Closed Bug 1578376 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::layers::NativeLayerCA::NextSurfaceAsFramebuffer]

Categories

(Core :: Graphics: Layers, defect, P3)

71 Branch
defect

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- fixed

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-e28a71ac-4c32-49cb-b6a1-8f9f50190902.

Top 10 frames of crashing thread:

0 XUL mozilla::layers::NativeLayerCA::NextSurfaceAsFramebuffer gfx/layers/NativeLayerCA.mm:356
1 XUL mozilla::wr::RenderCompositorOGL::BeginFrame gfx/webrender_bindings/RenderCompositorOGL.cpp:67
2 XUL mozilla::wr::RenderThread::UpdateAndRender gfx/webrender_bindings/RenderThread.cpp:444
3 XUL mozilla::wr::RenderThread::HandleFrameOneDoc gfx/webrender_bindings/RenderThread.cpp:319
4 XUL mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void  xpcom/threads/nsThreadUtils.h:1176
5 XUL MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:523
6 XUL base::MessagePumpDefault::Run ipc/chromium/src/base/message_pump_default.cc:35
7 XUL base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:192
8 XUL ThreadFunc ipc/chromium/src/base/platform_thread_posix.cc:40
9 libsystem_pthread.dylib _pthread_body 

There are 7 crashes (from 5 installations) in nightly 71 starting with buildid 20190902094857. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1578099.

[1] https://hg.mozilla.org/mozilla-central/rev?node=34aa23a05c67

Flags: needinfo?(mstange)

As usual, the crash stack does not show inline callstack information and is not very helpful in actually pointing out the cause of the crash. It only shows the outermost caller. I had to do manual work to work around this problem.

Here's what I did:

  1. Go to the crash report.
  2. Find the module offset of the crashing instruction, by going to the "Raw Dump" tab. It's the address in the line "module_offset": "0x14c601b",.
  3. Also note down the crashing module's name, here (and usually) XUL.
  4. Find the breakpad ID of the crashing module, by going to the "Modules" tab. It's 3378E7F8C8E339A6AAAD847F4A12748D0.
  5. Download and uncompress https://symbols.mozilla.org/XUL/3378E7F8C8E339A6AAAD847F4A12748D0/XUL.dSYM.tar.bz2
  6. Run dwarfdump --lookup 0x14c601b /path/to/XUL.dSYM

This produces:

----------------------------------------------------------------------
 File: /Users/mstange/Downloads/target.crashreporter-symbols-full(2)/XUL/3378E7F8C8E339A6AAAD847F4A12748D0/XUL.dSYM/Contents/Resources/DWARF/XUL (x86_64)
----------------------------------------------------------------------
Looking up address: 0x00000000014c601b in .debug_info... found!

0x0f56518f: Compile Unit: length = 0x00066da1  version = 0x0002  abbr_offset = 0x00000000  addr_size = 0x08  (next CU at 0x0f5cbf34)

0x0f56519a: TAG_compile_unit [629] *
             AT_producer( "clang version 8.0.1 " )
             AT_language( DW_LANG_ObjC_plus_plus )
             AT_name( "/builds/worker/workspace/build/src/obj-firefox/gfx/layers/Unified_mm_gfx_layers0.mm" )
             AT_stmt_list( 0x0176a528 )
             AT_comp_dir( "/builds/worker/workspace/build/src/obj-firefox/gfx/layers" )
            Unknown DW_AT constant: 0x2134( 0x01 )
             AT_APPLE_optimized( 0x01 )
             AT_APPLE_major_runtime_vers( 0x02 )
             AT_low_pc( 0x00000000014bd830 )
             AT_high_pc( 0x00000000014ca193 )

0x0f5bc980:     TAG_subprogram [308] *
                 AT_low_pc( 0x00000000014c5d00 )
                 AT_high_pc( 0x00000000014c65a6 )
                 AT_frame_base( rbp )
                 AT_object_pointer( {0x0f5bc9a3} )
                 AT_decl_file( "/builds/worker/workspace/build/src/gfx/layers/NativeLayerCA.mm" )
                 AT_decl_line( 349 )
                 AT_specification( {0x000000000f56d1bb}"_ZN7mozilla6layers13NativeLayerCA24NextSurfaceAsFramebufferEb" )
                  AT_MIPS_linkage_name( "_ZN7mozilla6layers13NativeLayerCA24NextSurfaceAsFramebufferEb" )
                  AT_name( "NextSurfaceAsFramebuffer" )
                  AT_decl_file( "/builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/NativeLayerCA.h" )
                  AT_decl_line( 112 )
                  AT_type( {0x000000000022da76} ( Maybe<unsigned int> ) )
                  AT_virtuality( DW_VIRTUALITY_virtual )
                  AT_vtable_elem_location( <0x2> 10 0b  )
                  AT_declaration( 0x01 )
                  AT_external( 0x01 )
                  AT_APPLE_optimized( 0x01 )
                  AT_accessibility( DW_ACCESS_public )
                  AT_containing_type( {0x000000000f56ce07} )

0x0f5bcb4d:         TAG_inlined_subroutine [182] *
                     AT_abstract_origin( {0x000000000f5bbe76}"_ZN7mozilla6layers13NativeLayerCA32GetOrCreateFramebufferForSurfaceERKNS_12BaseAutoLockIRNS_5MutexEEE12CFTypeRefPtrIP11__IOSurfaceEb" )
                      AT_decl_file( "/builds/worker/workspace/build/src/gfx/layers/NativeLayerCA.mm" )
                      AT_decl_line( 359 )
                      AT_specification( {0x000000000f56d431}"_ZN7mozilla6layers13NativeLayerCA32GetOrCreateFramebufferForSurfaceERKNS_12BaseAutoLockIRNS_5MutexEEE12CFTypeRefPtrIP11__IOSurfaceEb" )
                       AT_MIPS_linkage_name( "_ZN7mozilla6layers13NativeLayerCA32GetOrCreateFramebufferForSurfaceERKNS_12BaseAutoLockIRNS_5MutexEEE12CFTypeRefPtrIP11__IOSurfaceEb" )
                       AT_name( "GetOrCreateFramebufferForSurface" )
                       AT_decl_file( "/builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/NativeLayerCA.h" )
                       AT_decl_line( 164 )
                       AT_type( {0x000000000cced223} ( GLuint ) )
                       AT_declaration( 0x01 )
                       AT_external( 0x01 )
                       AT_APPLE_optimized( 0x01 )
                       AT_accessibility( DW_ACCESS_protected )
                      AT_inline( DW_INL_inlined )
                      AT_object_pointer( {0x0f5bbe88} )
                     AT_ranges( 0x00f768d0
                        [0x00000000014c5d5a - 0x00000000014c5e52)
                        [0x00000000014c5e60 - 0x00000000014c641a)
                        [0x00000000014c6458 - 0x00000000014c6587)
                         End )
                     AT_call_file( "/builds/worker/workspace/build/src/gfx/layers/NativeLayerCA.mm" )
                     AT_call_line( 356 )
Line table dir : '/builds/worker/workspace/build/src'
Line table file: 'gfx/layers/NativeLayerCA.mm' line 380, column 20 with start address 0x00000000014c601b

Looking up address: 0x00000000014c601b in .debug_frame... not found.

This contains the string Line table file: 'gfx/layers/NativeLayerCA.mm' line 380, column 20, and indeed, line 380 has a pointer dereference! So that dereference is probably what's crashing. And looking at the implementation of MozFramebuffer::CreateWith, it can return null in out-of-memory or error cases.

Flags: needinfo?(mstange)
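The dwarfdump lookup above is what recovers the inline call chain the crash report flattens: the crash report says line 356 (where the inlined GetOrCreateFramebufferForSurface is called), while the line table says the faulting instruction belongs to line 380 inside the inlined routine. The following parser is an added example, not part of this bug or of Mozilla's tooling; it assumes the `dwarfdump --lookup` layout shown above (TAG_subprogram, nested TAG_inlined_subroutine entries, then a "Line table file:" line) and walks AT_call_file / AT_call_line outward to rebuild the logical stack. The embedded input is a constructed, trimmed copy of the output quoted in the comment.

```python
import re

# Constructed excerpt modelled on the `dwarfdump --lookup` output quoted in this bug.
SAMPLE = """\
0x0f5bc980:     TAG_subprogram [308] *
                 AT_decl_file( "/builds/worker/workspace/build/src/gfx/layers/NativeLayerCA.mm" )
                 AT_decl_line( 349 )
                  AT_name( "NextSurfaceAsFramebuffer" )
0x0f5bcb4d:         TAG_inlined_subroutine [182] *
                       AT_name( "GetOrCreateFramebufferForSurface" )
                     AT_call_file( "/builds/worker/workspace/build/src/gfx/layers/NativeLayerCA.mm" )
                     AT_call_line( 356 )
Line table dir : '/builds/worker/workspace/build/src'
Line table file: 'gfx/layers/NativeLayerCA.mm' line 380, column 20 with start address 0x00000000014c601b
"""

TAG_RE = re.compile(r"TAG_(subprogram|inlined_subroutine)\b")
ATTR_RE = re.compile(r'AT_(name|call_file|call_line)\(\s*"?([^")]*?)"?\s*\)')
LINE_RE = re.compile(r"Line table file: '([^']+)' line (\d+)")

def parse_lookup(text):
    """Return (frames, (file, line)): frames outermost-first, each holding the first
    AT_name / AT_call_file / AT_call_line seen; (file, line) is the line-table hit."""
    frames = []
    for raw in text.splitlines():
        if TAG_RE.search(raw):
            frames.append({})          # a new subprogram or inlined-subroutine DIE
        elif frames:
            m = ATTR_RE.search(raw)
            if m and m.group(1) not in frames[-1]:
                frames[-1][m.group(1)] = m.group(2).strip()
    m = LINE_RE.search(text)
    return frames, (m.group(1), int(m.group(2)))

def inline_stack(text):
    """Innermost-first (function, file, line): the line-table hit belongs to the innermost
    inlined routine; each AT_call_line then locates that routine's call site in its caller."""
    frames, (file, line) = parse_lookup(text)
    stack = []
    for i in range(len(frames) - 1, -1, -1):
        stack.append((frames[i]["name"], file, line))
        if i > 0:
            file, line = frames[i]["call_file"], int(frames[i]["call_line"])
    return stack

if __name__ == "__main__":
    for fn, path, ln in inline_stack(SAMPLE):
        print(f"{fn}  {path}:{ln}")
```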

I'm pretty sure this is because of out-of-memory conditions caused by bug 1578310. That bug is now fixed, so there should be no more reports of this kind in today's build.

I've filed bug 1578449 about handling this case properly.

Depends on: 1578310
Priority: -- → P3

No more reports since Sept 3, so it looks like bug 1578310 indeed fixed this.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Crashes with this signature have started appearing again over the last few months. They're still null-dereferences, but I haven't tried to figure out if they're at the same address.

Top ten frames of new crash stacks:

    0  XUL  mozilla::layers::NativeLayerCA::NextSurfaceAsFramebuffer(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, bool)  gfx/layers/NativeLayerCA.mm:588
    1  XUL  mozilla::layers::CompositorOGL::RenderTargetForNativeLayer(mozilla::layers::NativeLayer*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&)  gfx/layers/opengl/CompositorOGL.cpp:771
    2  XUL  mozilla::gfx::BaseIntRegion<mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits> >::And(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)  gfx/src/nsRegion.h:2253
    3  XUL  mozilla::layers::CompositorOGL::BeginRenderingToNativeLayer(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::NativeLayer*)  gfx/layers/opengl/CompositorOGL.cpp:853
    4  XUL  mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&)  gfx/layers/composite/LayerManagerComposite.cpp:1243
    5  libmozglue.dylib  free  memory/build/malloc_decls.h:54
    6  XUL  regiondetails::Band* nsTArray_Impl<regiondetails::Band, nsTArrayInfallibleAllocator>::ReplaceElementsAt<regiondetails::Band, nsTArrayInfallibleAllocator>(unsigned long, unsigned long, regiondetails::Band const*, unsigned long)  xpcom/ds/nsTArray.h:2281
    7  XUL  mozilla::layers::LayerManagerComposite::UpdateAndRender()  gfx/layers/composite/LayerManagerComposite.cpp:645
    8  XUL  mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags)  gfx/layers/composite/LayerManagerComposite.cpp:564
    9  XUL  mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)  gfx/layers/ipc/CompositorBridgeParent.cpp:1047
    10  XUL  empty_buffer (.llvm.605019813206002948)

Same bug? Different bug?

Flags: needinfo?(mstange)

Different bug - they all have moz crash reason: "MOZ_RELEASE_ASSERT(mFrontSurface) (The first call to NextSurface* must always update the entire layer. If this is the second call, mFrontSurface will be Some().)". And I'm surprised that no bug has been filed on this - MOZ_CRASH / MOZ_RELEASE_ASSERT crashes are important to know about.

Flags: needinfo?(mstange)
See Also: → 1717889
Has Regression Range: --- → yes