Closed
Bug 1486198
Opened 6 years ago
Closed 6 years ago
Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]
Categories
(Core :: Graphics: WebRender, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla64
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | disabled |
| firefox64 | --- | fixed |
People
(Reporter: calixte, Assigned: jrmuizel)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
This bug was filed from the Socorro interface and is report bp-1a6f231e-f58f-4637-ae9b-2ff320180825. ============================================================= Top 10 frames of crashing thread: 0 xul.dll static bool mozilla::wr::Moz2DRenderCallback gfx/webrender_bindings/Moz2DImageRenderer.cpp:311 1 xul.dll wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:377 2 xul.dll static void rayon::iter::plumbing::bridge_producer_consumer::helper<rayon::vec::VecProducer<webrender_bindings::moz2d_renderer::{{impl}}::rasterize::Job>, rayon::iter::map::MapConsumer<rayon::iter::collect::consumer::CollectConsumer< third_party/rust/rayon/src/iter/plumbing/mod.rs:418 3 xul.dll static void rayon_core::job::{{impl}}::execute<rayon_core::latch::SpinLatch, closure, third_party/rust/rayon-core/src/job.rs:113 4 xul.dll static void rayon_core::registry::WorkerThread::wait_until_cold<rayon_core::latch::CountLatch> third_party/rust/rayon-core/src/registry.rs:567 5 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure, src/libstd/sys_common/backtrace.rs:137 6 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/boxed.rs:640 7 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/thread.rs:55 8 kernel32.dll BaseThreadInitThunk 9 mozglue.dll static void patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:662 ============================================================= There is 1 crash in nightly 63 with buildid 20180824100112. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1473943. [1] https://hg.mozilla.org/mozilla-central/rev?node=73ffc23ea21b
Flags: needinfo?(jmuizelaar)
|
||
Comment 1•6 years ago
|
||
> MOZ_CRASH Reason MOZ_RELEASE_ASSERT(aBlob.length() > sizeof(size_t))Blocks: wr-stability
|
||
Updated•6 years ago
|
Blocks: stage-wr-next
Priority: -- → P3
|
|
||
Updated•6 years ago
|
Crash Signature: [@ static bool mozilla::wr::Moz2DRenderCallback] → [@ static bool mozilla::wr::Moz2DRenderCallback]
[@ wr_moz2d_render_cb ]
[@ mozilla::wr::Moz2DRenderCallback ]
[@ Moz2DRenderCallback ]
OS: Windows 10 → All
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t))
|
|
||
Comment 2•6 years ago
|
||
(Asif Youssuff from bug 1466613 comment 15) > I am seeing this crash when navigating to > https://movielens.org/profile/about-your-ratings > bp-0367742f-d339-4caf-b85e-27c9a0180908 (Mayank Bansal from bug 1466613 comment 19) > I created a test account, and did some random ratings to generate the graphs. > You can use this login: testing123456:testing123 Debian Testing, KDE, Xorg, GTX 1060 I zoomed to 110%, pressed F5 and zommed in to 120% and back to 110% by Ctrl+Mousewheel. If it crashed once, just resuming the seession is enough: The tab loads at 110% zoom and automatically crashes. Resetting to 100% zoom does not help. It seems that the top left diagram does not expand to the right when it crashes. bp-037ee29e-5941-42cf-a48b-376000180909
|
|
||
Comment 3•6 years ago
|
||
(Mayank Bansal from bug 1466613 comment 17) > I got crashes like these when opening blank google sheets and typing something. But its not 100% reproducible. > https://crash-stats.mozilla.com/report/index/85aaeae6-440d-4664-ac92-35f760180909 (Francois Guerraz from bug 1466613 comment 7) > Created attachment 9007176 [details] > ASAN crash report > > I can reproduce it reliably while editing a google slide presentation, attached is the ASAN crash report. (Francois Guerraz from bug 1466613 comment 9) > Yes, create a new presentation: > https://docs.google.com/presentation/ > Click the "blank template", start typing a title in the big title box, and voilà. > > It's pretty much unusable, anything I try to do with slides leads to a crash.
|
|
||
Updated•6 years ago
|
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]
|
Assignee | |
Updated•6 years ago
|
Assignee: jmuizelaar → nobody
Flags: needinfo?(jmuizelaar)
|
|
||
Updated•6 years ago
|
Assignee: nobody → a.beingessner
|
||
Comment 4•6 years ago
|
||
I'm hitting this on http://questionablecontent.net/. Beware if it gets into your session history, because it crashes early during the page load.
|
|
Assignee | |
Updated•6 years ago
|
Assignee: a.beingessner → jmuizelaar
|
|
Assignee | |
Comment 5•6 years ago
|
||
I've reproduced this locally on movielens
|
|
Assignee | |
Comment 6•6 years ago
|
||
I was able to trace this a bit. It looks like we're ending up with extra-short blob after merging.
|
|
Assignee | |
Comment 7•6 years ago
|
||
|
||
Comment 8•6 years ago
|
||
Comment on attachment 9008246 [details] Bug 1486198. Be more accepting of empty blob images Markus Stange [:mstange] has approved the revision.
Attachment #9008246 -
Flags: review+
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1c34d1145c5e Be more accepting of empty blob images r=mstange
|
||
Comment 10•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1c34d1145c5e
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
You need to log in
before you can comment on or make changes to this bug.
Description
•