1633693 - Crash in [@ mozilla::gfx::SourceSurfaceD2D1::DrawTargetWillChange]

Status: RESOLVED FIXED

(Core :: Graphics, defect, P1)

Description

[Alex Chronopoulos [:achronop]]

This bug is for crash report bp-970fe456-248a-4340-a62f-039120200420.

Top 10 frames of crashing thread:

0 xul.dll mozilla::gfx::SourceSurfaceD2D1::DrawTargetWillChange gfx/2d/SourceSurfaceD2D1.cpp:121
1 xul.dll mozilla::gfx::DrawTargetD2D1::MarkChanged gfx/2d/DrawTargetD2D1.cpp:1489
2 xul.dll mozilla::gfx::DrawTargetD2D1::ClearRect gfx/2d/DrawTargetD2D1.cpp:373
3 xul.dll mozilla::gfx::DrawTarget::DrawCapturedDT gfx/2d/DrawTarget.cpp:167
4 xul.dll mozilla::layers::PaintThread::AsyncPaintTask gfx/layers/PaintThread.cpp:228
5 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/gfx/layers/PaintThread.cpp:199:30'>::Run xpcom/threads/nsThreadUtils.h:557
6 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
7 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:481
8 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:308

It has started happening since 20200417100143. The list of bugs of that day:

