Closed Bug 1682329 Opened 4 months ago Closed 2 months ago

Crash in [@ mozilla::gfx::CrossProcessPaint::QueueDependencies]

Categories

(Core :: Graphics, defect)

Firefox 85
All
Windows 10
defect

Tracking

()

RESOLVED FIXED
87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- disabled
firefox86 --- disabled
firefox87 --- fixed

People

(Reporter: emilghitta, Assigned: mattwoodrow)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regressionwindow-wanted)

Crash Data

Attachments

(1 file)

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/aaf4c562-3b8b-436d-a095-3304f0201214

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::gfx::CrossProcessPaint::QueueDependencies gfx/ipc/CrossProcessPaint.cpp:374
1 xul.dll static mozilla::gfx::CrossProcessPaint::Start gfx/ipc/CrossProcessPaint.cpp:308
2 xul.dll mozilla::layout::RemotePrintJobParent::RecvProcessPage layout/printing/ipc/RemotePrintJobParent.cpp:130
3 xul.dll mozilla::layout::PRemotePrintJobParent::OnMessageReceived ipc/ipdl/PRemotePrintJobParent.cpp:301
4 xul.dll mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:6710
5 xul.dll mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2077
6 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:739
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
8 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:109
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327

Affected Versions

  • Firefox 85.0a1 (BuildId:20201214091023)

Affected Platforms

  • Windows 10 64bit.

Unaffected Platforms

  • macOS 10.13
  • Ubuntu 20.04

Preconditions

  • Have the following prefs enabled: gfx.webrender.all & fission.autostart

Steps to reproduce

  1. Launch Firefox
  2. Access the following link
  3. Hit CTRL + P in order to open the print preview.
  4. Select the "Save to PDF destination" (I don't think if the destination is relevant. I have managed to reproduce this with OneNote for Windows 10 as well).
  5. Click "Save" or "Print".
  6. Click on "Cancel" while the "Printing..." progress is displayed.

Expected results

  • The print job is canceled successfully and Firefox is stable.

Actual result

  • Firefox crashes.

Regression Range

  • This seems to be a regression. I'll search for this asap.

Additional Notes

  • [Suggested Severity] S2

Update:

This seems to occur only on my main browser profile (tried to reproduce this crash with fresh profiles but failed to do so) Anca just managed to reproduce this issue on a fresh profile. It seem that All print destinations are affected.

  • This is reproducible with both gfx.webrender.all enabled or disabled
  • This is reproducible only with fission.autostart enabled

about:support info (available only with mozilla accounts).

QA Whiteboard: [qa-regression-triage]

Core|Graphics seems like a better fit, given the crash location (gfx/ipc/CrossProcessPaint.cpp). --> reclassifying

The crash address is 0x1a8 (a value near null), for this line

    RefPtr<dom::WindowGlobalParent> wgp =
        browser->GetBrowsingContext()->GetCurrentWindowGlobal();

https://searchfox.org/mozilla-central/rev/8883276967d39918e2ce64e873afdd432fb406ca/gfx/ipc/CrossProcessPaint.cpp#362,374-375

It looks like there's a null-deref happening here, so maybe browser might be null, or maybe browser->GetBrowsingContext() is null.

mattwoodrow, maybe you could take a look? (searchfox blame shows that you did some refactoring in the neighborhood in bug 1662336 a couple months back.)

Component: Layout → Graphics
Flags: needinfo?(matt.woodrow)
Blocks: gfx-triage
Severity: -- → S2
No longer blocks: gfx-triage
Assignee: nobody → matt.woodrow
Status: NEW → ASSIGNED
Flags: needinfo?(matt.woodrow)
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d634fe78018
Null check BrowserParent since it can have gone away mid-screenshot. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Calling this disabled for 86 based on comment 1 (fission only crash)

Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.