Closed
Bug 1469528
Opened 6 years ago
Closed 6 years ago
Crash in free.cold.85 | mozilla::wr::Moz2DRenderCallback
Categories
(Core :: Graphics: WebRender, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox61 | --- | disabled |
firefox62 | --- | disabled |
firefox63 | --- | fixed |
People
(Reporter: jan, Assigned: kats)
References
(Blocks 1 open bug, )
Details
(Keywords: crash, nightly-community, Whiteboard: [gfx-noted])
Crash Data
Attachments
(1 file)
Seen on Socorro. There was bug 1452409 in the past. bp-5eb53e9a-50fd-4308-97ae-b27980180618 build 20180617220505 Linux > MOZ_RELEASE_ASSERT((uintptr_t(aPtr) - (uintptr_t(run) + bin->mRunFirstRegionOffset)) % size == 0)
Assignee | ||
Comment 1•6 years ago
|
||
Looks like this is in jemalloc: https://searchfox.org/mozilla-central/rev/f822a0b61631cbb38901569e69b4967176314aa8/memory/build/mozjemalloc.cpp#3428
Component: Graphics: WebRender → Memory Allocator
Assignee | ||
Comment 2•6 years ago
|
||
Oh, I guess based on https://bugzilla.mozilla.org/show_bug.cgi?id=1452409#c3 this might be us abusing jemalloc rather than a bug in jemalloc itself.
Component: Memory Allocator → Graphics: WebRender
Assignee | ||
Comment 3•6 years ago
|
||
I can repro this on a macOS local build by scrolling down on https://bug1294843.bmoattachments.org/attachment.cgi?id=8780694
Has STR: --- → yes
Assignee | ||
Comment 4•6 years ago
|
||
Investigation so far shows that the recorded command stream is bad, in that there is a PopClip early on without a preceding PushClip/PushClipREct. And so while translating the command stream we pop the clip from [1], and then after we're done the translation we try popping it again and that crashes. [1] https://searchfox.org/mozilla-central/rev/d0a41d2e7770fc00df7844d5f840067cc35ba26f/gfx/webrender_bindings/Moz2DImageRenderer.cpp#272
Reporter | ||
Updated•6 years ago
|
Crash Signature: [@ free.cold.85 | mozilla::wr::Moz2DRenderCallback ]
Assignee | ||
Comment 5•6 years ago
|
||
I think this is a bug in the blob merging algorithm. The blobs generated on the client side seem to be fine in that they don't try to Pop something that wasn't pushed, but after merging the blob update message into the blob image already on the parent side, it ends up with a command sequence that has a pop before a push.
Assignee | ||
Comment 6•6 years ago
|
||
I *think* the problem is that after doing the Save() call at [1], we're not flushing the item. So the PushClip that can happen on the DT as part of Save() gets smushed into some other item. Same goes for the Restore(). So then during blob merging we can end up with the PushClip/PopClip getting moved around and that causes the problem. Throwing in some FlushItem() calls after those Save() and Restore() calls seems to fix it for me, but I'll test this more thoroughly tomorrow. [1] https://searchfox.org/mozilla-central/rev/d0a41d2e7770fc00df7844d5f840067cc35ba26f/gfx/layers/wr/WebRenderCommandBuilder.cpp#754
Comment hidden (mozreview-request) |
Assignee | ||
Comment 8•6 years ago
|
||
Pretty sure this is the right thing, although I really don't have much understanding of this code.
Assignee: nobody → bugmail
Comment 9•6 years ago
|
||
I'll look at this tomorrow.
Assignee | ||
Comment 10•6 years ago
|
||
Sure, no rush. This isn't a very high volume crash.
Updated•6 years ago
|
Comment 11•6 years ago
|
||
mozreview-review |
Comment on attachment 8986936 [details] Bug 1469528 - Flush the clip push/pop draw commands so they don't end up in the wrong entry. https://reviewboard.mozilla.org/r/252168/#review263218 ::: gfx/layers/wr/WebRenderCommandBuilder.cpp:755 (Diff revision 1) > DisplayItemClip currentClip = aItem->GetClip(); > > gfx::Matrix matrix; > if (currentClip.HasClip()) { > aContext->Save(); > + aContext->GetDrawTarget()->FlushItem(aItemBounds); I think the FlushItem should actually come after the ApplyTo because we want to include that clipping operation in that Transform item and not in the following item.
Attachment #8986936 -
Flags: review?(jmuizelaar) → review-
Assignee | ||
Comment 12•6 years ago
|
||
mozreview-review |
Comment on attachment 8986936 [details] Bug 1469528 - Flush the clip push/pop draw commands so they don't end up in the wrong entry. https://reviewboard.mozilla.org/r/252168/#review263480 ::: gfx/layers/wr/WebRenderCommandBuilder.cpp:755 (Diff revision 1) > DisplayItemClip currentClip = aItem->GetClip(); > > gfx::Matrix matrix; > if (currentClip.HasClip()) { > aContext->Save(); > + aContext->GetDrawTarget()->FlushItem(aItemBounds); Ok, that makes sense. I was also wondering about the aContext->SetMatrix(matrix) call on line 770, in the case where the item doesn't have a clip. Does that need to be flushed as well? Otherwise that SetTransform operation might end up in the wrong item as well.
Comment hidden (mozreview-request) |
Comment 14•6 years ago
|
||
mozreview-review |
Comment on attachment 8986936 [details] Bug 1469528 - Flush the clip push/pop draw commands so they don't end up in the wrong entry. https://reviewboard.mozilla.org/r/252168/#review263524
Attachment #8986936 -
Flags: review?(jmuizelaar) → review+
Comment 15•6 years ago
|
||
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #12) > > Ok, that makes sense. I was also wondering about the > aContext->SetMatrix(matrix) call on line 770, in the case where the item > doesn't have a clip. Does that need to be flushed as well? Otherwise that > SetTransform operation might end up in the wrong item as well. The transform is recorded at each item boundary so we don't have to have separate items for matrix manipulations.
Comment 16•6 years ago
|
||
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5953de4f6aa8 Flush the clip push/pop draw commands so they don't end up in the wrong entry. r=jrmuizel
Comment 17•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/5953de4f6aa8
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•6 years ago
|
status-firefox61:
--- → disabled
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•