Closed Bug 1493616 Opened Last year Closed Last year

blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange

Categories

(Core :: Graphics: WebRender, defect, P1, critical)

64 Branch
Unspecified
All
defect

Tracking

VERIFIED FIXED
mozilla64
Tracking Status
geckoview62 --- unaffected
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- verified

People

(Reporter: calixte, Assigned: jrmuizel)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression)

Attachments

(2 files)

This bug was filed from the Socorro interface and is
report bp-a1e2e77f-a0f7-4b0b-9bb1-6ad320180920.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll void mozilla::layers::DIGroup::PaintItemRange gfx/layers/wr/WebRenderCommandBuilder.cpp:763
1 xul.dll void mozilla::layers::DIGroup::EndGroup gfx/layers/wr/WebRenderCommandBuilder.cpp:674
2 xul.dll void mozilla::layers::Grouper::ConstructGroups gfx/layers/wr/WebRenderCommandBuilder.cpp:1020
3 xul.dll void mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1224
4 xul.dll nsDisplaySVGWrapper::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:10352
5 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
6 xul.dll nsDisplayTransform::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:8771
7 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
8 xul.dll void mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands gfx/layers/wr/WebRenderCommandBuilder.cpp:1277
9 xul.dll mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer gfx/layers/wr/WebRenderLayerManager.cpp:291

=============================================================

There are 60 crashes (from 52 installations) in nightly 64 starting with buildid 20180920100522.
:darkspirit, could you investigate please?
Flags: needinfo?(jan)
> MOZ_RELEASE_ASSERT(!data->mInvalid)

Changes between 20180919220108 and 20180920100522:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9812141ec782&tochange=08592337ced1
URL: 1477448
Flags: needinfo?(jan)
Priority: -- → P2
Summary: Crash in mozilla::layers::DIGroup::PaintItemRange → blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange
Changes between 2018-09-18 and 2018-09-22:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=85b4d2bf888afa32b67638602a3338d0a6935ff9&tochange=221c18ebe962f68358b4cba927df9099ea935b40

Ctrl+F Jeff Muizelaar. Suspicious sounding titles:
20180922100157 Bug 1491590. Make sure that the paint rect is set to the bounds. r=mstange
20180919123806 Bug 1491395. Replace BorderWidths with LayoutSideOffsets.
Bug 1447880 is the more likely cause.
Priority: P2 → P3
Priority: P3 → P2
Could you use your superpowers and look if some crash reports contain a URL?
Bug 1396642 caused a behavior change in WR bug 1494934.
> dc6c04a63309	Robert Longson — Bug 1396642 - support smaller viewBox coordinates at the expense of larger ones r=dholbert
It lies within the possible regression range.
Assignee: nobody → jmuizelaar
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/742336dae392
Fix up logging to only trigger appropriately.
https://hg.mozilla.org/mozilla-central/rev/c97cf45fc0e4
https://hg.mozilla.org/mozilla-central/rev/742336dae392
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla64 → ---
OS: Windows 10 → All
The crashing item seems to be an nsDisplayTransform.
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a91bad559883
blob-inval: Log whether we have a 3d transform
Depends on: 1496188
https://multimedia.scmp.com/news/world/article/2165980/flight-paths/index.html is a crashing URL and it seems most likely to be reproducible of the ones I've seen. 

Note: this may have been fixed by bug 1496188 so builds after 20181004100222 may not reproduce anymore.
That search might get time zone confused. Here's an actual crash: https://crash-stats.mozilla.com/report/index/43d89dad-7869-4428-a751-332540181004
So looking at the call stack we see nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(nsDisplayListBuilder*, gfxContext*, std::function<void > const&) so bug 1496188 exposed this.
Blocks: 1447880
QA Contact: mreavy
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f936a4baa698
Clear mInvalid more aggressively so that we don't reuse it across paints r=mstange
Forgot to update the patch. Sorry.
Flags: needinfo?(jmuizelaar)
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/497bb152e567
Clear mInvalid more aggressively so that we don't reuse it across paints r=mstange
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce95adbcf2e4
Add some data gathering to try to figure out the crash.
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b3158d143d83
blob-inval: Log some more data about the broken situation.
It looks like this is probably a rounding or off by one issue: "CGC--0-0-281-31,0-0-280-31-ib"
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6a8e29086733
Make sure we invalidate the entire area of the item r=mstange
Jeff -- I believe it's now safe to mark this resolved.  Just needinfo'ing you for a sanity-check.
Status: REOPENED → RESOLVED
Closed: Last year
Flags: needinfo?(jmuizelaar)
Keywords: leave-open
Resolution: --- → FIXED
Yes. Probably. We should double check that the crashes go away, but they should.
Flags: needinfo?(jmuizelaar)
No crashes on Nightly since this landed.
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla64