Closed Bug 1486198 Opened 6 years ago Closed 6 years ago

Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]


(Core :: Graphics: WebRender, defect, P1)




Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- disabled
firefox64 --- fixed


(Reporter: calixte, Assigned: jrmuizel)


(Blocks 2 open bugs)


(Keywords: crash, regression)

Crash Data


(2 files)

This bug was filed from the Socorro interface and is report bp-1a6f231e-f58f-4637-ae9b-2ff320180825.

Top 10 frames of crashing thread:

0 xul.dll static bool mozilla::wr::Moz2DRenderCallback gfx/webrender_bindings/Moz2DImageRenderer.cpp:311
1 xul.dll wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:377
2 xul.dll static void rayon::iter::plumbing::bridge_producer_consumer::helper<rayon::vec::VecProducer<webrender_bindings::moz2d_renderer::{{impl}}::rasterize::Job>, rayon::iter::map::MapConsumer<rayon::iter::collect::consumer::CollectConsumer< third_party/rust/rayon/src/iter/plumbing/
3 xul.dll static void rayon_core::job::{{impl}}::execute<rayon_core::latch::SpinLatch, closure,  third_party/rust/rayon-core/src/
4 xul.dll static void rayon_core::registry::WorkerThread::wait_until_cold<rayon_core::latch::CountLatch> third_party/rust/rayon-core/src/
5 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure,  src/libstd/sys_common/
6 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/
7 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/
8 kernel32.dll BaseThreadInitThunk 
9 mozglue.dll static void patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:662


There is 1 crash in nightly 63 with buildid 20180824100112. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1473943.

Flags: needinfo?(jmuizelaar)
> MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(aBlob.length() > sizeof(size_t))
Priority: -- → P3
Crash Signature: [@ static bool mozilla::wr::Moz2DRenderCallback] → [@ static bool mozilla::wr::Moz2DRenderCallback] [@ wr_moz2d_render_cb ] [@ mozilla::wr::Moz2DRenderCallback ] [@ Moz2DRenderCallback ]
OS: Windows 10 → All
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t))
See Also: → 1466613
Attached video 2018-09-09_13-51-22.mp4
(Asif Youssuff from bug 1466613 comment 15)
> I am seeing this crash when navigating to

> bp-0367742f-d339-4caf-b85e-27c9a0180908

(Mayank Bansal from bug 1466613 comment 19)
> I created a test account, and did some random ratings to generate the graphs.
> You can use this login:   testing123456:testing123

Debian Testing, KDE, Xorg, GTX 1060
I zoomed to 110%, pressed F5 and zoomed in to 120% and back to 110% by Ctrl+Mousewheel.
If it crashed once, just resuming the session is enough: The tab loads at 110% zoom and automatically crashes. Resetting to 100% zoom does not help.
It seems that the top left diagram does not expand to the right when it crashes.
(Mayank Bansal from bug 1466613 comment 17)
> I got crashes like these when opening blank google sheets and typing something. But it's not 100% reproducible.

(Francois Guerraz from bug 1466613 comment 7)
> Created attachment 9007176 [details]
> ASAN crash report
> I can reproduce it reliably while editing a google slide presentation, attached is the ASAN crash report.

(Francois Guerraz from bug 1466613 comment 9)
> Yes, create a new presentation:
> Click the "blank template", start typing a title in the big title box, and voilà.
> It's pretty much unusable, anything I try to do with slides leads to a crash.
Assignee: nobody → jmuizelaar
Blocks: stage-wr-nightly
No longer blocks: stage-wr-next
Priority: P3 → P1
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]
Assignee: jmuizelaar → nobody
Flags: needinfo?(jmuizelaar)
Assignee: nobody → a.beingessner
I'm hitting this on Beware if it gets into your session history, because it crashes early during the page load.
Assignee: a.beingessner → jmuizelaar
I've reproduced this locally on movielens
I was able to trace this a bit. It looks like we're ending up with an extra-short blob after merging.
Comment on attachment 9008246 [details]
Bug 1486198. Be more accepting of empty blob images

Markus Stange [:mstange] has approved the revision.
Attachment #9008246 - Flags: review+
Pushed by
Be more accepting of empty blob images r=mstange
Blocks: 1330487
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64