0x00007fff9df7b790 rsp = 0x00007fff9df7b730 [task 2018-07-24T19:39:42.534Z] 19:39:42 INFO - r8 = 0x00007f053228c7b8 r9 = 0x00007f053244b320 [task 2018-07-24T19:39:42.535Z] 19:39:42 INFO - r10 = 0x00007f057dc10be0 r11 = 0x00007f053221e508 [task 2018-07-24T19:39:42.536Z] 19:39:42 INFO - r12 = 0x00007fff9df7bac0 r13 = 0x00007f053228c7b8 [task 2018-07-24T19:39:42.536Z] 19:39:42 INFO - r14 = 0x00007f053244b480 r15 = 0x00007f0589530250 [task 2018-07-24T19:39:42.537Z] 19:39:42 INFO - rip = 0x00007f05931e96ef [task 2018-07-24T19:39:42.538Z] 19:39:42 INFO - Found by: given as instruction pointer in context [task 2018-07-24T19:39:42.538Z] 19:39:42 INFO - 1 libxul.so!mozilla::layers::Grouper::ConstructGroupInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayList*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1041 + 0x1e] [task 2018-07-24T19:39:42.539Z] 19:39:42 INFO - rbx = 0x00007fff9df7bf90 rbp = 0x00007fff9df7b7f0 [task 2018-07-24T19:39:42.540Z] 19:39:42 INFO - rsp = 0x00007fff9df7b7a0 r12 = 0x00007f053244b320 [task 2018-07-24T19:39:42.540Z] 19:39:42 INFO - r13 = 0x00007fff9df7c6d0 r14 = 0x00007f0589530250 [task 2018-07-24T19:39:42.541Z] 19:39:42 INFO - r15 = 0x00007fff9df7bac0 rip = 0x00007f05931e986e [task 2018-07-24T19:39:42.542Z] 19:39:42 INFO - Found by: call frame info [task 2018-07-24T19:39:42.542Z] 19:39:42 INFO - 2 libxul.so!mozilla::layers::Grouper::ConstructItemInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayItem*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1071 + 0x18] [task 2018-07-24T19:39:42.543Z] 19:39:42 INFO - rbx = 0x00007f053244b720 rbp = 0x00007fff9df7b870 [task 2018-07-24T19:39:42.544Z] 19:39:42 INFO - rsp = 0x00007fff9df7b800 r12 = 0x00007fff9df7bac0 [task 2018-07-24T19:39:42.545Z] 19:39:42 INFO - r13 = 0x00007f053228c7b8 r14 = 0x00007f053244b880 [task 2018-07-24T19:39:42.546Z] 19:39:42 INFO - r15 = 0x00007f0589530250 rip = 0x00007f05931e912b [task 2018-07-24T19:39:42.547Z] 19:39:42 INFO - Found by: call frame info [task 2018-07-24T19:39:42.548Z] 19:39:42 INFO - 3 libxul.so!mozilla::layers::Grouper::ConstructGroupInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayList*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1041 + 0x1e] [task 2018-07-24T19:39:42.549Z] 19:39:42 INFO - rbx = 0x00007fff9df7bf90 rbp = 0x00007fff9df7b8d0 [task 2018-07-24T19:39:42.550Z] 19:39:42 INFO - rsp = 0x00007fff9df7b880 r12 = 0x00007f053244b720 [task 2018-07-24T19:39:42.551Z] 19:39:42 INFO - r13 = 0x00007fff9df7c6d0 r14 = 0x00007f0589530250 [task 2018-07-24T19:39:42.552Z] 19:39:42 INFO - r15 = 0x00007fff9df7bac0 rip = 0x00007f05931e986e [task 2018-07-24T19:39:42.553Z] 19:39:42 INFO - Found by: call frame info [task 2018-07-24T19:39:42.553Z] 19:39:42 INFO - 4 libxul.so!mozilla::layers::Grouper::ConstructItemInsideInactive(mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayItem*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1071 + 0x18] [task 2018-07-24T19:39:42.554Z] 19:39:42 INFO - rbx = 0x00007f05325caf20 rbp = 0x00007fff9df7b950 [task 2018-07-24T19:39:42.555Z] 19:39:42 INFO - rsp = 0x00007fff9df7b8e0 r12 = 0x00007fff9df7bac0 [task 2018-07-24T19:39:42.556Z] 19:39:42 INFO - r13 = 0x00007f053228c7b8 r14 = 0x00007f05325cafd0 [task 2018-07-24T19:39:42.557Z] 19:39:42 INFO - r15 = 0x00007f0589530250 rip = 0x00007f05931e912b [task 2018-07-24T19:39:42.558Z] 19:39:42 INFO - Found by: call frame info [task 2018-07-24T19:39:42.559Z] 19:39:42 INFO - 5 libxul.so!mozilla::layers::Grouper::ConstructGroups(nsDisplayListBuilder*, mozilla::layers::WebRenderCommandBuilder*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::DIGroup*, nsDisplayList*, mozilla::layers::StackingContextHelper const&) [WebRenderCommandBuilder.cpp:262d541a474f4d8b5eef4b78353b2e4b721b6079 : 1020 + 0x21] [task 2018-07-24T19:39:42.560Z] 19:39:42 INFO - rbx = 0x00007fff9df7bac0 rbp = 0x00007fff9df7ba10 [task 2018-07-24T19:39:42.561Z] 19:39:42 INFO - rsp = 0x00007fff9df7b960 r12 = 0x00007f05325caf20 [task 2018-07-24T19:39:42.561Z] 19:39:42 INFO - r13 = 0x00007f053228c7b8 r14 = 0x00007f05321525e0 [task 2018-07-24T19:39:42.562Z] 19:39:42 INFO - r15 = 0x00007f053228c7b8 rip = 0x00007f05931fca31
Apparently I failed to test that patch properly locally, dunno what happened there. In this instance the ancestors of the active transform display item include not just a wrap list but also a nsDisplayPerspective item, so we need to check for that as well when checking for activeness. I've updated the patch accordingly, and (hopefully) did a better job of local testing this time.
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/47b1f2eefc59 Don't layerize filter and mask items. r=mstange https://hg.mozilla.org/integration/autoland/rev/cdc2638ea716 Conform to static analysis bot suggestion. r=mstange https://hg.mozilla.org/integration/autoland/rev/97633e742179 Extract helper function to avoid duplicated code. r=mstange https://hg.mozilla.org/integration/autoland/rev/dde6c15ddbd3 Add crashtest. r=mstange
See Also: → 1480160
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: