Crash in mozilla::layers::APZCTreeManager::NotifyScrollbarDragInitiated

RESOLVED FIXED in Firefox 66



2 months ago
a month ago


(Reporter: philipp, Assigned: kats)


({crash, regression})

65 Branch

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 fixed, firefox67 fixed)




(1 attachment)



2 months ago

This bug is for crash report bp-3fb2d8d6-6d4f-46a3-aab9-acb1f0190205.

Top 10 frames of crashing thread:

0 xul.dll void mozilla::layers::APZCTreeManager::NotifyScrollbarDragInitiated gfx/layers/apz/src/APZCTreeManager.cpp:812
1 xul.dll void mozilla::layers::APZCTreeManager::SetupScrollbarDrag gfx/layers/apz/src/APZCTreeManager.cpp:1874
2 xul.dll mozilla::layers::APZCTreeManager::ReceiveInputEvent gfx/layers/apz/src/APZCTreeManager.cpp:1253
3 xul.dll mozilla::layers::APZInputBridge::ReceiveInputEvent gfx/layers/apz/src/APZInputBridge.cpp:75
4 xul.dll nsBaseWidget::DispatchInputEvent widget/nsBaseWidget.cpp:1103
5 xul.dll nsWindow::DispatchMouseEvent widget/windows/nsWindow.cpp:4442
6 xul.dll nsWindow::ProcessMessage widget/windows/nsWindow.cpp:5363
7 xul.dll static __int64 nsWindow::WindowProcInternal widget/windows/nsWindow.cpp:4770
8 xul.dll static __int64 nsWindow::WindowProc widget/windows/nsWindow.cpp:4723
9 user32.dll UserCallWinProcCheckWow 

This crash signature is regressing in Firefox 65 - it's occurring in fairly low volume though. Possibly related to bug 1503029?

Kats, do you have cycles to look at this crash?

Flags: needinfo?(kats)

Seems kinda related to bug 1511701 - similar crash in a different function. But this started a short while before that patch landed, so it's not a regression from that. I can take a closer look.

Assignee: nobody → kats
Flags: needinfo?(kats)
See Also: → bug 1511701

So I think what's happening here is that we're trying to use the GeckoContentController on the controller thread (which on Windows with GPU process is the GPU process main thread) but the layers id -> GeckoContentController is generally managed on the compositor thread. So it's possible for races to happen and for GetContentController to find a null controller. That also explains why we're seeing this crash only on Windows.

With bug 1511701 there was an explicit message getting passed to the controller thread and so the same sort of problem could occur with the race happening during the message passing step.

At any rate I don't know if there's much else to do here except guard against the null pointer. If the GeckoContentController is gone then the layers tree must be in the process of being torn down and we can just abandon the attempt at scrollbar dragging.
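
The pattern described in the comment above, as an added example that is not part of the original bug and not Firefox's actual APZ code: a map from layers id to controller that one thread tears down while another looks entries up, with the lookup side guarding against a null result. All names (`ControllerRegistry`, `Lookup`, `StartScrollbarDrag`) and the mutex-protected map are assumptions made for illustration.

```cpp
// Added illustration; every name here is hypothetical, not Firefox's APZ code.
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <utility>

struct Controller {
  int dragsStarted = 0;
  void NotifyDragInitiated() { ++dragsStarted; }
};

// Map from layers id to controller. One thread (the "compositor" role)
// adds and removes entries; another (the "controller" role) only looks up.
class ControllerRegistry {
 public:
  void Register(uint64_t id, std::shared_ptr<Controller> c) {
    std::lock_guard<std::mutex> lock(mMutex);
    mControllers[id] = std::move(c);
  }
  void Unregister(uint64_t id) {  // layer tree teardown
    std::lock_guard<std::mutex> lock(mMutex);
    mControllers.erase(id);
  }
  // Returns a strong reference, or nullptr if the entry is already gone.
  std::shared_ptr<Controller> Lookup(uint64_t id) {
    std::lock_guard<std::mutex> lock(mMutex);
    auto it = mControllers.find(id);
    return it == mControllers.end() ? nullptr : it->second;
  }
 private:
  std::mutex mMutex;
  std::map<uint64_t, std::shared_ptr<Controller>> mControllers;
};

// Runs on the lookup side. Without the null check, a lookup that loses the
// race with Unregister() would dereference nullptr and crash.
bool StartScrollbarDrag(ControllerRegistry& reg, uint64_t layersId) {
  std::shared_ptr<Controller> controller = reg.Lookup(layersId);
  if (!controller) {
    return false;  // tree is being torn down: abandon the drag
  }
  controller->NotifyDragInitiated();
  return true;
}
```

Returning a strong reference from the lookup means a controller that was found stays alive for the duration of the call even if teardown removes the map entry immediately afterwards.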

Comment 5

a month ago
Pushed by
Guard against a null controller. r=botond

Comment 6

a month ago
Last Resolved: a month ago
status-firefox67: ? → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Nightly crash stats are looking good so far. Please nominate it for Beta when you get a chance :)

Flags: needinfo?(kats)

Comment on attachment 9042276 [details]
Bug 1525450 - Guard against a null controller. r?botond

Beta/Release Uplift Approval Request

Feature/Bug causing the regression


User impact if declined

Crashes, probably while attempting to drag scrollbar

Is this code covered by automated tests?


Has the fix been verified in Nightly?


Needs manual test from QE?


If yes, steps to reproduce

No real STR

List of other uplifts needed

1511701 (already uplifted)

Risk to taking this patch


Why is the change risky/not risky? (and alternatives if risky)

Simple null check

String changes made/needed


Flags: needinfo?(kats)
Attachment #9042276 - Flags: approval-mozilla-beta?

Comment on attachment 9042276 [details]
Bug 1525450 - Guard against a null controller. r?botond

Crash fix, looks good in Nightly.
Let's uplift for beta 8.

Attachment #9042276 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 10

a month ago
status-firefox66: affected → fixed
status-firefox65: affected → wontfix