Crash in [@ mozilla::gfx::VRShMem::JoinShMem]
Categories
(Core :: WebVR, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | --- | fixed |
People
(Reporter: calixte, Assigned: thomasmo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
This bug is for crash report bp-0362e851-cb5f-4995-b725-5659b0190730.
Top 10 frames of crashing thread:
0 xul.dll mozilla::gfx::VRShMem::JoinShMem gfx/vr/VRShMem.cpp:279
1 xul.dll void mozilla::gfx::VRService::ServiceInitialize gfx/vr/service/VRService.cpp:151
2 xul.dll nsresult mozilla::detail::RunnableMethodImpl< xpcom/threads/nsThreadUtils.h:1176
3 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:523
4 xul.dll base::MessagePumpDefault::Run ipc/chromium/src/base/message_pump_default.cc:35
5 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:308
6 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:290
7 xul.dll base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:192
8 xul.dll `anonymous namespace'::ThreadFunc ipc/chromium/src/base/platform_thread_win.cc:19
9 kernel32.dll BaseThreadInitThunk
There are 18 crashes (from 10 installations) in nightly 70 starting with buildid 20190729213839. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1563233.
[1] https://hg.mozilla.org/mozilla-central/rev?node=d1b749a11195
Requesting access to crash dumps so that I can investigate the bug
Reliable repro steps:
- turn off vr process in about:config
- restart fx
- navigate to https://webvr.info/samples/03-vr-presentation.html
- enter vr (steamvr should start if not already running)
- exit vr
- navigate to https://www.bing.com/
- wait for firefox.exe to no longer appear in steamvr status
- navigate back to https://webvr.info/samples/03-vr-presentation.html
- crash
This change addresses an issue where VRShMem can be in an invalid state when
there is no VR process available. In this case, the VRExternalShmem struct is
allocated on the heap rather than accessed via shared memory. When VRService
stops, it clears this pointer, but cannot re-access it when it restarts. Thus,
this results in a nullptr crash when a tab Enters, Exits, and Re-enters VR.
The fix is to distinguish between in-proc heap allocation vs cross-proc shared
memory so that VRService can decide to make the call to LeaveShMem in its Stop
function. This will keep the heap allocation alive across service restarts and
prevent the null crash.
Comment 7•5 years ago
|
||
Backed out for crashes on mozilla::gfx::VRShMem::CreateShMem(bool)
Backout link: https://hg.mozilla.org/integration/autoland/rev/51738e0c713be935e60012e29d08b121289c3931
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=260453257&repo=autoland&lineNumber=3561
Comment 9•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Updated•5 years ago
|
Updated•3 years ago
|
Description
•