Closed Bug 1569974 Opened 6 months ago Closed 6 months ago

Crash in drawSnapshot with custom DOMRect [@ mozilla::gfx::CrossProcessPaint::Start]

Categories

(Core :: Graphics, defect, P3, critical)

70 Branch
defect

Tracking

()

VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- verified

People

(Reporter: whimboo, Assigned: mattwoodrow)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Attached file Marionette test

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0 ID:20190729095501

Running the attached Marionette test triggers the following crash. Fission doesn't need to be enabled.

$ mach marionette-test %path_to_file%

It looks like a regression from bug 1561395. Ryan, can you please have a look?

Crash details:

Operating system: Mac OS X
                  10.14.5 18F132
CPU: amd64
     family 6 model 142 stepping 10
     8 CPUs

GPU: UNKNOWN

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x0
Process uptime: 4 seconds

Thread 0 (crashed)
 0  XUL!mozilla::gfx::CrossProcessPaint::Start(mozilla::dom::WindowGlobalParent*, mozilla::dom::DOMRect const*, float, unsigned int, mozilla::dom::Promise*) [CrossProcessPaint.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 173 + 0x11]
    rax = 0x000000011987ce38   rdx = 0x00000000ffffffff
    rcx = 0x0000000109f8ce30   rbx = 0x00007ffee5cd8190
    rsi = 0x000000013091c420   rdi = 0x0000000132e57340
    rbp = 0x00007ffee5cd8080   rsp = 0x00007ffee5cd7fe0
     r8 = 0x0000000132600240    r9 = 0x0000000000000000
    r10 = 0x000000012db00ed0   r11 = 0x0000000000000000
    r12 = 0x0000000132e57340   r13 = 0x000000003f800000
    r14 = 0x000000012d48a820   r15 = 0x000000013091c420
    rip = 0x00000001145aef5e
    Found by: given as instruction pointer in context
 1  XUL!mozilla::dom::WindowGlobalParent::DrawSnapshot(mozilla::dom::DOMRect const*, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) [WindowGlobalParent.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 372 + 0x15]
    rbp = 0x00007ffee5cd80d0   rsp = 0x00007ffee5cd8090
    rip = 0x000000011628c0f6
    Found by: previous frame's frame pointer
 2  XUL!mozilla::dom::WindowGlobalParent_Binding::drawSnapshot_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::WindowGlobalParent*, JSJitMethodCallArgs const&) [WindowGlobalActorsBinding.cpp: : 1509 + 0x27c]
    rbp = 0x00007ffee5cd81f0   rsp = 0x00007ffee5cd80e0
    rip = 0x00000001152b5417
    Found by: previous frame's frame pointer
 3  XUL!bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) [BindingUtils.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 3181 + 0x14]
    rbp = 0x00007ffee5cd82b0   rsp = 0x00007ffee5cd8200
    rip = 0x00000001156c1ffa
    Found by: previous frame's frame pointer
 4  XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 540 + 0x165]
    rbp = 0x00007ffee5cd8370   rsp = 0x00007ffee5cd82c0
    rip = 0x0000000117dc18d0
    Found by: previous frame's frame pointer
 5  XUL!js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [Wrapper.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 162 + 0x33]
    rbp = 0x00007ffee5cd8450   rsp = 0x00007ffee5cd8380
    rip = 0x000000011817a34d
    Found by: previous frame's frame pointer
 6  XUL!js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [CrossCompartmentWrapper.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 237 + 0xf]
    rbp = 0x00007ffee5cd84c0   rsp = 0x00007ffee5cd8460
    rip = 0x00000001181639eb
    Found by: previous frame's frame pointer
 7  XUL!js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) [Proxy.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 504 + 0x15]
    rbp = 0x00007ffee5cd8520   rsp = 0x00007ffee5cd84d0
    rip = 0x000000011816f283
    Found by: previous frame's frame pointer
 8  XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 514 + 0xe]
    rbp = 0x00007ffee5cd85e0   rsp = 0x00007ffee5cd8530
    rip = 0x0000000117dc1db1
    Found by: previous frame's frame pointer
 9  XUL!Interpret(JSContext*, js::RunState&) [Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 599 + 0x8]
    rbp = 0x00007ffee5cd8a80   rsp = 0x00007ffee5cd85f0
    rip = 0x0000000117db8e13
    Found by: previous frame's frame pointer
10  XUL!js::RunScript(JSContext*, js::RunState&) [Interpreter.cpp:50df4b75c9b6c7fec8c8c4685fd188634d193e75 : 425 + 0xb]
    rbp = 0x00007ffee5cd8ae0   rsp = 0x00007ffee5cd8a90
    rip = 0x0000000117dabf20
    Found by: previous frame's frame pointer
Flags: needinfo?(rhunt)
Flags: needinfo?(matt.woodrow)
Priority: -- → P3

The marionette test is actually not needed. Just run the following code in the scratch pad under the browser environment:

// Chrome-privileged reproducer: run in the scratch pad with the browser environment selected.
var context = window.gBrowser.selectedTab.linkedBrowser.browsingContext;
var windowGlobal = context.currentWindowGlobal;

// A DOMRect constructed by the caller (the "custom DOMRect" of the bug title), passed to drawSnapshot.
var rect = new window.DOMRect(0, 0, 200, 200);
windowGlobal.drawSnapshot(rect, window.devicePixelRatio, "white").then(s => {
  // Copy the returned snapshot onto a canvas and show it by loading it as a data: URL.
  var canvas = window.document.createElementNS("http://www.w3.org/1999/xhtml", "canvas");
  canvas.width = s.width;
  canvas.height = s.height;
  var ctx = canvas.getContext('2d');
  ctx.drawImage(s, 0, 0);

  window.loadURI(
    canvas.toDataURL("image/png"),
    null,
    null,
    null,
    null,
    null,
    null,
    null,
    Services.scriptSecurityManager.getSystemPrincipal()
  );
});
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(rhunt)
Blocks: 1570147

:mattwoodrow, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(matt.woodrow)

Sorry, I put bug 1561395 into the wrong field.

No longer blocks: 1561395
Flags: needinfo?(matt.woodrow)
Regressed by: 1561395
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f2901a5df92f
Don't try to dereference an empty Maybe when starting CrossProcessPaint with a rect. r=rhunt
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
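The commit message names the crash class: a Maybe that can be empty is dereferenced unconditionally, which shows up as the null read at address 0x0 in the crash report above. The following is an added illustration of that pattern and a checked alternative, written for this page; it is not Gecko's code and does not reproduce the actual patch. It uses std::optional as a stand-in for mozilla::Maybe, and the Rect, IntRect, ToPixel, ToDeviceRectUnchecked and StartPaint names are hypothetical.

```cpp
// Added example, not Gecko code. std::optional stands in for mozilla::Maybe;
// all names below are hypothetical.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <optional>

struct Rect {            // stand-in for a caller-supplied DOM rect (CSS px)
  double x, y, width, height;
};

struct IntRect {         // device-pixel rect the painter would work with
  int32_t x, y, width, height;
};

// Buggy shape, as the commit message describes: the optional is dereferenced
// without checking it. With an empty optional this is undefined behaviour and
// in practice reads through a null pointer. Kept only for contrast.
static IntRect ToDeviceRectUnchecked(const std::optional<Rect>& aRect, float aScale) {
  const Rect& r = *aRect;  // no has_value() check
  return IntRect{static_cast<int32_t>(r.x * aScale),
                 static_cast<int32_t>(r.y * aScale),
                 static_cast<int32_t>(r.width * aScale),
                 static_cast<int32_t>(r.height * aScale)};
}

// Converts one scaled coordinate to a device pixel, refusing NaN, infinities
// and values outside int32 (casting those is itself undefined behaviour).
static std::optional<int32_t> ToPixel(double aValue) {
  if (!std::isfinite(aValue)) return std::nullopt;
  const double lo = INT32_MIN, hi = INT32_MAX;
  if (aValue < lo || aValue > hi) return std::nullopt;
  return static_cast<int32_t>(aValue);  // truncates toward zero
}

// Checked shape: "no rect" and "unusable rect" are explicit outcomes (an empty
// result) rather than a dereference. The caller decides what to do with that;
// this example simply refuses to start the paint.
static std::optional<IntRect> StartPaint(const std::optional<Rect>& aRect, float aScale) {
  if (!aRect.has_value()) return std::nullopt;      // the case that crashed
  if (!(aScale > 0.0f)) return std::nullopt;        // also rejects NaN scale
  auto x = ToPixel(aRect->x * aScale);
  auto y = ToPixel(aRect->y * aScale);
  auto w = ToPixel(aRect->width * aScale);
  auto h = ToPixel(aRect->height * aScale);
  if (!x || !y || !w || !h) return std::nullopt;
  if (*w <= 0 || *h <= 0) return std::nullopt;      // nothing to paint
  return IntRect{*x, *y, *w, *h};
}

int main() {
  // Same rect and scale as the JS reproducer above (200x200 CSS px, DPR 2).
  IntRect ok = ToDeviceRectUnchecked(Rect{0, 0, 200, 200}, 2.0f);
  std::printf("unchecked, valid input: %dx%d\n", ok.width, ok.height);

  auto empty = StartPaint(std::nullopt, 2.0f);
  std::printf("checked, empty optional: %s\n", empty ? "started" : "refused");

  auto bad = StartPaint(Rect{0, 0, 1e300, 10}, 1.0f);
  std::printf("checked, overflowing width: %s\n", bad ? "started" : "refused");
  return 0;
}
```

The design point is that the checked version never forms a reference to the optional's payload before testing has_value(), and it validates the converted geometry in the same place, so a caller-controlled DOMRect with absurd or non-finite values is turned into a clean failure rather than a crash or an out-of-range integer cast.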

Works great. Thanks for fixing it that quickly! Maybe we can add this test as part of the upcoming work on bug 1570147.

Status: RESOLVED → VERIFIED
Flags: in-testsuite?