1750017 - Core dump on Linux Nightly under X11 when moving a window in to become a tab in another window.

Status: RESOLVED FIXED

(Core :: Widget: Gtk, defect, P2)

Description

[Chris Siebenmann]

Reproduction: start Firefox Nightly in a clean profile. Open a second window with Ctrl-N. Grab the titlebar and move the second window to become a tab in the first one. Firefox Nightly dumps core. I am using fvwm on 64-bit Fedora 34 on Intel integrated graphics (i7-8700K) on a 4k display.

Mozregression narrows this to https://hg.mozilla.org/integration/autoland/rev/841415a89add828287f52888deab7c107316f095, which is a commit for bug 1743821 that changes when things are released.

Comment 1

[Chris Siebenmann]

Manually backing out that changeset and building Trunk from source results in a Firefox that doesn't reproduce this problem (the backout is done with hg backout --no-commit 841415a89add828287f52888deab7c107316f095).

Comment 2

[Chris Siebenmann]

Running current Trunk under gdb with run --sync -no-remote (with a clean profile, and trying to turn on the environment variable but having it apparently ignored), I get:

(firefox:1957521): Gdk-ERROR **: 11:32:12.795: The program 'firefox' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 9825 error_code 3 request_code 129 (SHAPE) minor_code 2)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Thread 1 "firefox" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff5a9eb6f in g_log_writer_default () from /lib64/libglib-2.0.so.0
(gdb) where
#0  0x00007ffff5a9eb6f in g_log_writer_default () at /lib64/libglib-2.0.so.0
#1  0x00007ffff5a99f43 in g_log_structured_array () at /lib64/libglib-2.0.so.0
#2  0x00007ffff5a9a143 in g_log_structured_standard ()
    at /lib64/libglib-2.0.so.0
#3  0x00007ffff6323b34 in gdk_x_error.lto_priv () at /lib64/libgdk-3.so.0
#4  0x00007ffff6184a84 in _XError () at /lib64/libX11.so.6
#5  0x00007ffff6184b87 in handle_error () at /lib64/libX11.so.6
#6  0x00007ffff6184c25 in handle_response () at /lib64/libX11.so.6
#7  0x00007ffff61864dd in _XReply () at /lib64/libX11.so.6
#8  0x00007ffff617965f in XSync () at /lib64/libX11.so.6
#9  0x00007ffff61796ff in _XSyncFunction.lto_priv.0 () at /lib64/libX11.so.6
#10 0x00007ffff0a02899 in mozilla::widget::WindowSurfaceX11Image::~WindowSurfaceX11Image() (this=0x7fffb68396a0)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/WindowSurfaceX11Image.cpp:47
#11 mozilla::widget::WindowSurfaceX11Image::~WindowSurfaceX11Image()
    (this=0x7fffb68396a0)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/WindowSurfaceX11Image.cpp:40
#12 0x00007ffff0a00726 in mozilla::widget::WindowSurface::Release()
    (this=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/widget/WindowSurface.h:19
#13 mozilla::RefPtrTraits<mozilla::widget::WindowSurface>::Release(mozilla::widget::WindowSurface*) (aPtr=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:50
#14 RefPtr<mozilla::widget::WindowSurface>::ConstRemovingRefPtrTraits<mozilla::widget::WindowSurface>::Release(mozilla::widget::WindowSurface*)
    (aPtr=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:381
#15 RefPtr<mozilla::widget::WindowSurface>::assign_assuming_AddRef(mozilla::widget::WindowSurface*) (this=0x7fffbaec22a0, aNewPtr=0x0)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:69
#16 RefPtr<mozilla::widget::WindowSurface>::operator=(decltype(nullptr))
    (this=0x7fffbaec22a0)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:168
#17 mozilla::widget::WindowSurfaceProvider::CleanupWindowSurface()
    (this=0x7fffbaec22a0)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/WindowSurfaceProvider.cpp:93
#18 mozilla::widget::WindowSurfaceProvider::~WindowSurfaceProvider()
    (this=0x7fffbaec22a0)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/WindowSurfaceProvider.cpp:59
#19 0x00007ffff09f7daf in mozilla::widget::GtkCompositorWidget::~GtkCompositorWidget() (this=0x7fffbaec2240)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/GtkCompositorWidget.cpp:60
--Type <RET> for more, q to quit, c to continue without paging--
#20 0x00007ffff09fd391 in mozilla::widget::InProcessGtkCompositorWidget::~InProcessGtkCompositorWidget() (this=0x7fffbaec2240)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/InProcessGtkCompositorWidget.h:16
#21 0x00007fffeed4fbc2 in mozilla::widget::CompositorWidget::Release()
    (this=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/widget/CompositorWidget.h:89
#22 mozilla::RefPtrTraits<mozilla::widget::CompositorWidget>::Release(mozilla::widget::CompositorWidget*) (aPtr=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:50
#23 RefPtr<mozilla::widget::CompositorWidget>::ConstRemovingRefPtrTraits<mozilla::widget::CompositorWidget>::Release(mozilla::widget::CompositorWidget*)
