Closed Bug 1493616 Opened Last year Closed Last year

blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange


(Core :: Graphics: WebRender, defect, P1, critical)

64 Branch



Tracking Status
geckoview62 --- unaffected
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- verified


(Reporter: calixte, Assigned: jrmuizel)


(Blocks 2 open bugs)


(Keywords: crash, regression)

Crash Data


(2 files)

This bug was filed from the Socorro interface and is
report bp-a1e2e77f-a0f7-4b0b-9bb1-6ad320180920.

Top 10 frames of crashing thread:

0 xul.dll void mozilla::layers::DIGroup::PaintItemRange gfx/layers/wr/WebRenderCommandBuilder.cpp:763
1 xul.dll void mozilla::layers::DIGroup::EndGroup gfx/layers/wr/WebRenderCommandBuilder.cpp:674
2 xul.dll void mozilla::layers::Grouper::ConstructGroups gfx/layers/wr/WebRenderCommandBuilder.cpp:1020
3 xul.dll void mozilla::layers::WebRenderCommandBuilder::DoGroupingForDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1224
4 xul.dll nsDisplaySVGWrapper::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:10352
5 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
6 xul.dll nsDisplayTransform::CreateWebRenderCommands layout/painting/nsDisplayList.cpp:8771
7 xul.dll mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList gfx/layers/wr/WebRenderCommandBuilder.cpp:1412
8 xul.dll void mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands gfx/layers/wr/WebRenderCommandBuilder.cpp:1277
9 xul.dll mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer gfx/layers/wr/WebRenderLayerManager.cpp:291


There are 60 crashes (from 52 installations) in nightly 64 starting with buildid 20180920100522.
:darkspirit, could you investigate please ?
Flags: needinfo?(jan)
> MOZ_RELEASE_ASSERT(!data->mInvalid)

Changes between 20180919220108 and 20180920100522:
URL: 1477448
Flags: needinfo?(jan)
Priority: -- → P2
Summary: Crash in mozilla::layers::DIGroup::PaintItemRange → blob invalidation: Crash in mozilla::layers::DIGroup::PaintItemRange
Changes between 2018-09-18 and 2018-09-22:

Ctrl+F Jeff Muizelaar. Suspicious sounding titles:
20180922100157 Bug 1491590. Make sure that the paint rect is set to the bounds. r=mstange
20180919123806 Bug 1491395. Replace BorderWidths with LayoutSideOffsets.
Bug 1447880 is the more likely cause.
Priority: P2 → P3
Priority: P3 → P2
Could you use your superpowers and look if some crash reports contain an URL?
Bug 1396642 caused a behavior change in WR bug 1494934.
> dc6c04a63309	Robert Longson — Bug 1396642 - support smaller viewBox coordinates at the expense of larger ones r=dholbert
It lies within the possible regression range.
Assignee: nobody → jmuizelaar
Pushed by
Fix up logging to only trigger appropriately.
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Resolution: FIXED → ---
Target Milestone: mozilla64 → ---
OS: Windows 10 → All
The crashing item seems to be a nsDisplayTransform
Pushed by
blob-inval: Log whether we have a 3d transform
Depends on: 1496188 is a crashing URL and it seems most likely to be reproducible of the ones I've seen. 

Note: this may have been fixed by bug 1496188 so builds after 20181004100222 may not reproduce anymore.
That search might get time zone confused. Here's an actual crash:
So looking at the call stack we see nsDisplayMasksAndClipPaths::PaintWithContentsPaintCallback(nsDisplayListBuilder*, gfxContext*, std::function<void > const&) so bug 1496188 exposed this.
Blocks: 1447880
QA Contact: mreavy
Pushed by
Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Forgot to update the patch. Sorry.
Flags: needinfo?(jmuizelaar)
Pushed by
Clear mInvalid more agressively so that we don't reuse it across paints r=mstange
Pushed by
Add some data gathering to try to figure out the crash.
Pushed by
blob-inval: Log the some more data about the broken situation.
It looks like this is probably a rounding or off by one issue: "CGC--0-0-281-31,0-0-280-31-ib"
Pushed by
Make sure we invalidate the entire area of the item r=mstange
Jeff -- I believe it's now safe to mark this resolved.  Just needinfo'ing you for a sanity-check.
Closed: Last yearLast year
Flags: needinfo?(jmuizelaar)
Keywords: leave-open
Resolution: --- → FIXED
Yes. Probably. We should double check that the crashes go away, but they should.
Flags: needinfo?(jmuizelaar)
No crashes on Nightly since this landed.
Target Milestone: --- → mozilla64
You need to log in before you can comment on or make changes to this bug.