1656415 - Crash in [@ wl_proxy_create_wrapper | dri2_wl_create_window_surface]

Status: RESOLVED WORKSFORME

(Core :: Widget: Gtk, defect, P2)

Description

[Matt Fagnani]

This bug is for crash report bp-4f49759d-633e-4248-9791-3bad10200731.

Top 10 frames of crashing thread:

0 libwayland-client.so.0 wl_proxy_create_wrapper src/wayland-client.c:2237
1 libEGL_mesa.so.0 libEGL_mesa.so.0@0x255c8 
2 libEGL_mesa.so.0 libEGL_mesa.so.0@0x1076f 
3 libEGL_mesa.so.0 libEGL_mesa.so.0@0x10608 
4 libxul.so mozilla::gl::CreateSurfaceFromNativeWindow gfx/gl/GLContextProviderEGL.cpp:234
5 libxul.so _fini 
6 firefox-bin replace_calloc memory/replace/phc/PHC.cpp:1152
7 libwayland-client.so.0 _fini 
8 libgtk-3.so.0 libgtk-3.so.0@0x3b0cef 
9 libgobject-2.0.so.0 <name omitted> ../gobject/gtype.c:4016

Firefox 81.0a1 (2020-7-30) on Wayland with Webrender enabled in Plasma 5.19.3 in Fedora Rawhide crashed when I was clicking on the icons in the top right of the address bar repeatedly to try to reproduce the crash in https://bugzilla.mozilla.org/show_bug.cgi?id=1655120 which did occur two other times. A segmentation fault happened in wl_proxy_create_wrapper(void *proxy) at src/wayland-client.c:2237 in libwayland-client-1.18.0-1.fc33.x86_64 which was pthread_mutex_lock(&wrapped_proxy->display->mutex);

The crash address was 0x0. proxy and wrapped_proxy might have been null pointers resulting in a null pointer dereference. The crash is infrequent and requires clicking on the icons at the top right many times. A race condition between when Firefox created the Wayland surface of the popup and that pointer was used in wl_proxy_create_wrapper and changed to a null pointer in this case might have happened.

Comment 1

[Matt Fagnani]

The lines of frames 1 to 3 were shown in gdb for libEGL_mesa.so.0 from mesa-libEGL-20.1.4-1.fc33.x86_64 as follows.

gdb /usr/lib64/libEGL_mesa.so.0

(gdb) info line *0x255c8
Line 304 of "../src/egl/drivers/dri2/platform_wayland.c"
starts at address 0x255c0 <dri2_wl_create_window_surface+608>
and ends at 0x255e7 <dri2_wl_create_window_surface+647>.
(gdb) info line *0x1076f
Line 963 of "../src/egl/main/eglapi.c" starts at address 0x10764 <_eglCreateWindowSurfaceCommon+596>
and ends at 0x10770 <eglCreateWindowSurface>.
(gdb) info line *0x10608
Line 971 of "../src/egl/main/eglapi.c" starts at address 0x10600 <_eglCreateWindowSurfaceCommon+240>
and ends at 0x1060c <_eglCreateWindowSurfaceCommon+252>.

Comment 2

[Darkspirit]

Duping due to same STR as bug 1645677.

Comment 3

[Matt Fagnani]

Firefox Nightly 81.0a1 (2020-8-5) on Wayland with Webrender enabled in Plasma 5.19.4 in Fedora Rawhide crashed when clicking to disable Tracking protection in the Tracking protection popup. A segmentation fault occurred in wl_proxy_create_wrapper at src/wayland-client.c:2237 in libwayland-client-1.18.0-2.fc33.x86_64 in the Renderer thread as in crash I originally reported here. The crash address was 0x0. A null pointer dereference might've happened. https://crash-stats.mozilla.org/report/index/23ad0563-e71b-4986-b183-cff7f0200805

The functions in frames 1 and 2 were similar to those in the original crash.
1 dri2_wl_create_window_surface in ../src/egl/drivers/dri2/platform_wayland.c:377 in mesa-libEGL-20.1.4-2.fc33.x86_64
2 _eglCreateWindowSurfaceCommon in ../src/egl/main/eglapi.c:971 in mesa-libEGL-20.1.4-2.fc33.x86_64

Comment 4

[Martin Stránský [:stransky] (ni? me)]

Do you see the crash also on Gnome or is that KDE specific?
Thanks.

Comment 5

[Matt Fagnani]

(In reply to Martin Stránský [:stransky] from comment #4)

Do you see the crash also on Gnome or is that KDE specific?
Thanks.

Martin, I've only been using the Fedora Rawhide KDE Plasma spin. I haven't had Gnome installed. The crash signature wl_proxy_create_wrapper | dri2_wl_create_window_surface has 29 crashes from Fedora 32 (Workstation Edition) and other Fedora, Debian, Ubuntu versions from others in the last 6 months https://crash-stats.mozilla.org/signature/?signature=wl_proxy_create_wrapper%20|%20dri2_wl_create_window_surface&date=%3E%3D2020-02-06T14%3A17%3A00.000Z&date=%3C2020-08-06T14%3A17%3A00.000Z

So I guess that crashes with that signature happened in Gnome also. Thanks.

Comment 6

[Matt Fagnani]

I opened Firefox 80.0.1 on Wayland in Plasma 5.19.5 in Fedora 33 with mesa 20.2.0~rc3 and selected the Bookmarks menu > Bookmark This Page. A segmentation fault happened in wl_proxy_create_wrapper at wayland-client.c:2237 in libwayland-client-1.18.0-2.fc33.x86_64 with a trace like that I reported here.
https://crash-stats.mozilla.org/report/index/1299a190-cfb0-4a04-bc10-da7ca0200904

Another crash with this trace happened when I repeatedly clicked on the toolbar buttons like the Firefox Account and View history ones in Firefox 80.0.1 on Wayland to try to troubleshoot this problem. Crashes like this happened after clicking toolbar buttons anywhere from 1 to 30 or more times.
https://crash-stats.mozilla.org/report/index/bb7fd521-7204-4aff-8f21-1d3c30200904

I saw a crash in Firefox Nighly 82.0a1 (2019-9-3) on Wayland while running in gdb and clicking the toolbar buttons repeatedly.
The segmentation fault was in wl_proxy_create_wrapper at src/wayland-client.c:2237 as before, but the rest of the trace was somewhat different proxy=0xe5e5e5e5e5e5e5e5 appeared to be a corrupted or invalid pointer which was assigned to wrapped_proxy leading to the segmentation fault.

Thread 33 "Renderer" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc8227640 (LWP 12677)]
wl_proxy_create_wrapper (proxy=0xe5e5e5e5e5e5e5e5) at src/wayland-client.c:2237
2237 pthread_mutex_lock(&wrapped_proxy->display->mutex);
(gdb) bt full
#0 wl_proxy_create_wrapper (proxy=0xe5e5e5e5e5e5e5e5) at src/wayland-client.c:2237
wrapped_proxy = 0xe5e5e5e5e5e5e5e5
wrapper = 0x7fffb3bedab0
#1 0x00007fffc7d83b02 in get_wl_surface_proxy (window=0x7fffb5660340)
at ../src/egl/drivers/dri2/platform_wayland.c:303
No locals.
#2 dri2_wl_create_window_surface (drv=<optimized out>, disp=<optimized out>, conf=0x7fffc63bf940,
native_window=0x7fffb5660340, attrib_list=0x0) at ../src/egl/drivers/dri2/platform_wayland.c:376
dri2_dpy = 0x7fffd5b39740
dri2_conf = 0x7fffc63bf940
window = 0x7fffb5660340
dri2_surf = 0x7fffb4fcc400
visual_idx = <optimized out>
config = 0x7fffc63b1400
#3 0x00007fffc7d6ca6f in _eglCreateWindowSurfaceCommon (disp=0x7fffd4424000, config=<optimized out>,
native_window=0x7fffb5660340, attrib_list=0x0) at ../src/egl/main/eglapi.c:973
conf = <optimized out>
drv = <optimized out>
surf = <optimized out>
ret = <optimized out>
func = "_eglCreateWindowSurfaceCommon"
#4 0x00007fffed96b55e in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#5 0x00007fffedb21b06 in ?? () from /home/matt/programs/firefox/libxul.so
--Type <RET> for more, q to quit, c to continue without paging--c
No symbol table info available.
#6 0x00007fffedb222e7 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#7 0x00007fffedb325e4 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#8 0x00007fffedb274c4 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#9 0x00007fffedb2b7b4 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#10 0x00007ffff00b3332 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#11 0x00007ffff09f9a5f in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#12 0x00007ffff0a00bf4 in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#13 0x00007ffff09fe71a in ?? () from /home/matt/programs/firefox/libxul.so
No symbol table info available.
#14 0x00007ffff7f953f9 in start_thread (arg=0x7fffc8227640) at pthread_create.c:463
ret = <optimized out>
pd = 0x7fffc8227640
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736551089728, -9137811646448216344, 140737488333214, 140737488333215, 0, 140736551089728, 9137919075899856616, 9137829252204779240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
#15 0x00007ffff7b71b03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

