Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]

RESOLVED FIXED in Firefox 64

Status: RESOLVED FIXED (priority P1, severity critical); reported 5 months ago, last updated 4 months ago

People: Reporter: calixte; Assigned: jrmuizel

Tracking: Blocks 3 bugs; keywords: crash, regression
Version: Trunk; Target Milestone: mozilla64; Platform: Unspecified; OS: All

Firefox Tracking Flags: firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 disabled, firefox64 fixed

Attachments: 2 attachments

Description (Reporter, 5 months ago)

This bug was filed from the Socorro interface and is report bp-1a6f231e-f58f-4637-ae9b-2ff320180825.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll static bool mozilla::wr::Moz2DRenderCallback gfx/webrender_bindings/Moz2DImageRenderer.cpp:311
1 xul.dll wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:377
2 xul.dll static void rayon::iter::plumbing::bridge_producer_consumer::helper<rayon::vec::VecProducer<webrender_bindings::moz2d_renderer::{{impl}}::rasterize::Job>, rayon::iter::map::MapConsumer<rayon::iter::collect::consumer::CollectConsumer< third_party/rust/rayon/src/iter/plumbing/mod.rs:418
3 xul.dll static void rayon_core::job::{{impl}}::execute<rayon_core::latch::SpinLatch, closure,  third_party/rust/rayon-core/src/job.rs:113
4 xul.dll static void rayon_core::registry::WorkerThread::wait_until_cold<rayon_core::latch::CountLatch> third_party/rust/rayon-core/src/registry.rs:567
5 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure,  src/libstd/sys_common/backtrace.rs:137
6 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/boxed.rs:640
7 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/thread.rs:55
8 kernel32.dll BaseThreadInitThunk 
9 mozglue.dll static void patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:662

=============================================================

There is 1 crash in nightly 63 with buildid 20180824100112. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1473943.

[1] https://hg.mozilla.org/mozilla-central/rev?node=73ffc23ea21b
Flags: needinfo?(jmuizelaar)
> MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(aBlob.length() > sizeof(size_t))
Blocks: 1357819
status-firefox63: affected → disabled
Blocks: 1386674
Priority: -- → P3
Crash Signature: [@ static bool mozilla::wr::Moz2DRenderCallback] → [@ static bool mozilla::wr::Moz2DRenderCallback] [@ wr_moz2d_render_cb ] [@ mozilla::wr::Moz2DRenderCallback ] [@ Moz2DRenderCallback ]
OS: Windows 10 → All
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t))
Created attachment 9007582 [details]
2018-09-09_13-51-22.mp4

(Asif Youssuff from bug 1466613 comment 15)
> I am seeing this crash when navigating to
> https://movielens.org/profile/about-your-ratings

> bp-0367742f-d339-4caf-b85e-27c9a0180908

(Mayank Bansal from bug 1466613 comment 19)
> I created a test account, and did some random ratings to generate the graphs.
> You can use this login:   testing123456:testing123

Debian Testing, KDE, Xorg, GTX 1060
I zoomed to 110%, pressed F5 and zoomed in to 120% and back to 110% by Ctrl+Mousewheel.
If it crashed once, just resuming the session is enough: the tab loads at 110% zoom and automatically crashes. Resetting to 100% zoom does not help.
It seems that the top left diagram does not expand to the right when it crashes.
bp-037ee29e-5941-42cf-a48b-376000180909
(Mayank Bansal from bug 1466613 comment 17)
> I got crashes like these when opening blank Google Sheets and typing something. But it's not 100% reproducible.
> https://crash-stats.mozilla.com/report/index/85aaeae6-440d-4664-ac92-35f760180909

(Francois Guerraz from bug 1466613 comment 7)
> Created attachment 9007176 [details]
> ASAN crash report
> 
> I can reproduce it reliably while editing a google slide presentation, attached is the ASAN crash report.

(Francois Guerraz from bug 1466613 comment 9)
> Yes, create a new presentation:
> https://docs.google.com/presentation/
> Click the "blank template", start typing a title in the big title box, and voilà.
> 
> It's pretty much unusable, anything I try to do with slides leads to a crash.
Assignee: nobody → jmuizelaar
Blocks: 1386665
No longer blocks: 1386674
status-firefox64: --- → affected
Priority: P3 → P1
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]
(Assignee)

Updated

4 months ago
Assignee: jmuizelaar → nobody
Flags: needinfo?(jmuizelaar)
Assignee: nobody → a.beingessner
I'm hitting this on http://questionablecontent.net/. Beware if it gets into your session history, because it crashes early during the page load.
(Assignee)

Updated

4 months ago
Assignee: a.beingessner → jmuizelaar
(Assignee)

Comment 5

4 months ago
I've reproduced this locally on movielens.
(Assignee)

Comment 6

4 months ago
I was able to trace this a bit. It looks like we're ending up with an extra-short blob after merging.
(Assignee)

Comment 7

4 months ago
Created attachment 9008246 [details]
Bug 1486198. Be more accepting of empty blob images
Comment on attachment 9008246 [details]
Bug 1486198. Be more accepting of empty blob images

Markus Stange [:mstange] has approved the revision.
Attachment #9008246 - Flags: review+
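The crash above is a release assertion (`aBlob.length() > sizeof(size_t)`) firing on a blob that became shorter than the header it expects after merging, and the fix is titled "Be more accepting of empty blob images". The following is an added illustration of that defensive pattern, not Mozilla's code and not the actual patch: it assumes a hypothetical blob layout of a `size_t` payload length followed by the payload, and it shows a validator that treats an empty blob as "nothing to draw", rejects a blob too short to hold its header as malformed, and only reads the header once the length has been checked, instead of aborting the process on short input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Outcome of validating a serialized blob before rasterizing it.
enum class BlobStatus { Empty, Ok, Malformed };

// A checked view into the payload that follows the header.
struct BlobView {
    const uint8_t* payload = nullptr;
    size_t payloadLen = 0;
};

// Predicate mirroring the release assertion quoted in the bug:
// a blob must be strictly longer than a size_t or the process aborts.
bool StrictAssertHolds(size_t blobLen) {
    return blobLen > sizeof(size_t);
}

// Hypothetical wire format (assumption, not WebRender's real one):
// a size_t payload length, then that many payload bytes.
// Validates without asserting; every read is guarded by a length check.
BlobStatus ValidateBlob(const uint8_t* data, size_t len, BlobView* out) {
    if (len == 0) {
        // Nothing to draw. A legitimate result of merging blobs whose
        // contents cancelled out; skip rendering rather than crash.
        return BlobStatus::Empty;
    }
    if (len < sizeof(size_t)) {
        // Too short to even hold the header: refuse instead of reading
        // past the end of the buffer.
        return BlobStatus::Malformed;
    }
    size_t declared = 0;
    std::memcpy(&declared, data, sizeof(size_t));
    if (declared > len - sizeof(size_t)) {
        // Header claims more payload than the buffer actually carries.
        return BlobStatus::Malformed;
    }
    out->payload = data + sizeof(size_t);
    out->payloadLen = declared;
    return BlobStatus::Ok;
}

// Builds a blob in the hypothetical format; used only to construct samples.
std::vector<uint8_t> MakeBlob(const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> blob(sizeof(size_t));
    size_t n = payload.size();
    std::memcpy(blob.data(), &n, sizeof(size_t));
    blob.insert(blob.end(), payload.begin(), payload.end());
    return blob;
}

// Stand-in for a render callback: returns true when the blob was handled
// (drawn, or legitimately empty), false only when it is malformed.
bool RenderBlob(const uint8_t* data, size_t len) {
    BlobView view;
    switch (ValidateBlob(data, len, &view)) {
        case BlobStatus::Empty:     return true;  // skip drawing, no abort
        case BlobStatus::Ok:        return true;  // rasterize view.payload here
        case BlobStatus::Malformed: return false;
    }
    return false;
}
```

Note the difference in what each policy does with the two boundary cases: a zero-length blob and a header-only blob (exactly `sizeof(size_t)` bytes, declaring no payload) both fail `StrictAssertHolds`, while `ValidateBlob` reports the first as `Empty` and the second as `Ok` with an empty payload, and reserves `Malformed` for buffers that cannot be read safely.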

Comment 9

4 months ago
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c34d1145c5e
Be more accepting of empty blob images r=mstange

Updated

4 months ago
Blocks: 1330487

Comment 10

4 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1c34d1145c5e
Status: NEW → RESOLVED
Last Resolved: 4 months ago
status-firefox64: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64