Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]

RESOLVED FIXED in Firefox 64

Status

Type: defect
Priority: P1
Severity: critical
Status: RESOLVED FIXED
Reported: 10 months ago
Modified: 9 months ago

People

(Reporter: calixte, Assigned: jrmuizel)

Tracking

(Blocks 2 bugs, {crash, regression})

Version: Trunk
Target Milestone: mozilla64
Platform: Unspecified
OS: All

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 disabled, firefox64 fixed)

Details

(crash signature)

Attachments

(2 attachments)

Reporter

Description

10 months ago
This bug was filed from the Socorro interface and is report bp-1a6f231e-f58f-4637-ae9b-2ff320180825.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll static bool mozilla::wr::Moz2DRenderCallback gfx/webrender_bindings/Moz2DImageRenderer.cpp:311
1 xul.dll wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:377
2 xul.dll static void rayon::iter::plumbing::bridge_producer_consumer::helper<rayon::vec::VecProducer<webrender_bindings::moz2d_renderer::{{impl}}::rasterize::Job>, rayon::iter::map::MapConsumer<rayon::iter::collect::consumer::CollectConsumer< third_party/rust/rayon/src/iter/plumbing/mod.rs:418
3 xul.dll static void rayon_core::job::{{impl}}::execute<rayon_core::latch::SpinLatch, closure,  third_party/rust/rayon-core/src/job.rs:113
4 xul.dll static void rayon_core::registry::WorkerThread::wait_until_cold<rayon_core::latch::CountLatch> third_party/rust/rayon-core/src/registry.rs:567
5 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure,  src/libstd/sys_common/backtrace.rs:137
6 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/boxed.rs:640
7 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/thread.rs:55
8 kernel32.dll BaseThreadInitThunk 
9 mozglue.dll static void patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:662

=============================================================

There is 1 crash in nightly 63 with buildid 20180824100112. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1473943.

[1] https://hg.mozilla.org/mozilla-central/rev?node=73ffc23ea21b
Flags: needinfo?(jmuizelaar)
> MOZ_CRASH Reason 	MOZ_RELEASE_ASSERT(aBlob.length() > sizeof(size_t))
Priority: -- → P3
Crash Signature: [@ static bool mozilla::wr::Moz2DRenderCallback] → [@ static bool mozilla::wr::Moz2DRenderCallback] [@ wr_moz2d_render_cb ] [@ mozilla::wr::Moz2DRenderCallback ] [@ Moz2DRenderCallback ]
OS: Windows 10 → All
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t))
See Also: → 1466613
(Asif Youssuff from bug 1466613 comment 15)
> I am seeing this crash when navigating to
> https://movielens.org/profile/about-your-ratings

> bp-0367742f-d339-4caf-b85e-27c9a0180908

(Mayank Bansal from bug 1466613 comment 19)
> I created a test account, and did some random ratings to generate the graphs.
> You can use this login:   testing123456:testing123

Debian Testing, KDE, Xorg, GTX 1060
I zoomed to 110%, pressed F5 and zoomed in to 120% and back to 110% by Ctrl+Mousewheel.
If it crashed once, just resuming the session is enough: The tab loads at 110% zoom and automatically crashes. Resetting to 100% zoom does not help.
It seems that the top left diagram does not expand to the right when it crashes.
bp-037ee29e-5941-42cf-a48b-376000180909
(Mayank Bansal from bug 1466613 comment 17)
> I got crashes like these when opening blank google sheets and typing something. But it's not 100% reproducible.
> https://crash-stats.mozilla.com/report/index/85aaeae6-440d-4664-ac92-35f760180909

(Francois Guerraz from bug 1466613 comment 7)
> Created attachment 9007176 [details]
> ASAN crash report
> 
> I can reproduce it reliably while editing a google slide presentation, attached is the ASAN crash report.

(Francois Guerraz from bug 1466613 comment 9)
> Yes, create a new presentation:
> https://docs.google.com/presentation/
> Click the "blank template", start typing a title in the big title box, and voilà.
> 
> It's pretty much unusable, anything I try to do with slides leads to a crash.
Assignee: nobody → jmuizelaar
Blocks: stage-wr-nightly
No longer blocks: stage-wr-next
Priority: P3 → P1
Summary: Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) → Crash in static bool mozilla::wr::Moz2DRenderCallback (aBlob.length() > sizeof(size_t)) [Google Slides]
Assignee

Updated

9 months ago
Assignee: jmuizelaar → nobody
Flags: needinfo?(jmuizelaar)
Assignee: nobody → a.beingessner
I'm hitting this on http://questionablecontent.net/. Beware if it gets into your session history, because it crashes early during the page load.
Assignee

Updated

9 months ago
Assignee: a.beingessner → jmuizelaar
Assignee

Comment 5

9 months ago
I've reproduced this locally on movielens
Assignee

Comment 6

9 months ago
I was able to trace this a bit. It looks like we're ending up with extra-short blob after merging.
Comment on attachment 9008246 [details]
Bug 1486198. Be more accepting of empty blob images

Markus Stange [:mstange] has approved the revision.
Attachment #9008246 - Flags: review+

Comment 9

9 months ago
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c34d1145c5e
Be more accepting of empty blob images r=mstange
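Comment 6 traces the assert to an extra-short blob coming out of merging, and the landed patch is titled "Be more accepting of empty blob images". The C++ below is an added illustration of that defensive pattern and is not Mozilla's code: the strict, abort-on-short-input shape of the length precondition sits beside a parse that treats a zero-length or trailer-only blob as a valid "nothing to draw" and rejects a trailer whose declared index offset does not fit in the buffer. The blob layout (command bytes, then index bytes, then a size_t trailer holding the index offset), the Blob struct and every function name are assumptions made for this example, not the real WebRender blob format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Assumed blob layout for this example (NOT the real WebRender format):
//   [command bytes][index bytes][size_t trailer = byte offset of the index]
// A blob that is empty, or that is nothing but the trailer, carries no
// drawing commands at all.
struct Blob {
  const uint8_t* data;
  size_t length;
};

enum class RenderStatus { Empty, Rendered, Malformed };

// "Before" shape of the check: a hard precondition on the buffer length.
// Like a release assert, a short blob aborts the process instead of being
// treated as nothing to draw. Kept only for comparison; do not call it on
// input that may legitimately be empty.
size_t IndexOffsetStrict(const Blob& aBlob) {
  if (!(aBlob.length > sizeof(size_t))) {
    std::abort();  // stands in for the release assert firing
  }
  size_t offset;
  std::memcpy(&offset, aBlob.data + aBlob.length - sizeof(size_t), sizeof(size_t));
  return offset;
}

// Hardened parse: empty and trailer-only blobs are accepted as "nothing to
// draw"; a trailer whose declared index offset lies outside the payload is
// rejected before any byte past the buffer is touched.
RenderStatus RenderBlob(const Blob& aBlob, size_t* aCommandBytes) {
  *aCommandBytes = 0;
  if (aBlob.length <= sizeof(size_t)) {
    return RenderStatus::Empty;  // no room for commands: valid, draws nothing
  }
  const size_t payload = aBlob.length - sizeof(size_t);
  size_t indexOffset;
  std::memcpy(&indexOffset, aBlob.data + payload, sizeof(size_t));
  if (indexOffset > payload) {
    return RenderStatus::Malformed;  // index would start past the payload
  }
  // Commands occupy [0, indexOffset); the index occupies [indexOffset, payload).
  *aCommandBytes = indexOffset;
  return RenderStatus::Rendered;
}

// Builds a constructed blob in the assumed layout. aDeclaredOffset lets a
// caller write a trailer that disagrees with the real command length.
std::vector<uint8_t> MakeBlob(size_t aCommandBytes, size_t aIndexBytes,
                              size_t aDeclaredOffset) {
  std::vector<uint8_t> out(aCommandBytes + aIndexBytes, 0xAB);
  uint8_t trailer[sizeof(size_t)];
  std::memcpy(trailer, &aDeclaredOffset, sizeof(size_t));
  out.insert(out.end(), trailer, trailer + sizeof(size_t));
  return out;
}

Blob View(const std::vector<uint8_t>& aBytes) {
  return Blob{aBytes.data(), aBytes.size()};
}

RenderStatus StatusOf(const std::vector<uint8_t>& aBytes) {
  size_t unused = 0;
  return RenderBlob(View(aBytes), &unused);
}

size_t CommandBytesOf(const std::vector<uint8_t>& aBytes) {
  size_t n = 0;
  RenderBlob(View(aBytes), &n);
  return n;
}

int main() {
  const char* names[] = {"Empty", "Rendered", "Malformed"};
  std::vector<std::vector<uint8_t>> samples = {
      {},                    // zero-length blob
      MakeBlob(0, 0, 0),     // trailer only
      MakeBlob(16, 8, 16),   // well-formed
      MakeBlob(4, 4, 100),   // trailer points past the payload
  };
  for (const auto& s : samples) {
    std::printf("len=%zu -> %s, command bytes=%zu\n", s.size(),
                names[static_cast<int>(StatusOf(s))], CommandBytesOf(s));
  }
  return 0;
}
```

The point of the hardened version is that the same inputs which would have fired the release assert (length 0 and length == sizeof(size_t)) now take the Empty path, while a genuinely inconsistent trailer is still refused rather than used as a read offset.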

Updated

9 months ago
Blocks: 1330487

Comment 10

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1c34d1145c5e
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64