Bug 1626590 Use os._exit not sys.exit in atexit in Python3 r=glandium,janerik
Bug 1622659 - Removed 'else' after 'return' in HTMLInputElement - r=emilio
Bug 1519226 - Wait for the bookmarked status to finish updating before starting test; r=Gijs
Bug 1542293 - Rewrite various nsHttpResponseHead::Get* to use Tokenizer r=mayhemer
Bug 1628690 [Wayland][VA-API] Respect disabled HW decoding to allow fallback to SW decoding, r=jya
Bug 1627795 - Remove unused getCssProperties() helper r=gl
Bug 1607755 - Remove box model highlighter implementation with setupInParent() r=jdescottes
Bug 1629432 - converting integer literal to bool. r=sylvestre
Bug 1619367 - Fix mask/filter opacity optimizations with WebRender r=jrmuizel
Bug 1630615 - Combine toolkit/themes/shared/extensions/utilities.svg and browser/themes/shared/icons/settings.svg. r=dao
Bug 1629602 - Include reason for failure when describing features. r=aosmond
Bug 1628120 - Make sure to dispatch to correct event target. r=peterv
Bug 1615588 - Extended nsIPromptService to support tab modal prompts. r=johannh,MattN,necko-reviewers,dragana
Bug 1615588 - TabModalPrompt(Box): Added tab level system prompts. r=MattN
Bug 1615588 - Extended GeckoView prompt implementation to support prompting by BrowsingContext. r=snorp
Bug 1615588 - nsDocumentViewer: Use prompt service instead of nsIPrompt. r=johannh,jfkthame
Bug 1615588 - SearchOneOffs: Use prompt service instead of nsIPrompt. r=johannh
Bug 1615588 - pageActions: Use prompt service instead of nsIPrompt. r=johannh
Bug 1615588 - Updated prompt tests. r=marionette-reviewers,johannh,whimboo
Backed out changeset 7d9103e6c1df (bug 1542293) for xpcshell failures at test_race_cache_with_network.js. CLOSED TREE
Bug 1628982 - Activate the condprofile on desktop + GV r=Bebe,perftest-reviewers,whimboo
Bug 1630090: Refactor PrepareAndExecuteRegexp r=jandem
Bug 1630090: Implement PrepareAndExecuteRegexp for new engine r=jandem
Bug 1619979 - Don't show PiP toggle on videos that have been laid out with small dimensions. r=mstriemer
Backed out changeset dfb973b3e25c (bug 1619367) for reftest failures at mask-opacity-invalidation-1.html. CLOSED TREE
Bug 1630481 - make Wrench force external BGRA8 images to known format to avoid needing swizzles. r=kvark
Bug 1630312 - Bump to lucetc with prop 0.9.6 dependency for rust 1.44 support r=dmajor
Bug 1628954 - Fix bad string comparison in gyp r=dmajor
Bug 1619367 - Fix mask/filter opacity optimizations with WebRender r=jrmuizel
Backed out changeset 9780a50735c6 (bug 1628787) as requested by rcaliman on bug 1629043 for failing with Beta configuration. CLOSED TREE
Backed out changeset 05ccd03beb2f (bug 1528288) as requested by rcaliman on Bug 1629043 for failing with Beta configuration. CLOSED TREE
Bug 1627738 - expose GPU troubleshooting information to webcompat reports; r=Gijs,webcompat-reviewers,miketaylr
No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Bug 1627206 - Upgrade failure telemetry for HTTPS Only Mode. r=ckerschb,jcj,dragana
Bug 1619673 - Disable appcache in release r=dragana
Bug 1630171 - Fix intermittent due to AboutWelcome actor not available r=mconley
Bug 1353429: Test Principal URI escaping.r=valentin
Bug 1630676 - Fix some errors and formatting changes when updating rustc to 1.43.0-nightly (5d04ce67f 2020-02-13).
Bug 1630676 - Update ipc-channel and crossbeam-channel in Servo.
Bug 1630676 - Cherry-pick some layout-2020 changes.
Bug 1630676 - Update Servo's attribute length parsing code to match spec.
Bug 1630676 - Don't expose any AtomicRefCell directly from style traits.
Bug 1630676 - Don't use transmute to create PaintOrder values. r=emilio
Bug 1630676 - Replace ScopedTLS::unsafe_get by ScopedTLS::into_slots. r=emilio
Bug 1630676 - Rearrange FontLanguageOverride. r=emilio
Bug 1630676 - Refactor some Servo-only animations code.
Bug 1630676 - Reformat recent changes, various build fixes, and tidy fixes.
Bug 1615412 - Disable IPv6 when connecting to remote runtime. r=jdescottes
Bug 1625749 - Make sure SlicedInputStream initializes all its members. r=nika
Bug 1625749 - Make sure PartiallySeekableInputStream initializes all its members. r=kershaw
Backed out changeset 7749765974c1 (bug 1630615) for failing browser_primaryUI.js on a CLOSED TREE
Bug 1630676 - Fix a typo introduced earlier in this bug.
Backed out changeset 376986092fe4 (bug 1627206) for causing browser_console_logging.js to fail CLOSED TREE
Bug 1630521: Allow CanvasDrawEventRecorder to control surface destruction recording, so it can be done on the main thread. r=jrmuizel
Bug 1630668 - Fix incompatible type signatures in subclasses of Repository r=dmajor
Bug 1630510 - Clean up .bookmark-item max-width rules. r=Gijs
Bug 1626661 - Don't make the about:logins searchbox more opaque on focus r=jaws
Bug 1629569 - Warp: Support IONFLAGS=logs. r=jandem
Bug 1630661 - Fix webaudio querystring to autostart for PGO r=padenot
Bug 1614468, r=bomsy
Bug 1630449 - Avoid refreshing editor on selectedFrame change r=jlast
Bug 1459175 - Introduce UI for Options drop down menu in Network panel r=Honza
Bug 1571412 - Update addon manager browser tests to use pushPrefEnv where appropriate. r=rpl
Backed out 11 changesets (bug 1630676) for causing multiple failures CLOSED TREE
Bug 1626425 - Disable multiple tests on win and macos debug for causing crashes. r=jmaher
Bug 1630615 - Remove duplicate settings icons. r=dao
Bug 1627206 - Upgrade failure telemetry for HTTPS Only Mode. r=ckerschb,jcj,dragana
Bug 1630371 - Disable DirectComposition when we have a scaled resolution and no hardware stretching. r=aosmond
Bug 1630676 - Fix some errors and formatting changes when updating rustc to 1.43.0-nightly (5d04ce67f 2020-02-13).
Bug 1630676 - Update ipc-channel and crossbeam-channel in Servo.
Bug 1630676 - Cherry-pick some layout-2020 changes.
Bug 1630676 - Update Servo's attribute length parsing code to match spec.
Bug 1630676 - Don't expose any AtomicRefCell directly from style traits.
Bug 1630676 - Don't use transmute to create PaintOrder values. r=emilio
Bug 1630676 - Replace ScopedTLS::unsafe_get by ScopedTLS::into_slots. r=emilio
Bug 1630676 - Rearrange FontLanguageOverride. r=emilio
Bug 1630676 - Refactor some Servo-only animations code.
Bug 1630676 - Reformat recent changes, various build fixes, and tidy fixes.
Bug 1630676 - Fix two regressions from the previous patches.
Bug 1527656 - Don't throw on recordEvent an unknown event r=janerik
Bug 1592105 - Part 1 - Add a reference to CompilationInfo within TokenStream. r=mgaudet
Bug 1588113: Only consider the major version part when checking for downgrades. r=glandium
Bug 1627125 Part 1 - Allow ReflowFlexItem to take available size as an input, and output reflow status. r=dholbert
Bug 1627125 Part 2 - Add a helper to compute available size for flex items, and pass the information to ReflowChildren. r=dholbert
Bug 1627125 Part 3 - Add aColumnWrapThreshold to DoFlexLayout. r=dholbert
Bug 1627125 Part 4 - Run DoFlexLayout only in first-in-flow, and store SharedFlexData in it. r=dholbert
Bug 1627125 Part 5 - Make ReflowChildren() output children's max block-end edge and completeness. r=dholbert
Bug 1627125 Part 6 - Redesign the logic that computes flex container's final size with "box-decoration-break: clone" considered. r=dholbert
Bug 1627125 Part 7 - Add reftests for flex containers with "box-decoration-break: clone" and unbreakable children. r=dholbert
Bug 1627125 Part 8 - Make nsFlexContainerFrame static-analysis warning free. r=dholbert
Bug 1628788 - update valid-with-semicolon.https.html expectancy for mac shippable r=jmaher
Backed out changeset 5c1092771230 (bug 1519226) for landing with wrong bug number on a CLOSED TREE
Bug 1519226 - Wait for the bookmarked status to finish updating before starting test; r=Gijs CLOSED TREE DONTBUILD
Backed out changeset bebf14fcc0e2 (bug 1519226) bug number not updated CLOSED TREE
Bug 1385882 - Wait for the bookmarked status to finish updating before starting test; r=Gijs CLOSED TREE DONTBUILD
Bug 1624649: Move android emu to pull from toolchain instead tooltool r=nalexander
Bug 1613796 - Add test case to verify that browser.permissions.request() resolves in the expected order. r=robwu
Bug 1613796 - Make the permission popup queue browser-specific. r=robwu
Bug 1630212 - Remove non-tiled blob images. r=jrmuizel
Bug 1587713 - Remove the late blob rasterization code. r=jrmuizel
Backed out changeset 1ad3c93e1e07 (bug 1624649) for wrench failure on a CLOSED TREE
Bug 1629700 - Update expectances for manifest-utf8-with-bom.https.html on Win 7, Win 10, OS X r=jmaher
Bug 1618051 - Proper hi res logo for search only newtab r=Mardak
Backed out changeset c424381097d7 (bug 1627206) for causing browser_console_logging.js failures CLOSED TREE
Bug 1622846 - WebGPU dummy destroy() and optional stencil states r=webidl,smaug
Bug 1627104 - Ensure Constructed StyleSheets' parent object is constructor document r=emilio
Bug 1628029 - Add telemetry events for OS authentication. r=MattN
Bug 1623745 - Add a value to the pwmgr.reauthenticated telemetry event to specify if the user was able to authenticate without a password. r=MattN,spohl
Bug 1628165 - Add telemetry probe for clicks on vulnerable password learn more link. r=MattN
Bug 1630105 - Add a telemetry scalar to track how often people encounter printing errors. r=mconley
Backed out changeset fdddf4601d4d (bug 1628165) for build bustages on a CLOSED TREE
Bug 1630512 - Initialize VRDisplayClient api mode to WebVR r=kip,daoshengmu
Bug 1630739 - Invert Quest and Focus Plus controller rotation matrix for remapping. r=kip
Bug 1628165 - Add telemetry probe for clicks on vulnerable password learn more link. r=MattN
Bug 1482147 - Simplify nsTypeAheadFind visibility code to not lie. r=masayuki
Bug 1482147 - Fix the expectation of a GeckoView test which was relying on this bug. r=agi
Bug 1614462: Part 1 - Remove unused message principals. r=nika
Bug 1614462: Part 2a - Remove commented out mozbrowser test code. r=mccr8
Bug 1614462: Part 2b - Remove unnecessary mozbrowser usage in chrome tests. r=mccr8
Bug 1614462: Part 2c - Remove content mozbrowser tests. r=mccr8
Bug 1614462: Part 2d - Fix tests that don't need to use mozbrowser. r=mccr8
Bug 1614462: Part 2e - Migrate desktop-only CrashService_crash test to browser test. r=mconley
Bug 1614462: Part 2f - Remove browser-element mochitests. r=mccr8
Bug 1614462: Part 3a - Remove support for <iframe mozbrowser> in content processes. r=nika
Bug 1614462: Part 3b - Remove moribund DocShell FrameType/IsMozBrowser/IsInMozBrowser fields. r=nika
Bug 1614462: Part 3c - Remove dead TabContext IsMozBrowserElement fields. r=nika
Bug 1623745 - disable test_osreauthenticator.js on automation r=test-fix CLOSED TREE
Backed out 10 changesets (bug 1614462) for causing xpcshell failures CLOSED TREE
Bug 1630419 support management as an optional extension permission r=rpl
Bug 1630629. Block WebRender on Intel if no DComp. r=aosmond
Backed out changeset 923c7f562468 (bug 1630629) because phabricator version is not the same as one on try on a CLOSED TREE
Backed out changeset a95e314cd2af (bug 1618051) for failing bc at browser_parsable_css.js on a CLOSED TREE
Bug 1629776 - Handle WR case of an empty inner transformed rectangle r=gw
Bug 1621399 - Add RTCPeerConnection-perfect-negotiation.https.html wpt test. r=bwc
Bug 1628139 - Tighten negotiationneeded test to disallow double-firing and racing w/onmessage. r=bwc
Bug 1628139 - Queue negotiationneeded when chain is/becomes empty. r=bwc
Bug 1630361 - Remove [NeedsWindowsUndef] attribute from webidl, r=peterv
Bug 1629376, Revert the fragment caching changes to ensure downloads are shown in Library menu. r=emilio
Bug 612118 - Make .getBBox() on a non-rendered element not throw. r=heycam
Backed out changeset bcb914fcd7d6 (bug 1623745) to revert the changes on a closed tree
Bug 1623745 - fix test_osreauthenticator.js r=test-fix on a CLOSED TREE
Bug 1618769 - Increase max chars for search suggestions, and don't fetch suggestions at all when max is reached due to paste. r=mak
Bug 1630788 - Init FunctionHasExtraBodyVarScope during lazy parse. r=arai
Bug 1627175 - part 7: Move `EditorBase::IsPaddingBRElementForEmptyLastLine()` to `EditorUtils` r=m_kato
Backed out changeset c6490dad74ac (bug 1629376) for causing browser_toolbar_library_open_recent.js failures CLOSED TREE
Bug 1629732 - Fix non-unified build errors in layout/mathml. r=tnikkel
Bug 1630655 - Actually advance lateWriteChecksStage to 3 r=erahm
Bug 1616411 - Part 1: Split out some helper methods from OrientedImage. r=tnikkel
Bug 1616411 - Part 2: Don't bother passing in the size to OrientedImage::OrientSurface. r=tnikkel
Bug 1616411 - Part 3: Make RasterImage deal with and apply image orientation. r=tnikkel
Bug 1616411 - Part 4: Make nsLayoutUtils::OrientImage undo any automatic RasterImage orientation when required. r=tnikkel
Bug 1616411 - Part 4a: Make SurfaceCache aware that native image sizes can be affected by orientation. r=tnikkel
Bug 1616411 - Part 5: Make naturalWidth/naturalHeight getters take RasterImage orientation handling into account. r=tnikkel
Bug 1616411 - Part 6: When -moz-element references an image, use the target orientation. r=tnikkel
Bug 1616411 - Part 6a: Make OrientedImage::GetFrameAtSize return an appropriately sized surface. r=tnikkel
Bug 1616411 - Part 7: Tests. r=tnikkel
Backed out changeset f055b35804d7 (bug 1630655) for multiple failures regarding/IOInterposer on a CLOSED TREE
Bug 1627175 - part 8: Move `EditorBase::IsContainer()` to `HTMLEditUtils` r=m_kato
Backed out changeset 894ebe92bdae (bug 1628052) for causing failure increase in bug 1358898 CLOSED TREE
Bug 1629376, Revert the fragment caching changes to ensure downloads are shown in Library menu. r=emilio
Backed out changeset a6904ec3d1e0 (bug 1347710) for causing Bug 1630860 a=backout

