Closed Bug 1691344 Opened 3 years ago Closed 3 years ago

Crash in [@ CContext::ID3D11DeviceContext_Map_<T>]

Categories

(Core :: Graphics: WebRender, defect, P3)

All
Windows
defect

Tracking

RESOLVED DUPLICATE of bug 1696325
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- disabled
firefox86 --- disabled
firefox87 --- disabled
firefox88 --- fixed

People

(Reporter: aryx, Assigned: sotaro)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

All crashes on Windows 7, >90% with x86 builds. 20-30 crash reports per beta. This started when Software Webrender got activated for Windows and Linux users in early Beta (bug 1689186) => setting status for Firefox 86 as disabled.

Crash report: https://crash-stats.mozilla.org/report/index/bbdef46d-2de6-4224-b97d-70a450210207

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 d3d11.dll static long __stdcall CContext::ID3D11DeviceContext_Map_<3> 
1 xul.dll xul.dll@0x155847a 
2 xul.dll xul.dll@0x155662b 
3 xul.dll xul.dll@0x38ba0f1 
4 xul.dll xul.dll@0x38cd6c9 
5 xul.dll xul.dll@0x4394a6a 
6 xul.dll xul.dll@0x437e713 
7 xul.dll xul.dll@0x437cac2 
8 xul.dll xul.dll@0x156202e 
9 xul.dll xul.dll@0x1561ab9 

Reports seem to have SW-WR enabled. Matt, this looks like something going wrong in the mapping code in RcD3D11SWGL compositor?

Severity: -- → S3
Flags: needinfo?(matt.woodrow)
Priority: -- → P3
Depends on: 1690491
Flags: needinfo?(matt.woodrow)
Crash Signature: [@ CContext::ID3D11DeviceContext_Map_<T>] → [@ CContext::ID3D11DeviceContext_Map_<T>] [@ CContext::TID3D11DeviceContext_Map_<T>]

Is fuzz bug 1603880 crashing in CreateDirect3D11SurfaceFromDXGISurface possibly related to this crash? Both bugs have the same [@ CContext::TID3D11DeviceContext_Map_<T>] crash signature.

Crash Signature: [@ CContext::ID3D11DeviceContext_Map_<T>] [@ CContext::TID3D11DeviceContext_Map_<T>] → [@ CContext::ID3D11DeviceContext_Map_<T>] [@ CContext::TID3D11DeviceContext_Map_<T>]
See Also: → 1603880

It looks like maybe here the context or mStagingTexture is somehow null in some of the crash stacks I am looking at: https://hg.mozilla.org/releases/mozilla-beta/file/c850f93582ef95f2ca5dd2a1f37e3d475fa05cd7/gfx/webrender_bindings/RenderCompositorD3D11SWGL.cpp#l322

At least, the crash address is 0x31, which suggests a read off of something that originally started as a null pointer, for example: https://crash-stats.mozilla.org/report/index/24a9ae43-1c33-4ce3-8f25-664a20210303

Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(matt.woodrow)
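
Added example, not part of the bug thread and not Mozilla or Microsoft code: it shows why a crash address of 0x31 reads as a null pointer plus a field offset, and what a caller-side guard would look like. The struct layout, the function names and `guarded_map` are assumptions made for illustration; this is not the fix that landed in bug 1696325.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout, not the real d3d11.dll object: it only places a
   one-byte field at offset 0x31 to mirror the reported crash address. */
struct fake_resource {
    void   *vtable;
    uint8_t pad[0x31 - sizeof(void *)];
    uint8_t state;                      /* offset 0x31 */
};

/* Address that a read of `state` touches for a given object base. */
uintptr_t state_read_address(uintptr_t base) {
    return base + offsetof(struct fake_resource, state);
}

/* Windows keeps the lowest 64 KiB of the address space inaccessible, so
   a faulting address below this limit points to NULL plus an offset. */
#define NULL_GUARD_LIMIT ((uintptr_t)0x10000)

enum fault_kind { FAULT_NULL_PLUS_OFFSET, FAULT_OTHER };

enum fault_kind classify_fault(uintptr_t fault_addr) {
    return fault_addr < NULL_GUARD_LIMIT ? FAULT_NULL_PLUS_OFFSET
                                         : FAULT_OTHER;
}

/* Hypothetical caller-side guard: report which object is missing
   instead of handing a NULL pointer to code that dereferences it. */
enum map_status { MAP_OK, MAP_NO_CONTEXT, MAP_NO_TEXTURE };

enum map_status guarded_map(const void *context,
                            const struct fake_resource *texture,
                            uint8_t *state_out) {
    if (context == NULL) return MAP_NO_CONTEXT;
    if (texture == NULL) return MAP_NO_TEXTURE;
    *state_out = texture->state;        /* safe: texture was checked */
    return MAP_OK;
}

int main(void) {
    uintptr_t addr = state_read_address(0);    /* NULL base pointer */
    printf("read through NULL base faults at 0x%lx (%s)\n",
           (unsigned long)addr,
           classify_fault(addr) == FAULT_NULL_PLUS_OFFSET
               ? "null plus offset" : "other");
    return 0;
}
```
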

I am going to look into it.

Flags: needinfo?(sotaro.ikeda.g)
Assignee: nobody → sotaro.ikeda.g

The following crash seemed to happen in D3D11YCbCrImage::GetAsSourceSurface().
https://crash-stats.mozilla.org/report/index/5be67fd3-913f-44d6-96a4-b2bc50210208

Depends on: 1696325
Depends on: 1696331
Flags: needinfo?(matt.woodrow)

The CContext::TID3D11DeviceContext_Map_<T> signature happens on Windows 10.

OS: Windows 7 → Windows

Crashes seemed to be addressed on nightly.

Same build as bug 1696325 landed in, nothing else looks interesting to have fixed it.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes