Open Bug 1756349 Opened 2 years ago Updated 2 years ago

[wayland] More strongly assert MozContainer invariants.

Categories

(Core :: Widget: Gtk, defect)

Tracking

Tracking Status
firefox-esr91 --- unaffected
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- wontfix
firefox100 --- disabled

People

(Reporter: emilio, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

In bug 1754789, Robert mentions that ready_to_draw should never be true if surface is null, however that can happen.

STR:

  • Apply incoming patch.
  • On KWin-on-wayland, open a bunch of tabs.
  • Quickly detach those tabs from the tab bar into their own window.
  • Repeat until Firefox crashes with the following stack:
Assertion failure: wl_container->surface (Should have surface if we're ready to draw), at /home/emilio/src/moz/gecko-4/widget/gtk/MozContainerWayland.cpp:227
#01: moz_container_wayland_frame_callback_handler(void*, wl_callback*, unsigned int) (/home/emilio/src/moz/gecko-4/widget/gtk/MozContainerWayland.cpp:226)
#02: RunnableFunction<void (*)(void*, wl_callback*, unsigned int), mozilla::Tuple<_MozContainer*, std::nullptr_t, int> >::Run() (/home/emilio/src/moz/gecko-4/ipc/chromium/src/base/task.h:325)
#03: mozilla::RunnableTask::Run() (/home/emilio/src/moz/gecko-4/xpcom/threads/TaskController.cpp:468)
#04: mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) (/home/emilio/src/moz/gecko-4/xpcom/threads/TaskController.cpp:770)
#05: mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) (/home/emilio/src/moz/gecko-4/xpcom/threads/TaskController.cpp:0)
#06: mozilla::TaskController::ProcessPendingMTTask(bool) (/home/emilio/src/moz/gecko-4/xpcom/threads/TaskController.cpp:390)
#07: mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() (/home/emilio/src/moz/gecko-4/obj-debug/dist/include/nsThreadUtils.h:532)
#08: nsThread::ProcessNextEvent(bool, bool*) (/home/emilio/src/moz/gecko-4/xpcom/threads/nsThread.cpp:1177)
#09: NS_ProcessNextEvent(nsIThread*, bool) (/home/emilio/src/moz/gecko-4/xpcom/threads/nsThreadUtils.cpp:467)
#10: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/emilio/src/moz/gecko-4/ipc/glue/MessagePump.cpp:85)
#11: MessageLoop::RunInternal() (/home/emilio/src/moz/gecko-4/ipc/chromium/src/base/message_loop.cc:0)
#12: MessageLoop::Run() (/home/emilio/src/moz/gecko-4/ipc/chromium/src/base/message_loop.cc:307)
#13: nsBaseAppShell::Run() (/home/emilio/src/moz/gecko-4/widget/nsBaseAppShell.cpp:139)
#14: nsAppStartup::Run() (/home/emilio/src/moz/gecko-4/toolkit/components/startup/nsAppStartup.cpp:296)
#15: XREMain::XRE_mainRun() (/home/emilio/src/moz/gecko-4/toolkit/xre/nsAppRunner.cpp:5731)
#16: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/home/emilio/src/moz/gecko-4/toolkit/xre/nsAppRunner.cpp:5916)
#17: XRE_main(int, char**, mozilla::BootstrapConfig const&) (/home/emilio/src/moz/gecko-4/toolkit/xre/nsAppRunner.cpp:5975)
#18: main (/home/emilio/src/moz/gecko-4/browser/app/nsBrowserApp.cpp:395)
#19: ??? (/lib64/libc.so.6 + 0x2d590)
#20: __libc_start_main (/lib64/libc.so.6 + 0x2d649)
#21: ??? (/home/emilio/src/moz/gecko-4/obj-debug/dist/bin/firefox + 0x41899)
#22: ??? (???:???)

I also got (only once) a UAF-ish looking crash from this stack:

Stack:
#01: nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*) (/home/emilio/src/moz/gecko-4/toolkit/profile/nsProfileLock.cpp:0)
#02: WasmTrapHandler(int, siginfo_t*, void*) (/home/emilio/src/moz/gecko-4/js/src/wasm/WasmSignalHandlers.cpp:0)
#03: ??? (/lib64/libc.so.6 + 0x42ae0)
#04: ??? (/lib64/libwayland-client.so.0 + 0x6937)
#05: ??? (/lib64/libwayland-client.so.0 + 0x6a15)
#06: wl_proxy_marshal (/lib64/libwayland-client.so.0 + 0xabe9)
#07: mozilla::widget::WindowSurfaceWaylandMB::Commit(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) (/home/emilio/src/moz/gecko-4/widget/gtk/WindowSurfaceWaylandMultiBuffer.cpp:293)
#08: mozilla::widget::WindowSurfaceWaylandMB::Commit(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) (/home/emilio/src/moz/gecko-4/widget/gtk/WindowSurfaceWaylandMultiBuffer.cpp:247)
#09: mozilla::widget::WindowSurfaceProvider::EndRemoteDrawingInRegion(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) (/home/emilio/src/moz/gecko-4/widget/gtk/WindowSurfaceProvider.cpp:169)
#10: mozilla::wr::RenderCompositorSWGL::CommitMappedBuffer(bool) (/home/emilio/src/moz/gecko-4/gfx/webrender_bindings/RenderCompositorSWGL.cpp:240)
#11: mozilla::wr::RenderCompositorSWGL::EndFrame(nsTArray<mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> > const&) (/home/emilio/src/moz/gecko-4/gfx/webrender_bindings/RenderCompositorSWGL.cpp:253)
#12: mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) (/home/emilio/src/moz/gecko-4/gfx/webrender_bindings/RendererOGL.cpp:214)
#13: mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) (/home/emilio/src/moz/gecko-4/gfx/webrender_bindings/RenderThread.cpp:0)
#14: mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) (/home/emilio/src/moz/gecko-4/gfx/webrender_bindings/RenderThread.cpp:385)
#15: mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() (/home/emilio/src/moz/gecko-4/obj-debug/dist/include/nsThreadUtils.h:1203)
#16: nsThread::ProcessNextEvent(bool, bool*) (/home/emilio/src/moz/gecko-4/xpcom/threads/nsThread.cpp:1168)
#17: NS_ProcessNextEvent(nsIThread*, bool) (/home/emilio/src/moz/gecko-4/xpcom/threads/nsThreadUtils.cpp:467)
#18: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (/home/emilio/src/moz/gecko-4/ipc/glue/MessagePump.cpp:0)
#19: MessageLoop::RunInternal() (/home/emilio/src/moz/gecko-4/ipc/chromium/src/base/message_loop.cc:0)
#20: MessageLoop::Run() (/home/emilio/src/moz/gecko-4/ipc/chromium/src/base/message_loop.cc:307)
#21: nsThread::ThreadFunc(void*) (/home/emilio/src/moz/gecko-4/xpcom/threads/nsThread.cpp:391)
#22: _pt_root (/home/emilio/src/moz/gecko-4/nsprpub/pr/src/pthreads/ptthread.c:204)
#23: set_alt_signal_stack_and_start(PthreadCreateParams*) (/home/emilio/src/moz/gecko-4/toolkit/crashreporter/pthread_create_interposer/pthread_create_interposer.cpp:80)
#24: ??? (/lib64/libc.so.6 + 0x910b7)
#25: ??? (/lib64/libc.so.6 + 0x116800)
#26: ??? (???:???)

It seems to me that this dispatch doesn't guarantee that the surface hasn't been already unmapped.
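The hazard described in the report, a frame callback that was queued while the surface existed but runs only after the surface has been unmapped, modelled as an added example. This is not Gecko's MozContainer code; the types and functions (model_container, container_unmap, frame_callback_guarded, the generation counter) are assumptions chosen to illustrate the invariant "ready_to_draw implies surface != NULL" and one way to make a deferred callback refuse to act on a surface that has gone away.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a wl_surface: id 0 would mean "no surface". */
typedef struct {
    int id;
    int commits;              /* how many times the surface was committed */
} model_surface;

/* Hypothetical stand-in for the container; NOT MozContainer. */
typedef struct {
    model_surface *surface;   /* NULL once unmapped */
    bool ready_to_draw;       /* invariant: ready_to_draw implies surface != NULL */
    unsigned generation;      /* bumped on every unmap; tags deferred callbacks */
} model_container;

/* A frame callback that was deferred to the main loop, as in the report's stack. */
typedef struct {
    model_container *container;
    unsigned generation;      /* container generation when the callback was queued */
} deferred_frame_callback;

static bool invariant_holds(const model_container *c) {
    return !c->ready_to_draw || c->surface != NULL;
}

static void container_map(model_container *c, model_surface *s) {
    c->surface = s;
    c->ready_to_draw = false;
}

static void container_unmap(model_container *c) {
    c->surface = NULL;
    c->ready_to_draw = false;  /* clearing both keeps the invariant */
    c->generation++;           /* invalidates every callback queued before now */
}

/* Unguarded handler: sets the flag without checking the surface. Instead of
 * dereferencing NULL (which a real handler would do), it reports failure. */
static bool frame_callback_unguarded(deferred_frame_callback *cb) {
    model_container *c = cb->container;
    c->ready_to_draw = true;
    if (c->surface == NULL) {
        return false;          /* invariant is now broken; real code would crash here */
    }
    c->surface->commits++;
    return true;
}

/* Guarded handler: ignores callbacks queued for a surface that has since been unmapped. */
static bool frame_callback_guarded(deferred_frame_callback *cb) {
    model_container *c = cb->container;
    if (cb->generation != c->generation || c->surface == NULL) {
        return false;          /* stale callback, drop it */
    }
    c->ready_to_draw = true;
    assert(invariant_holds(c));
    c->surface->commits++;
    return true;
}

typedef struct {
    bool handled;       /* did the callback commit anything */
    bool invariant_ok;  /* does the invariant hold after the callback ran */
    int commits;        /* commits seen by the surface */
} scenario_result;

/* Queue a frame callback, optionally unmap before it runs (the detached-tab
 * case from the STR), then run it with the chosen handler. */
static scenario_result run_scenario(bool guarded, bool unmap_before_run) {
    model_surface s = {1, 0};
    model_container c = {NULL, false, 0};
    container_map(&c, &s);
    deferred_frame_callback cb = {&c, c.generation};
    if (unmap_before_run) {
        container_unmap(&c);
    }
    scenario_result r;
    r.handled = guarded ? frame_callback_guarded(&cb) : frame_callback_unguarded(&cb);
    r.invariant_ok = invariant_holds(&c);
    r.commits = s.commits;
    return r;
}

int main(void) {
    scenario_result bad = run_scenario(false, true);
    scenario_result good = run_scenario(true, true);
    printf("unguarded after unmap: handled=%d invariant_ok=%d\n", bad.handled, bad.invariant_ok);
    printf("guarded after unmap:   handled=%d invariant_ok=%d\n", good.handled, good.invariant_ok);
    return 0;
}
```

The generation counter is one of several ways to tie a deferred task to the state it was queued against; the point is that whichever side clears the surface must also clear ready_to_draw (so the invariant is never observably false) and that a callback arriving late must be able to tell it is stale rather than assume the surface still exists.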

Blocks: 1756350

Set release status flags based on info from the regressing bug 1733055

Has Regression Range: --- → yes