Crash in [@ mozilla::detail::MutexImpl::lock | mozilla::layers::RemoteTextureMap::UnregisterTextureConsumer]
Categories
(Core :: Graphics, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox104 | --- | unaffected |
| firefox105 | --- | disabled |
| firefox106 | --- | verified |
People
(Reporter: aryx, Assigned: sotaro)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files, 1 obsolete file)
6 crashes from 3 different installations of Firefox 105.0a1 with oldest build ID 20220804094607. There was an isolated crash instance with 104.0a1 20220718065908
Crash report: https://crash-stats.mozilla.org/report/index/16ccdac5-90d0-4ec2-a6e1-0ba100220804
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 10 frames of crashing thread:
0 libsystem_pthread.dylib pthread_mutex_lock
1 libmozglue.dylib mozilla::detail::MutexImpl::lock mozglue/misc/Mutex_posix.cpp:118
2 XUL mozilla::layers::RemoteTextureMap::UnregisterTextureConsumer gfx/layers/RemoteTextureMap.cpp:284
3 XUL mozilla::layers::WebRenderImageHost::~WebRenderImageHost gfx/layers/wr/WebRenderImageHost.cpp:36
4 XUL mozilla::layers::WebRenderImageHost::~WebRenderImageHost gfx/layers/wr/WebRenderImageHost.cpp:36
5 XUL std::__1::__function::__func<mozilla::layers::WebRenderImageHost::UseRemoteTexture /builds/worker/fetches/clang/include/c++/v1/__functional/function.h:346
6 XUL std::__1::__deque_base<std::__1::pair<mozilla::layers::RemoteTextureId, std::__1::function<void /builds/worker/fetches/clang/include/c++/v1/deque:1231
7 XUL std::__1::__deque_base<std::__1::pair<mozilla::layers::RemoteTextureId, std::__1::function<void /builds/worker/fetches/clang/include/c++/v1/deque:1168
8 XUL std::__1::__tree<std::__1::__value_type<std::__1::pair<int, mozilla::layers::RemoteTextureOwnerId>, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureConsumer, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureConsumer> > >, std::__1::__map_value_compare<std::__1::pair<int, mozilla::layers::RemoteTextureOwnerId>, std::__1::__value_type<std::__1::pair<int, mozilla::layers::RemoteTextureOwnerId>, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureConsumer, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureConsumer> > >, std::__1::less<std::__1::pair<int, mozilla::layers::RemoteTextureOwnerId> >, true>, std::__1::allocator<std::__1::__value_type<std::__1::pair<int, mozilla::layers::RemoteTextureOwnerId>, mozilla::UniquePtr<mozilla::layers::RemoteTextureMap::TextureConsumer, mozilla::DefaultDelete<mozilla::layers::RemoteTextureMap::TextureConsumer> > > > >::destroy /builds/worker/fetches/clang/include/c++/v1/__tree:1803
9 XUL mozilla::layers::RemoteTextureMap::~RemoteTextureMap gfx/layers/RemoteTextureMap.cpp:140
|
||
Comment 1•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220824213405-024f1d0a67a3.
The bug appears to have been introduced in the following build range:
Start: c927b421edc70bbd8b8967aaa00f03356c45a35c (20220726134109)
End: fa22da3375db0f048e217376f6857e9c6b341d20 (20220726134357)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c927b421edc70bbd8b8967aaa00f03356c45a35c&tochange=fa22da3375db0f048e217376f6857e9c6b341d20
|
||
Comment 3•2 years ago
|
||
Set release status flags based on info from the regressing bug 1779681
:lsalzman, since you are the author of the regressor, bug 1779681, could you take a look?
For more information, please visit auto_nag documentation.
|
||
Comment 4•2 years ago
|
||
Sotaro, this looks like a null pointer deref when it is trying to access the RemoteTextureMap's mutex during shutdown?
|
Assignee | |
Comment 5•2 years ago
|
||
Yea, it seems like. I take the bug.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
When the crash happened, RemoteTextureMap held a last reference of WebRenderImageHost. It was weird. The reference by RemoteTextureMap had to be removed during CompositableTransactionParent(WebRenderBridgeParent) shutdown.
There is a case that WebRenderImageHost::OnReleased() is not called during the shutdown. It needs to be addressed.
|
|
Assignee | |
Comment 8•2 years ago
|
||
|
||
Comment 10•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 12•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220827173411-0b115d7382af.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 13•2 years ago
|
||
The patch landed in nightly and beta is affected.
:sotaro, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox105towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 14•2 years ago
|
||
(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #13)
The patch landed in nightly and beta is affected.
:sotaro, is this bug important enough to require an uplift?
No, uplift is not necessary. It is enabled only on nightly.
|
||
Updated•2 years ago
|
Description
•