    (aPtr=0x7ffff7900020)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:381
#24 RefPtr<mozilla::widget::CompositorWidget>::assign_assuming_AddRef(mozilla::widget::CompositorWidget*) (this=0x7fffb3fdd938, aNewPtr=0x0)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:69
#25 RefPtr<mozilla::widget::CompositorWidget>::operator=(decltype(nullptr))
    (this=0x7fffb3fdd938)
    at /data/code/mozilla-hg/build-objdir/dist/include/mozilla/RefPtr.h:168
#26 mozilla::layers::InProcessCompositorSession::Shutdown()
    (this=0x7fffb3fdd900)
    at /data/code/mozilla-hg/mozilla-central/gfx/ipc/InProcessCompositorSession.cpp:92
#27 0x00007ffff094d6ad in nsBaseWidget::DestroyCompositor() (this=
    0x7fffae3c8000)
    at /data/code/mozilla-hg/mozilla-central/widget/nsBaseWidget.cpp:365
#28 0x00007ffff09b4f89 in nsWindow::Destroy() (this=0x7fffae3c8000)
    at /data/code/mozilla-hg/mozilla-central/widget/gtk/nsWindow.cpp:592
#29 0x00007ffff0942d96 in DestroyWidgetRunnable::Run() (this=0x7fffb1f7cf40)
    at /data/code/mozilla-hg/mozilla-central/view/nsView.cpp:120
#30 0x00007fffedcdbef9 in mozilla::RunnableTask::Run() (this=0x7fffb0f26700)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/TaskController.cpp:468
#31 0x00007fffedcc2840 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)
    (this=this@entry=0x7fffdc473280, aProofOfLock=...)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/TaskController.cpp:771
#32 0x00007fffedcc1919 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)
    (this=this@entry=0x7fffdc473280, aProofOfLock=...)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/TaskController.cpp:607
#33 0x00007fffedcc1b0f in mozilla::TaskController::ProcessPendingMTTask(bool)
    (this=0x7fffdc473280, aMayWait=false)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/TaskController.cpp:39--Type <RET> for more, q to quit, c to continue without paging--
1
#34 0x00007fffedcd7a32 in mozilla::TaskController::InitializeInternal()::$_0::operator()() const (this=<optimized out>)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/TaskController.cpp:124
#35 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() (this=<optimized out>)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/nsThreadUtils.h:531
#36 0x00007fffedccdfc0 in nsThread::ProcessNextEvent(bool, bool*)
    (this=0x7ffff78e4430, aMayWait=<optimized out>, aResult=0x7fffffffc14f)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/nsThread.cpp:1195
#37 0x00007fffedcd2068 in NS_ProcessNextEvent(nsIThread*, bool)
    (aThread=0x7ffff7900020, aThread@entry=0x7ffff78e4430, aMayWait=false)
    at /data/code/mozilla-hg/mozilla-central/xpcom/threads/nsThreadUtils.cpp:467
#38 0x00007fffee3e38e8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffdc452180, aDelegate=0x7ffff788c200)
    at /data/code/mozilla-hg/mozilla-central/ipc/glue/MessagePump.cpp:85
#39 0x00007fffee35ed56 in MessageLoop::RunInternal() (this=0x3)
    at /data/code/mozilla-hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:331
#40 MessageLoop::RunHandler() (this=0x3)
    at /data/code/mozilla-hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:324
#41 MessageLoop::Run() (this=0x3)
    at /data/code/mozilla-hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:306
#42 0x00007ffff0989819 in nsBaseAppShell::Run() (this=0x7fffdc4ca0a0)
    at /data/code/mozilla-hg/mozilla-central/widget/nsBaseAppShell.cpp:137
#43 0x00007ffff222ad07 in nsAppStartup::Run() (this=0x7fffdc137790)
    at /data/code/mozilla-hg/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:295
#44 0x00007ffff231509e in XREMain::XRE_mainRun() (this=this@entry=
    0x7fffffffc480)
    at /data/code/mozilla-hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:5348
#45 0x00007ffff23158b4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)
    (this=this@entry=0x7fffffffc480, argc=argc@entry=3, argv=argv@entry=0x7fffffffd728, aConfig=...)
    at /data/code/mozilla-hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:5533
#46 0x00007ffff2315c0a in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=3, argv=0x3, aConfig=...)
    at /data/code/mozilla-hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:5592
#47 0x000055555557b586 in do_main(int, char**, char**)
    (argc=3, argv=0x7fffffffd728, envp=0x7fffffffd748)
    at /data/code/mozilla-hg/mozilla-central/browser/app/nsBrowserApp.cpp:225
#48 main(int, char**, char**)
    (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffd748)
--Type <RET> for more, q to quit, c to continue without paging--
    at /data/code/mozilla-hg/mozilla-central/browser/app/nsBrowserApp.cpp:395

Comment 3

[Darkspirit]

4 months ago, I could reproduce such a BadWindow XShape crash with GPU process on Nvidia: bug 1730991
From the reports, it seems to occur now even without GPU process and without Nvidia.

Comment 4

[Martin Stránský [:stransky] (ni? me)]

Will look at it on Monday.

Comment 5

[Chris Siebenmann]

If I run the picom or xcompmgr composition managers in my fvwm-based session, this crash doesn't happen. I can start one, run Firefox, have it work, Ctrl-C the program to stop it to revert to the same fvwm environment but without a composition manager, and re-run Firefox and get the crash.

Comment 9

[Martin Stránský [:stransky] (ni? me)]

Attachment: Bug 1750017 [Linux] Don't set shape mask to released drawable, r?lsalzman

Don't clear shape mask with XShapeCombineMask(), it's not needed and target darawable may be already deleted.

Comment 10

[Martin Stránský [:stransky] (ni? me)]

This affects non-compositing screens only.

Comment 11

[Pulsebot]

Pushed by stransky@redhat.com:
https://hg.mozilla.org/integration/autoland/rev/c0f80b6e8df2
[Linux] Don't set shape mask to released drawable, r=lsalzman

Comment 12

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/c0f80b6e8df2

Comment 13

[zlice]

When was/will this be merged ? I ask because https://bugzilla.mozilla.org/show_bug.cgi?id=1749805 is a dupe but I am still getting crashes without any report screen or dump and just had one where I could not interact with my desktop (but saw other windows being updated behind firefox) and had to switch to a terminal session to kill the browser.

Comment 14

[Darkspirit]

Does this crash still occur with https://nightly.mozilla.org?

Comment 15

[zlice]

I'm on 98.0a1 (2022-01-18) (64-bit)

Comment 16

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:stransky, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 17

[Darkspirit]

(In reply to zlice from comment #15)

I'm on 98.0a1 (2022-01-18) (64-bit)

Does the remaining unknown crash still occur after setting media.cubeb.sandbox_v2 to false on about:config and restarting Nightly? (bug 1750810)

Comment 18

[Martin Stránský [:stransky] (ni? me)]

Comment on attachment 9259385 [details]
Bug 1750017 [Linux] Don't set shape mask to released drawable, r?lsalzman

Beta/Release Uplift Approval Request

• User impact if declined: Crashes on X11 on non-compositing screen when window is closed.
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Removed redundant X11 code. It's not needed and causes such crash due to invalid window handle.
• String changes made/needed:

Comment 19

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9259385 [details]
Bug 1750017 [Linux] Don't set shape mask to released drawable, r?lsalzman

Approved for 97.0b7.

Chris, Beta builds with this fix should be available late Sunday/early Monday. If you have a chance, can you please check and see if the crashes are resolved for you after that? Otherwise, a current Nightly build should also have the fix if you wanted to try that out. Thanks!

Comment 20

[Chris Siebenmann]

A personal build made from Trunk no longer has this problem for me (and hasn't for some days). I just pulled and tested the current Nightly and it also seems to be fixed there.

Comment 21

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/1d5456745c20