Closed Bug 1656727 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler]

Categories

(Core :: Widget: Gtk, defect, P2)

Product:
Core
Component:
Widget: Gtk
Version:
Firefox 81
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox81 --- disabled
firefox82 --- disabled
firefox83 --- fixed

People

(Reporter: matt.fagnani, Assigned: stransky)

References

(Blocks 1 open bug)

Details

Crash Data

Attachments

(2 files)

Bug 1656727 [Wayland] Check mDelayedCommitHandle before we use it, r?jhorak
47 bytes, text/x-phabricator-request
Details | Review
Bug 1656727 [Wayland] Track delayed commits globally, r?jhorak
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-0fc94f9c-f27f-42bc-94f0-ccbee0200802.

Top 10 frames of crashing thread:

0 libxul.so mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler widget/gtk/WindowSurfaceWayland.cpp:1189
1 libxul.so RunnableFunction<void  ipc/chromium/src/base/task.h:324
2 libxul.so {virtual override thunk} 
3 libxul.so nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:565
4 libxul.so nsTimerEvent::Run xpcom/threads/TimerThread.cpp:251
5 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
6 libxul.so mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
7 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
8 libxul.so nsThread::ThreadFunc xpcom/threads/nsThread.cpp:447
9 libnspr4.so _pt_root nsprpub/pr/src/pthreads/ptthread.c:201

I was using Firefox Nightly 81.0a1 (2020-8-1) on Wayland in Plasma 5.19.4 in Fedora Rawhide. I clicked on Help > About Nightly. An update to the second build of 81.0a1 (2020-8-1) was downloaded. I clicked on Restart. Firefox had a segmentation fault in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler at widget/gtk/WindowSurfaceWayland.cpp:1189 which was *mDelayedCommitHandle = nullptr;
The crash address was 0x0, so a null pointer dereference might have happened there.
This crash doesn't usually happen when I update Nightly as above, but I have seen crashes with this trace infrequently.

Blocks: wayland
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Assignee: nobody → stransky
Priority: -- → P2

Looks like we need to add more thread safe checks there.

Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1d7a48a5e3fb
[Wayland] Check mDelayedCommitHandle before we use it, r=jhorak

https://hg.mozilla.org/mozilla-central/rev/1d7a48a5e3fb

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
status-firefox81: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

I've seen two crashes with this trace when closing Nightly 81.0a1 (2020-8-12 and 2020-8-15) on Wayland in Plasma 5.19.4. https://crash-stats.mozilla.org/report/index/2dfb8545-00a0-4534-a8b9-307230200813 https://crash-stats.mozilla.org/report/index/860c75e5-9790-4b5e-ab0e-86e4d0200815 Those builds appeared to have the patch in comment 1 by Martin which looked like it should've avoided the null pointer dereference in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler. These crashes happened less than 10% of the time when closing Nightly on Wayland.

I had four tabs open in Nightly 83.0a1 (2020-9-25) on Wayland with WebRender compositing enabled in Plasma 5.19.5 in Fedora 33. When I closed one of the tabs, a segmentation fault occurred in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler with a trace like those I reported here https://crash-stats.mozilla.org/report/index/469200fd-119c-47ba-a078-3bcfd0200926 This problem might not be fixed. There are 27 reports with this signature from 82.0a1 and 3 from 83.0a1 https://crash-stats.mozilla.org/signature/?signature=mozilla%3A%3Awidget%3A%3AWindowSurfaceWayland%3A%3ADelayedCommitHandler&date=%3E%3D2020-03-26T07%3A19%3A00.000Z&date=%3C2020-09-26T07%3A19%3A00.000Z

status-firefox82: --- → affected
status-firefox83: --- → affected

The bug is still here.

Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---

Track delayed commits in a global list and don't store them in actual wayland surfaces.
When a delayed commit is called, check that the associated wayland surface is still valid.

(In reply to Martin Stránský [:stransky] from comment #8)

Created attachment 9179589 [details]
Bug 1656727 [Wayland] Track delayed commits globally, r?jhorak

Track delayed commits in a global list and don't store them in actual wayland surfaces.
When a delayed commit is called, check that the associated wayland surface is still valid.

This patch causes a popup regression - https://bugzilla.redhat.com/show_bug.cgi?id=1886243

Updated with the regression fixed.

Pushed by abutkovits@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f565fc1e59ad
[Wayland] Track delayed commits globally, r=jhorak

https://hg.mozilla.org/mozilla-central/rev/f565fc1e59ad

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
status-firefox83: affectedfixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.