Closed Bug 1682858 Opened 3 years ago Closed 3 years ago

Crash in [@ Allocator<T>::realloc]

Categories

(Core :: Graphics: WebRender, defect)

Unspecified
Windows 10
defect

Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox-esr78 --- disabled
firefox84 --- disabled
firefox85 --- disabled
firefox86 --- fixed

People

(Reporter: sg, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/58df6020-9bcf-40c6-a502-e84800201216

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 mozglue.dll static Allocator<MozJemallocBase>::realloc memory/build/malloc_decls.h:53
1 mozglue.dll replace_realloc memory/replace/phc/PHC.cpp:1271
2 xul.dll Texture::allocate gfx/wr/swgl/src/gl.cc:644
3 xul.dll set_tex_storage gfx/wr/swgl/src/gl.cc:1810
4 xul.dll SetTextureBuffer gfx/wr/swgl/src/gl.cc:2521
5 xul.dll swgl::swgl_fns::Context::set_texture_buffer gfx/wr/swgl/src/swgl_fns.rs:394
6 xul.dll webrender_bindings::swgl_bindings::{{impl}}::bind gfx/webrender_bindings/src/swgl_bindings.rs:1467
7 xul.dll webrender::renderer::Renderer::draw_frame gfx/wr/webrender/src/renderer.rs:5979
8 xul.dll webrender::renderer::Renderer::render_impl gfx/wr/webrender/src/renderer.rs:3439
9 xul.dll webrender::renderer::Renderer::update gfx/wr/webrender/src/renderer.rs:2755
Severity: -- → S2

Unfortunately, the crash signature is not very specific here, but all recent occurrences I looked at had similar stacks.

Sometimes the D3D11 compositor fails in BeginFrame due to device errors, which subsequently causes
MapTile to return a null buffer. In turn, this causes swgl_bindings to switch to internal allocation
of the buffer from a previously externally allocated one. We mistakenly kept around the old external
buffer in this case, so that when we go to allocate the internal buffer, it makes us try reallocing
the external one.

The fix for this is rather simple: just make sure cleanup always unconditionally nulls out the
buffer, regardless of where it came from.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/769a8cb9a495
ensure texture buffer is always nulled out when toggling SHOULD_FREE flag. r=jrmuizel
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
No longer blocks: sw-wr-correctness
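
The stale-pointer sequence from the analysis above and the commit message ("nulled out when toggling SHOULD_FREE flag"), as a simplified C model added here for illustration; it is not the swgl code. The struct, the function names and the 64-byte stand-in for the mapped tile are assumptions, and the invalid realloc call is detected rather than executed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (hypothetical names, not the swgl sources): a texture
   whose storage is either heap-owned or borrowed from an external mapping. */
typedef struct {
    char  *buf;
    size_t size;
    bool   should_free;              /* true: buf came from our allocator */
} texture;
typedef void (*cleanup_fn)(texture *);

/* Before: the pointer is only cleared when we own it, so a borrowed
   pointer survives the switch from external to internal storage. */
static void cleanup_buggy(texture *t) {
    if (t->buf && t->should_free) { free(t->buf); t->buf = NULL; t->size = 0; }
}

/* After: free only what we own, but always forget the pointer. */
static void cleanup_fixed(texture *t) {
    if (t->buf && t->should_free) free(t->buf);
    t->buf = NULL; t->size = 0;
}

/* Ownership changes go through cleanup while the old flag is still set. */
static void set_should_free(texture *t, bool flag, cleanup_fn cleanup) {
    if (t->should_free != flag) { cleanup(t); t->should_free = flag; }
}

/* Replays the sequence; returns true if realloc() would receive memory
   the allocator never handed out. The realloc itself is skipped then. */
static bool stale_pointer_reaches_realloc(cleanup_fn cleanup) {
    static char mapped_tile[64];     /* constructed stand-in for a mapped tile */
    texture t = { NULL, 0, true };
    set_should_free(&t, false, cleanup);         /* map succeeded: borrow */
    t.buf = mapped_tile; t.size = sizeof mapped_tile;
    set_should_free(&t, true, cleanup);          /* map failed: go internal */
    if (t.buf == mapped_tile) return true;       /* would be realloc(mapped_tile, n) */
    char *p = realloc(t.buf, 128);               /* buf is NULL: plain allocation */
    if (p) { t.buf = p; t.size = 128; }
    cleanup(&t);                                 /* owned now, so it is freed */
    return false;
}

int main(void) {
    printf("buggy cleanup: stale=%d\n", stale_pointer_reaches_realloc(cleanup_buggy));
    printf("fixed cleanup: stale=%d\n", stale_pointer_reaches_realloc(cleanup_fixed));
    return 0;
}
```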