Closed Bug 1516011 Opened 5 years ago Closed 5 years ago

Google Slides: Crash in wr_moz2d_render_cb (ExternalSourceSurfaceCreation PLAY failure)

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- fixed

People

(Reporter: past, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Bug 1516011 - Part 1. Ensure wrapped shared surfaces are retained for blob rasterization.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1516011 - Part 2. Deny recycling for frames used in blob recordings.
47 bytes, text/x-phabricator-request
Details | Review 
This bug was filed from the Socorro interface and is
report bp-200a75db-d14f-4eb6-80a2-8fe600181221.
=============================================================

Top 10 frames of crashing thread:

0 XUL wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:435
1 XUL webrender_bindings::moz2d_renderer::rasterize_blob gfx/webrender_bindings/src/moz2d_renderer.rs:524
2 XUL <webrender_bindings::moz2d_renderer::Moz2dBlobRasterizer as webrender_api::image::AsyncBlobImageRasterizer>::rasterize libcore/ops/function.rs:156
3 XUL webrender::scene_builder::Transaction::rasterize_blobs gfx/wr/webrender/src/scene_builder.rs:96
4 XUL std::sys_common::backtrace::__rust_begin_short_backtrace gfx/wr/webrender/src/scene_builder.rs:779
5 XUL <F as alloc::boxed::FnBox<A>>::call_box libstd/thread/mod.rs:409
6 XUL std::sys::unix::thread::Thread::new::thread_start src/liballoc/boxed.rs:682
7 libsystem_pthread.dylib libsystem_pthread.dylib@0x3304 
8 libsystem_pthread.dylib libsystem_pthread.dylib@0x626e 
9 libsystem_pthread.dylib libsystem_pthread.dylib@0x2414 

=============================================================

Other similar crashes:
bp-6a18798d-aa31-414e-8697-0c54c0181219
bp-041299dc-349e-4998-9dd4-338c90181212
> MOZ_RELEASE_ASSERT(false)
Blocks: wr-stability, stage-wr-trains
Crash Signature: [@ wr_moz2d_render_cb] → [@ wr_moz2d_render_cb] [@ mozilla::wr::Moz2DRenderCallback ]
status-firefox66: --- → affected
OS: Mac OS X → All
Priority: -- → P3
> GraphicsCriticalError 	|[0][GFX1-]: Replay failure: ExternalSourceSurfaceCreation PLAY (t=14976.7)

Because of the other signature with the same GraphicsCriticalError.
bp-5a6a5539-b81f-4eb0-91ee-c99990190103
bp-c1c008f2-1477-4b53-aecf-bdc2e0190103

Flags: needinfo?(jan)

Thanks. It looks like this happens quite a bit on Google slides.

Summary: Crash in wr_moz2d_render_cb → Google Slides: Crash in wr_moz2d_render_cb
Summary: Google Slides: Crash in wr_moz2d_render_cb → Google Slides: Crash in wr_moz2d_render_cb (ExternalSourceSurfaceCreation PLAY failure)

I'm assigning to Andrew as this is his code. I expect this will be difficult to debug without a STR

Assignee: nobody → aosmond

It is hard to filter the signatures on the gfx logs, but I suspect recycling caused this. Animated image inside a blob might have some extra edge cases.

I can reproduce on giphy.com in a local build by forcing images to go through fallback. I need to scroll around a lot to trigger though.

So if I fix this check:

https://searchfox.org/mozilla-central/rev/76fe4bb385348d3f45bbebcf69ba8c7283dfcec7/gfx/layers/wr/WebRenderCommandBuilder.cpp#186

to take into account recycled surfaces, it appears to fix the crashes. I'm a little worried about some state inconsistencies though, because recycling adds new races where the blob image might display the wrong data...

References to shared surfaces are already kept alive for the blob in the
content process, and it also ensures an image key is created to ensure
any release of the surface is delayed until the next epoch. Wrapped
shared surfaces (when used in an animation which is recycling its
surfaces) did not get an image key created which this patch corrects.
Given the crash resolved in part 1, it is possible for the blob
rasterizer in the compositor process to still be using surfaces after
the animation has advanced to the next frame. With recycling this can be
problematic as the recycled surface will be reused for a future frame.
In an ideal world, the blob recording would use the animation's image
key instead, but the rasterizer doesn't have easy access to the mapping
table. As such, for any frames used in a blob recording, we now
explicitly mark them as non-recyclable and we will be forced to allocate
a new frame instead.

Depends on D16191
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c74c81fe8dcb
Part 1. Ensure wrapped shared surfaces are retained for blob rasterization. r=jrmuizel
https://hg.mozilla.org/integration/mozilla-inbound/rev/3c5fcd8a2f4a
Part 2. Deny recycling for frames used in blob recordings. r=tnikkel
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ed5d7408250
Part 1. Ensure wrapped shared surfaces are retained for blob rasterization. r=jrmuizel
https://hg.mozilla.org/integration/mozilla-inbound/rev/c5f982e02892
Part 2. Deny recycling for frames used in blob recordings. r=tnikkel

https://hg.mozilla.org/mozilla-central/rev/7ed5d7408250
https://hg.mozilla.org/mozilla-central/rev/c5f982e02892

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

I see https://crash-stats.mozilla.com/report/index/9f210bca-5925-4eb8-8e08-8fdd50190115#tab-details which includes my fix. I am now puzzled as to the root cause.

See Also: → 1524280
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: