Closed Bug 1730832 Opened 3 months ago Closed 3 months ago

Crash in [@ mozilla::nsDisplayList::PaintRoot]

Categories

(Core :: Layout, defect)

Tracking

RESOLVED FIXED
94 Branch
Fission Milestone MVP
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox92 --- unaffected
firefox93 --- unaffected
firefox94 blocking fixed

People

(Reporter: pascalc, Assigned: smaug)

References

(Regression)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/568ec6fb-d48f-4947-a007-f69370210915

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL mozilla::nsDisplayList::PaintRoot layout/painting/nsDisplayList.cpp:2383
1 XUL nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:3445
2 XUL mozilla::PresShell::Paint layout/base/PresShell.cpp:6382
3 XUL nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:467
4 XUL nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:402
5 XUL nsViewManager::ProcessPendingUpdates view/nsViewManager.cpp:980
6 XUL nsViewManager::WillPaintWindow view/nsViewManager.cpp:633
7 XUL nsView::WillPaintWindow view/nsView.cpp:1051
8 XUL mozilla::widget::PuppetWidget::Paint widget/PuppetWidget.cpp:997
9 XUL mozilla::widget::PuppetWidget::WidgetPaintTask::Run widget/PuppetWidget.cpp:985

Crashes started with build 20210913213224, the crash affects all OSes.
All crashes seem to have Fission enabled.
Changelog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e8a29c8f1e095884077d52166404a854fba86280&tochange=b50ef8e31c4c2dd8993366c68c2f6f87e5a4f68a

The crash hits when nsDocShell::Cast(docShell)->GetColorMatrix(); gets called. There are few backend changes in the regression range: Bug 1728413 touches docShell, as does bug 1727514, but the latter is targeted at documents featuring media elements, which doesn't align with the URLs in the crash reports. I cannot reproduce the crash by visiting e.g. https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial/Drawing_text#a_filltext_example and going back and forward.

Flags: needinfo?(peterv)
See Also: → 1730525
See Also: → 1730630

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #2)

> The crash hits when nsDocShell::Cast(docShell)->GetColorMatrix(); gets called. There are few backend changes in the regression range: Bug 1728413 touches docShell, as does bug 1727514, but the latter is targeted at documents featuring media elements, which doesn't align with the URLs in the crash reports. I cannot reproduce the crash by visiting e.g. https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial/Drawing_text#a_filltext_example and going back and forward.

The fact that bug 1727514 removes a "MOZ_ASSERT(mPresContext->GetContainerWeak())" and GetContainerWeak is one way of getting a docshell from a prescontext makes me think bug 1727514 might be the change to look at.

Flags: needinfo?(peterv) → needinfo?(bugs)
Regressed by: 1727514
QA Whiteboard: [qa-regression-triage]

Olli, this is a top crash on nightly. Given that we don't have a patch yet to fix it, I think we should consider backing out the regressor, wdyt?

QA Whiteboard: [qa-regression-triage]

Possibly yes. This is not a new crash though.

Flags: needinfo?(bugs)

Bug 1727514 was backed out and we haven't seen any crashes since the Nightly respin.

Assignee: nobody → bugs
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch