Closed Bug 1493616 Opened 6 years ago Closed 6 years ago

blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange

Categories

(Core :: Graphics: WebRender, defect, P1)

Product:
Core
Component:
Graphics: WebRender
Version:
64 Branch
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
geckoview62 --- unaffected
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- verified

People

(Reporter: calixte, Assigned: jrmuizel)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Bug 1493616. Clear mInvalid more agressively so that we don't reuse it across paints
46 bytes, text/x-phabricator-request
Details | Review
Bug 1493616. Make sure we invalidate the entire area of the item
46 bytes, text/x-phabricator-request
Details | Review
This bug was filed from the Socorro interface and is report bp-a1e2e77f-a0f7-4b0b-9bb1-6ad320180920. ============================================================= Top 10 frames of crashing thread: 0 xul.dll void mozilla::layers::DIGroup::PaintItemRange gfx/layers/wr/WebRenderCommandBuilder.cpp:763 1 xul.dll void mozilla::layers::DIGroup::EndGroup gfx/layers/wr/WebRenderCommandBuilder.cpp:674 2 xul.dll void mozilla::layers::Grouper::ConstructGroups gfx/layers/wr/WebRenderCommandBuilder.cpp:1020 3 xul.dll void mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1224 4 xul.dll nsDisplaySVGWrapper::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:10352 5 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412 6 xul.dll nsDisplayTransform::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:8771 7 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412 8 xul.dll void mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands gfx/layers/wr/WebRenderCommandBuilder.cpp:1277 9 xul.dll mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer gfx/layers/wr/WebRenderLayerManager.cpp:291 ============================================================= There are 60 crashes (from 52 installations) in nightly 64 starting with buildid 20180920100522. :darkspirit, could you investigate please ?
Flags: needinfo?(jan)
> MOZ_RELEASE_ASSERT(!data->mInvalid) Changes between 20180919220108 and 20180920100522: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9812141ec782&tochange=08592337ced1
Blocks: wr-stability, stage-wr-trains
URL: 1477448
Flags: needinfo?(jan)
Priority: -- → P2
Summary: Crash in mozilla::layers::DIGroup::PaintItemRange → blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange
URL: 1477448
See Also: → 1477448
Changes between 2018-09-18 and 2018-09-22: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=85b4d2bf888afa32b67638602a3338d0a6935ff9&tochange=221c18ebe962f68358b4cba927df9099ea935b40 Ctrl+F Jeff Muizelaar. Suspicious sounding titles: 20180922100157 Bug 1491590. Make sure that the paint rect is set to the bounds. r=mstange 20180919123806 Bug 1491395. Replace BorderWidths with LayoutSideOffsets.
Bug 1447880 is the more likely cause.
Priority: P2 → P3
Priority: P3 → P2
Could you use your superpowers and look if some crash reports contain an URL?
"it's mainly pornhub" We'll need to find STR on: https://www.pornhub.com/view_video.php?viewkey=323852368 https://www.fanatical.com/en/bundle
Priority: P2 → P1
Bug 1396642 caused a behavior change in WR bug 1494934. > dc6c04a63309 Robert Longson — Bug 1396642 - support smaller viewBox coordinates at the expense of larger ones r=dholbert It lies within the possible regression range.
Assignee: nobody → jmuizelaar
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c97cf45fc0e4 Add some logging to help debug this crash.
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/742336dae392 Fix up logging to only trigger appropriately.
https://hg.mozilla.org/mozilla-central/rev/c97cf45fc0e4 https://hg.mozilla.org/mozilla-central/rev/742336dae392
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
status-firefox64: fixedaffected
Target Milestone: mozilla64 → ---
status-geckoview62: --- → unaffected
OS: Windows 10 → All
The crashing item seems to be a nsDisplayTransform
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/a91bad559883 blob-inval: Log whether we have a 3d transform
Keywords: leave-open
Depends on: 1496188
https://multimedia.scmp.com/news/world/article/2165980/flight-paths/index.html is a crashing URL and it seems most likely to be reproducible of the ones I've seen. Note: this may have been fixed by bug 1496188 so builds after 20181004100222 may not reproduce anymore.
That search might get time zone confused. Here's an actual crash: https://crash-stats.mozilla.com/report/index/43d89dad-7869-4428-a751-332540181004
So looking at the call stack we see nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(nsDisplayListBuilder*, gfxContext*, std::function<void > const&) so bug 1496188 exposed this.
Blocks: 1447880
QA Contact: mreavy
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f936a4baa698 Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Forgot to update the patch. Sorry.
Flags: needinfo?(jmuizelaar)
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/497bb152e567 Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ce95adbcf2e4 Add some data gathering to try to figure out the crash.
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b3158d143d83 blob-inval: Log the some more data about the broken situation.
It looks like this is probably a rounding or off by one issue: "CGC--0-0-281-31,0-0-280-31-ib"
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6a8e29086733 Make sure we invalidate the entire area of the item r=mstange
Jeff -- I believe it's now safe to mark this resolved. Just needinfo'ing you for a sanity-check.
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Flags: needinfo?(jmuizelaar)
Keywords: leave-open
Resolution: --- → FIXED
Yes. Probably. We should double check that the crashes go away, but they should.
Flags: needinfo?(jmuizelaar)
No crashes on Nightly since this landed.
Status: RESOLVED → VERIFIED
status-firefox64: affectedverified
Target Milestone: --- → mozilla64
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: