Closed
Bug 1496843
Opened 6 years ago
Closed 6 years ago
Crash in <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update
Categories
(Core :: Graphics: WebRender, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla65
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | disabled |
firefox64 | --- | disabled |
firefox65 | --- | fixed |
People
(Reporter: mccr8, Assigned: jrmuizel)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(2 files, 2 obsolete files)
This bug was filed from the Socorro interface and is
report bp-c3cea662-176a-441e-876d-f12cb0181005.
=============================================================
Top 10 frames of crashing thread:
0 libmozglue.dylib mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:35
1 libmozglue.dylib abort memory/mozalloc/mozalloc_abort.cpp:82
2 XUL panic_abort::__rust_start_panic::abort src/libpanic_abort/lib.rs:61
3 XUL __rust_start_panic src/libpanic_abort/lib.rs:56
4 XUL std::panicking::rust_panic_with_hook src/libstd/panicking.rs:523
5 XUL std::panicking::begin_panic src/libstd/panicking.rs:409
6 XUL <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update gfx/webrender_bindings/src/moz2d_renderer.rs:329
7 XUL webrender::resource_cache::ResourceCache::pre_scene_building_update gfx/webrender/src/resource_cache.rs:827
8 XUL webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:941
9 XUL webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:685
=============================================================
moz crash reason is:
assertion failed: old_reader.cache.is_empty()
Another crash signature with this crash reason is: webrender_bindings::moz2d_renderer::{{impl}}::update
An example of that signature is: bp-202d2e0c-acfb-40c2-af25-20c350181001
Not a high volume of crashes. I only see 15 in the last few weeks with this crash reason.
Reporter | ||
Comment 1•6 years ago
|
||
Bug 1460441 was the same assertion failure but with a different signature.
Updated•6 years ago
|
Blocks: wr-stability, stage-wr-trains
status-firefox64:
--- → affected
OS: Mac OS X → All
Priority: -- → P4
Comment 2•6 years ago
|
||
This has become very frequent today on the latest macOS for me:
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-6c67cefd-e95c-4f93-ab54-941ab0181107
Closing a tab seems to be the most sure fire way to cause it and twice the tab that was about to be displayed was the slide deck from the Wednesday cross-functional meeting, in case it's useful.
Reporter | ||
Comment 3•6 years ago
|
||
The first two of those crashes have a different assertion:
assertion failed: old.bounds.contained_by(&dirty_rect)
Comment 4•6 years ago
|
||
I can reliably reproduce this by mousing over the counties on the map at https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/
My crash reports are
https://crash-stats.mozilla.com/report/index/a19a5067-5cb0-41be-a2a1-da8da0181107
https://crash-stats.mozilla.com/report/index/cd434cf5-8389-4e70-bee8-ba0150181107
Assignee | ||
Comment 5•6 years ago
|
||
This page seems to cause the "assertion failed: old_reader.cache.is_empty()"
https://abcnews.go.com/Politics/fullpage/midterm-election-map-2018-live-results-58723598
Assignee | ||
Updated•6 years ago
|
Priority: P4 → P2
Comment 6•6 years ago
|
||
CCing Joe, who hit this on an internal google slide deck.
Updated•6 years ago
|
Assignee: nobody → a.beingessner
Reporter | ||
Comment 7•6 years ago
|
||
top non-hang crash on the Nov 7 OSX Nightly, with 13 crashes
Reporter | ||
Comment 8•6 years ago
|
||
One of the comments says "Mousing over counties at https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/ ". I couldn't repro, FWIW.
I have had this crash occur while selecting text, while doing nothing but staring at my Gmail index, and by loading drive.google.com in a fresh tab.
Note that my hardware isn't shown properly by Socorro — Graphics Adapter 0x8086 0x5927 is Apple's custom Intel Iris Pro 560 chip (iMac 2017 21.5" Retina) and I believe all 4 crashes listed for that chip are me:
https://crash-stats.mozilla.com/signature/?product=Firefox&signature=%3Cwebrender_bindings%3A%3Amoz2d_renderer%3A%3AMoz2dBlobImageHandler%20as%20webrender_api%3A%3Aimage%3A%3ABlobImageHandler%3E%3A%3Aupdate&date=%3E%3D2018-11-01T16%3A29%3A34.000Z&date=%3C2018-11-08T15%3A29%3A34.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#summary
Comment 10•6 years ago
|
||
I get this consistently by navigating to https://store.google.com/product/google_home_mini_specs (from https://store.google.com/product/google_home_mini).
Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)
Comment 11•6 years ago
|
||
(In reply to Jan Alexander Steffens [:heftig] from comment #10)
> I get this consistently by navigating to
> https://store.google.com/product/google_home_mini_specs (from
> https://store.google.com/product/google_home_mini).
>
> Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)
can confirm crash on loading https://store.google.com/product/google_home_mini_specs with WR on Win10
https://crash-stats.mozilla.com/report/index/7408880f-d260-4e90-a720-4a99f0181109 (though the signature is different)
Comment 12•6 years ago
|
||
This doesn't seem to show up on beta for some reason.
status-firefox65:
--- → affected
Comment 13•6 years ago
|
||
Huh. I can still repro on https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/ with latest nightly. Crash report from today is https://crash-stats.mozilla.com/report/index/c8071109-2a72-4ce3-818f-216ba0181109 . This is OS X 10.13.6 on a 15-inch 2017 Macbook Pro.
Comment 14•6 years ago
|
||
the crash in comment 13 is also "assertion failed: old.bounds.contained_by(&dirty_rect)"
Comment 15•6 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #12)
> This doesn't seem to show up on beta for some reason.
Probably because WR on beta is restricted to Windows, and these crashes seem to be on macOS/Linux. It's possible the Windows ones are under a different signature and bug somewhere else.
Comment 16•6 years ago
|
||
Spent the day debugging this, the issue is that when computing the dirty rect we intersect the old bounds of a changed item with mImageRect. This makes the bounds of that old item not-contained in the dirty rect, which during blob merging causes us to get confused, because deleted items are supposed to be contained inside the dirty rect.
log with `xxxx-` markers for relevant sections:
https://gist.github.com/Gankro/07d6c49be973fd69629ef9da8eeb7b26
Comment 17•6 years ago
|
||
This has likely gotten worse because Bug 1456555 introduce more aggressive shrinking of mImageRect.
Assignee | ||
Comment 18•6 years ago
|
||
It looks like the problem here is caused by us not updating BlobItemData when the mImageRect change happens.
Assignee | ||
Comment 19•6 years ago
|
||
Here's an untested patch which I think should fix the problem.
Assignee | ||
Comment 20•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Attachment #9024209 -
Attachment is obsolete: true
Assignee | ||
Comment 21•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Assignee: a.beingessner → jmuizelaar
Assignee | ||
Comment 22•6 years ago
|
||
Assignee | ||
Comment 23•6 years ago
|
||
The relationship between this test case and the patch is left as an exercise for the reader.
Attachment #9024247 -
Attachment is obsolete: true
Comment 24•6 years ago
|
||
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/244e82052be1
Make sure we update mRect when mImageBounds changes. r=mattwoodrow
Comment 25•6 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•6 years ago
|
status-firefox63:
--- → disabled
status-firefox-esr60:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•