This problem might involve popups more generally than those of the toolbar since crashes with this trace have happened to me when clicking on the Bookmarks menu, disabling Tracking protection, and clicking the toolbar buttons. The Wayland surfaces of popups might have been infrequently freed or corrupted before they were used in wl_proxy_create_wrapper due to a race condition. Is there a better way to troubleshoot these crashes? I ran Firefox under valgrind using the command line options at https://firefox-source-docs.mozilla.org/contributing/debugging/debugging_firefox_with_valgrind.html but its logs didn't seem to report the correct process memory sizes which were about 147 kB. Thanks.

Comment 7

[Martin Stránský [:stransky] (ni? me)]

0xe5e5e5e5e5e5e5e5 means already released/freed memory.
Please try latest nightly - there are two Wayland related fixes there (Bug 1662425 and Bug 1648872).
Thanks.

Comment 8

[Matt Fagnani]

(In reply to Martin Stránský [:stransky] from comment #7)

0xe5e5e5e5e5e5e5e5 means already released/freed memory.
Please try latest nightly - there are two Wayland related fixes there (Bug 1662425 and Bug 1648872).
Thanks.

I haven't seen a crash in segmentation fault was in wl_proxy_create_wrapper with 82.0a1 (2020-9-6) today. I've seen one crash in 82.0a1 (2020-9-5) and three crashes in 82.0a1 (2020-9-6) in update_buffers of the type I reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1655120
while clicking on the toolbar buttons repeatedly.
https://crash-stats.mozilla.org/report/index/098418af-c1fe-4f3f-a1f3-2d6bd0200905
https://crash-stats.mozilla.org/report/index/2be51f13-1e6a-42f1-a4a8-75a9c0200906
https://crash-stats.mozilla.org/report/index/0632c844-f619-417f-8646-893190200906
https://crash-stats.mozilla.org/report/index/be0e663d-2010-4047-a362-d034b0200907
A crash happened with 82.0a1 (2020-9-6) when I selected the Bookmarks menu and I was scrolling down over the bookmarks folders. The crash reporter didn't appear after that crash, so no crash report was saved. The crash reporter hasn't usually been appearing after crashes involving the Bookmarks and Help menus. Should I report that as a different problem? Your patch for 1662425 in particular looks it could address these problems. I'll comment here again if I see a crash with this trace. Thanks.

Comment 9

[Matt Fagnani]

I haven't seen a segmentation fault in wl_proxy_create_wrapper with 82.0a1 (2020-9-6) today (is what I should've wrote).

Comment 10

[Asif Youssuff]

Just hit this on GNOME: bp-cbe4edb7-df75-4610-91d8-6bd1a0200907

Comment 12

[Matt Fagnani]

(In reply to Martin Stránský [:stransky] from comment #7)

0xe5e5e5e5e5e5e5e5 means already released/freed memory.
Please try latest nightly - there are two Wayland related fixes there (Bug 1662425 and Bug 1648872).
Thanks.

I opened Firefox 83.0a1 (2020-9-25) on Wayland with WebRender compositing enabled in Plasma 5.19.5 in Fedora 33 with mesa 20.2.0~rc4 and selected the Bookmarks menu > Bookmark This Page. A segmentation fault happened in the Renderer thread in wl_proxy_create_wrapper at wayland-client.c:2237 in libwayland-client-1.18.0-2.fc33.x86_64 with a trace like that I reported here. https://crash-stats.mozilla.org/report/index/584ff05a-3754-4329-8741-0f67f0200926

Comment 13

[Eduard Kachur]

More of this on latest beta: 17edae69-3da0-4e75-9f73-6e3ad0200930

Comment 14

[Martin Stránský [:stransky] (ni? me)]

This should be fixed now in latest nightly.