Closed Bug 1656727 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler]


(Core :: Widget: Gtk, defect, P2)

Firefox 81



81 Branch
Tracking Status
firefox81 --- disabled
firefox82 --- disabled
firefox83 --- fixed


(Reporter: matt.fagnani, Assigned: stransky)


(Blocks 1 open bug)



(2 files)

This bug is for crash report bp-0fc94f9c-f27f-42bc-94f0-ccbee0200802.

Top 10 frames of crashing thread:

0 mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler widget/gtk/WindowSurfaceWayland.cpp:1189
1 RunnableFunction<void  ipc/chromium/src/base/task.h:324
2 {virtual override thunk} 
3 nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:565
4 nsTimerEvent::Run xpcom/threads/TimerThread.cpp:251
5 nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
6 mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
7 MessageLoop::Run ipc/chromium/src/base/
8 nsThread::ThreadFunc xpcom/threads/nsThread.cpp:447
9 _pt_root nsprpub/pr/src/pthreads/ptthread.c:201

I was using Firefox Nightly 81.0a1 (2020-8-1) on Wayland in Plasma 5.19.4 in Fedora Rawhide. I clicked on Help > About Nightly. An update to the second build of 81.0a1 (2020-8-1) was downloaded. I clicked on Restart. Firefox had a segmentation fault in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler at widget/gtk/WindowSurfaceWayland.cpp:1189 which was *mDelayedCommitHandle = nullptr;
The crash address was 0x0, so a null pointer dereference might have happened there.
This crash doesn't usually happen when I update Nightly as above, but I have seen crashes with this trace infrequently.

Blocks: wayland
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Assignee: nobody → stransky
Priority: -- → P2

Looks like we need to add more thread safe checks there.

Pushed by
[Wayland] Check mDelayedCommitHandle before we use it, r=jhorak
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

I've seen two crashes with this trace when closing Nightly 81.0a1 (2020-8-12 and 2020-8-15) on Wayland in Plasma 5.19.4. Those builds appeared to have the patch in comment 1 by Martin which looked like it should've avoided the null pointer dereference in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler. These crashes happened less than 10% of the time when closing Nightly on Wayland.

I had four tabs open in Nightly 83.0a1 (2020-9-25) on Wayland with WebRender compositing enabled in Plasma 5.19.5 in Fedora 33. When I closed one of the tabs, a segmentation fault occurred in mozilla::widget::WindowSurfaceWayland::DelayedCommitHandler with a trace like those I reported here. This problem might not be fixed. There are 27 reports with this signature from 82.0a1 and 3 from 83.0a1.

The bug is still here.

Ever confirmed: true
Resolution: FIXED → ---

Track delayed commits in a global list and don't store them in actual wayland surfaces.
When a delayed commit is called, check that the associated wayland surface is still valid.
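
The approach described in the comment above, sketched as an added example; it is not the patch attached to this bug or Firefox code. The `Surface` class, the token scheme and every name except `DelayedCommitHandler` are assumptions made for illustration: the timer callback carries a never-reused token instead of a pointer into the surface, and a global table guarded by one lock decides whether the surface is still valid.

```cpp
#include <cstdint>
#include <map>
#include <mutex>

class Surface;  // hypothetical stand-in for a window surface, not Firefox's class

// Global table of pending delayed commits, keyed by a never-reused token.
static std::mutex gCommitLock;
static std::map<uint64_t, Surface*> gPendingCommits;
static uint64_t gNextToken = 1;

class Surface {
 public:
  ~Surface() { CancelDelayedCommit(); }  // a dying surface leaves the table

  // Registers a pending commit. The timer is handed the token, not a pointer.
  uint64_t ScheduleDelayedCommit() {
    std::lock_guard<std::mutex> lock(gCommitLock);
    if (mToken == 0) {
      mToken = gNextToken++;
      gPendingCommits[mToken] = this;
    }
    return mToken;
  }
  void CancelDelayedCommit() {
    std::lock_guard<std::mutex> lock(gCommitLock);
    if (mToken != 0) gPendingCommits.erase(mToken);
    mToken = 0;
  }
  int CommitCount() const { return mCommits; }

 private:
  friend bool DelayedCommitHandler(uint64_t);
  uint64_t mToken = 0;  // 0 means no delayed commit is pending
  int mCommits = 0;
};

// Timer callback: commits only if the token still maps to a live surface.
// Holding the lock for the whole call keeps the destructor from racing it.
bool DelayedCommitHandler(uint64_t token) {
  std::lock_guard<std::mutex> lock(gCommitLock);
  auto it = gPendingCommits.find(token);
  if (it == gPendingCommits.end()) return false;  // destroyed or cancelled
  Surface* surface = it->second;
  gPendingCommits.erase(it);
  surface->mToken = 0;
  ++surface->mCommits;  // stands in for the real buffer commit
  return true;
}
```

A timer that fires after its surface has been destroyed finds no table entry and returns without touching freed memory, which is the window-close case reported in this bug.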

(In reply to Martin Stránský [:stransky] from comment #8)

Created attachment 9179589 [details]
Bug 1656727 [Wayland] Track delayed commits globally, r?jhorak

Track delayed commits in a global list and don't store them in actual wayland surfaces.
When a delayed commit is called, check that the associated wayland surface is still valid.

This patch causes a popup regression -

Updated with the regression fixed.

Pushed by
[Wayland] Track delayed commits globally, r=jhorak
Closed: 3 years ago
Resolution: --- → FIXED