Comment 1

[Timothy Nikkel (:tnikkel)]

This is another crash in source surface that regressed on the day the image orientation changes landed, except this is on the paint thread. Very odd.

Comment 2

[Alex Chronopoulos [:achronop]]

I am adding a signature that started crashing in the same build id. If it is not relevant, let me know, and I will open a new bug about it.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jbonisteel, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 4

[Jessie [:jbonisteel] pls NI]

Does it look like we could do anything about this crash?

Comment 5

[Timothy Nikkel (:tnikkel)]

I don't really know what's going wrong. There's probably something we could do to investigate, not sure how fruitful it would be though.

Comment 6

[[:philipp]]

[Tracking Requested - why for this release]:
noticeably increasing content crash signature in firefox 78

Comment 7

[Timothy Nikkel (:tnikkel)]

This bug falls into a category of DrawTarget or SourceSurface related crashes that started happening with a similar regression range (bug 1631187 is another), and the range includes bug 1616411 which seems like the only bug touching code that might be related to the crash. Several people (me, Andrew, heycam) have looked over the patches for that bug and come up with nothing. Maybe someone more familiar with this code on the paint thread could look to see if they see anything?

Comment 8

[Jessie [:jbonisteel] pls NI]

Grasping at straws a bit, jgilbert, I don't suppose this could be related to bug 1639062?

Comment 9

[Kelsey Gilbert [:jgilbert]]

Bug 1639062 seems unlikely to me, since that basically shouldn't change the behavior of existing code. (that bug allows for new formats to be used, but it doesn't advertize them or anything, so other code not touched in the patch should have the same behavior as before)

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information

Comment 11

[Jessie [:jbonisteel] pls NI]

Lee - any suggestions about this?
Bob - any chance this could be related to any of your work recently?

Comment 12

[Bob Owen (:bobowen)]

I'm beginning to think that these might be caused by my fix to bug 1630521.
I should have a fix for the issue in bug 1644208.
Basically, I hadn't realised that the template code in NewRunnableMethod "helpfully" assumes that if you are passing in a pointer that is reference counted then you must want to hold it in a RefPtr (with associated AddRef and Release).
However that code is called during the SourceSurface's destructor, so ... bad things happen.

Bug 1631335 and bug 1631188 might also be related and crashes in mozilla::gfx::DrawTargetD2D1::Fill.

Comment 13

[Bob Owen (:bobowen)]

(In reply to Jessie [:jbonisteel] pls NI from comment #11)
...

Bob - any chance this could be related to any of your work recently?

Funny you should ask that. :-)

Comment 14

[Bob Owen (:bobowen)]

Fixed by commit in bug 1644208.