Closed
Bug 1493616
Opened 6 years ago
Closed 6 years ago
blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange
Categories
(Core :: Graphics: WebRender, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla64
Tracking | Status | |
---|---|---|
geckoview62 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | verified |
People
(Reporter: calixte, Assigned: jrmuizel)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
This bug was filed from the Socorro interface and is
report bp-a1e2e77f-a0f7-4b0b-9bb1-6ad320180920.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll void mozilla::layers::DIGroup::PaintItemRange gfx/layers/wr/WebRenderCommandBuilder.cpp:763
1 xul.dll void mozilla::layers::DIGroup::EndGroup gfx/layers/wr/WebRenderCommandBuilder.cpp:674
2 xul.dll void mozilla::layers::Grouper::ConstructGroups gfx/layers/wr/WebRenderCommandBuilder.cpp:1020
3 xul.dll void mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1224
4 xul.dll nsDisplaySVGWrapper::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:10352
5 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
6 xul.dll nsDisplayTransform::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:8771
7 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
8 xul.dll void mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands gfx/layers/wr/WebRenderCommandBuilder.cpp:1277
9 xul.dll mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer gfx/layers/wr/WebRenderLayerManager.cpp:291
=============================================================
There are 60 crashes (from 52 installations) in nightly 64 starting with buildid 20180920100522.
:darkspirit, could you investigate please ?
Flags: needinfo?(jan)
Comment 1•6 years ago
|
||
> MOZ_RELEASE_ASSERT(!data->mInvalid)
Changes between 20180919220108 and 20180920100522:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9812141ec782&tochange=08592337ced1
Blocks: wr-stability, stage-wr-trains
URL: 1477448
Flags: needinfo?(jan)
Priority: -- → P2
Summary: Crash in mozilla::layers::DIGroup::PaintItemRange → blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange
Updated•6 years ago
|
Comment 2•6 years ago
|
||
Changes between 2018-09-18 and 2018-09-22:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=85b4d2bf888afa32b67638602a3338d0a6935ff9&tochange=221c18ebe962f68358b4cba927df9099ea935b40
Ctrl+F Jeff Muizelaar. Suspicious sounding titles:
20180922100157 Bug 1491590. Make sure that the paint rect is set to the bounds. r=mstange
20180919123806 Bug 1491395. Replace BorderWidths with LayoutSideOffsets.
Assignee | ||
Comment 3•6 years ago
|
||
Bug 1447880 is the more likely cause.
Updated•6 years ago
|
Priority: P2 → P3
Updated•6 years ago
|
Priority: P3 → P2
Comment 4•6 years ago
|
||
Could you use your superpowers and look if some crash reports contain an URL?
Comment 5•6 years ago
|
||
"it's mainly pornhub"
We'll need to find STR on:
https://www.pornhub.com/view_video.php?viewkey=323852368
https://www.fanatical.com/en/bundle
Priority: P2 → P1
Comment 6•6 years ago
|
||
Bug 1396642 caused a behavior change in WR bug 1494934.
> dc6c04a63309 Robert Longson — Bug 1396642 - support smaller viewBox coordinates at the expense of larger ones r=dholbert
It lies within the possible regression range.
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → jmuizelaar
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c97cf45fc0e4
Add some logging to help debug this crash.
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/742336dae392
Fix up logging to only trigger appropriately.
Comment 9•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c97cf45fc0e4
https://hg.mozilla.org/mozilla-central/rev/742336dae392
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated•6 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•6 years ago
|
Target Milestone: mozilla64 → ---
Updated•6 years ago
|
status-geckoview62:
--- → unaffected
OS: Windows 10 → All
Assignee | ||
Comment 10•6 years ago
|
||
The crashing item seems to be a nsDisplayTransform
Comment 11•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a91bad559883
blob-inval: Log whether we have a 3d transform
Updated•6 years ago
|
Keywords: leave-open
Comment 12•6 years ago
|
||
bugherder |
Assignee | ||
Comment 13•6 years ago
|
||
https://multimedia.scmp.com/news/world/article/2165980/flight-paths/index.html is a crashing URL and it seems most likely to be reproducible of the ones I've seen.
Note: this may have been fixed by bug 1496188 so builds after 20181004100222 may not reproduce anymore.
Comment hidden (obsolete) |
Assignee | ||
Comment 15•6 years ago
|
||
QA Contact: mreavy
Assignee | ||
Comment 16•6 years ago
|
||
That search might get time zone confused. Here's an actual crash: https://crash-stats.mozilla.com/report/index/43d89dad-7869-4428-a751-332540181004
Assignee | ||
Comment 17•6 years ago
|
||
So looking at the call stack we see nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(nsDisplayListBuilder*, gfxContext*, std::function<void > const&) so bug 1496188 exposed this.
Blocks: 1447880
Updated•6 years ago
|
QA Contact: mreavy
Assignee | ||
Comment 18•6 years ago
|
||
Trying out a possible theory: https://treeherder.mozilla.org/#/jobs?repo=try&revision=356994d14b8827cef8fbdbb84c1fdd50cfa42c01
Assignee | ||
Comment 19•6 years ago
|
||
Assignee | ||
Comment 20•6 years ago
|
||
And a try for that change: https://treeherder.mozilla.org/#/jobs?repo=try&revision=0dbc9d2b5c360e9cf33d1f316a735502d05e9b71
Assignee | ||
Comment 21•6 years ago
|
||
Comment 22•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f936a4baa698
Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Comment 23•6 years ago
|
||
Backed out changeset f936a4baa698 (bug 1493616) for build bustages WebRenderCommandBuilder.cpp
push that caused the backout: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed,busted,exception,retry,usercancel,runnable&selectedJob=203786255&revision=f936a4baa698ac02c3ae215f61dee51c595cb37b
failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&fromchange=b26a70a0fe8f22ee4a5118c7c563ab98a115e692&selectedJob=203786257&searchStr=linux%2Cx64%2Cdebug%2Cbuild-linux64%2Fdebug%2C%28b%29
backout: https://hg.mozilla.org/integration/autoland/rev/d4cd818673005e926f505b82eccb89b0b46045f7
Flags: needinfo?(jmuizelaar)
Comment 25•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/497bb152e567
Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Comment 26•6 years ago
|
||
bugherder |
Assignee | ||
Comment 27•6 years ago
|
||
Comment 28•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce95adbcf2e4
Add some data gathering to try to figure out the crash.
Comment 29•6 years ago
|
||
bugherder |
Comment 30•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b3158d143d83
blob-inval: Log the some more data about the broken situation.
Comment 31•6 years ago
|
||
bugherder |
Assignee | ||
Comment 32•6 years ago
|
||
It looks like this is probably a rounding or off by one issue: "CGC--0-0-281-31,0-0-280-31-ib"
Assignee | ||
Comment 33•6 years ago
|
||
Comment 34•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6a8e29086733
Make sure we invalidate the entire area of the item r=mstange
Comment 35•6 years ago
|
||
bugherder |
Comment 36•6 years ago
|
||
Jeff -- I believe it's now safe to mark this resolved. Just needinfo'ing you for a sanity-check.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Flags: needinfo?(jmuizelaar)
Keywords: leave-open
Resolution: --- → FIXED
Assignee | ||
Comment 37•6 years ago
|
||
Yes. Probably. We should double check that the crashes go away, but they should.
Flags: needinfo?(jmuizelaar)
Comment 38•6 years ago
|
||
No crashes on Nightly since this landed.
You need to log in
before you can comment on or make changes to this bug.
Description
•