Closed Bug 1801888 Opened 1 year ago Closed 1 year ago

Crash in [@ nsWindow::Destroy]

Categories

(Core :: Widget: Gtk, defect, P3)

Product:
Core
Component:
Widget: Gtk
Platform:
Desktop
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
109 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- fixed

People

(Reporter: sefeng, Assigned: stransky)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1801888 [Linux] Allow to call nsWindow destructor from other threads if nsWindow is already destroyed r?emilio
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/ecf9c3c1-d605-48fa-850f-4ced00221120

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread())

Top 10 frames of crashing thread:

0  libxul.so  nsWindow::Destroy  widget/gtk/nsWindow.cpp:581
1  libxul.so  nsWindow::~nsWindow  widget/gtk/nsWindow.cpp:456
2  libxul.so  nsWindow::~nsWindow  widget/gtk/nsWindow.cpp:450
3  libxul.so  nsBaseWidget::Release  widget/nsBaseWidget.cpp:132
4  libxul.so  mozilla::RefPtrTraits<nsWindow>::Release  mfbt/RefPtr.h:50
4  libxul.so  RefPtr<nsWindow>::ConstRemovingRefPtrTraits<nsWindow>::Release  mfbt/RefPtr.h:381
4  libxul.so  RefPtr<nsWindow>::~RefPtr  mfbt/RefPtr.h:81
4  libxul.so  mozilla::widget::GtkCompositorWidget::~GtkCompositorWidget  widget/gtk/GtkCompositorWidget.cpp:72
5  libxul.so  mozilla::widget::InProcessGtkCompositorWidget::~InProcessGtkCompositorWidget  widget/gtk/InProcessGtkCompositorWidget.h:16
6  libxul.so  mozilla::widget::CompositorWidget::Release  widget/CompositorWidget.h:90

Looks like we release nsWindow but keep compositor open. Then we delete compositor from compositor thread which also removes the nsWindow but from compositor thread.

Priority: -- → P3

I think the nsWindow is already destroyed but a reference is hold by GtkCompositorWidget() which is deleted by mozilla::Runnable::Release() in Compositor thread.

We may change the assert to ensure the window is actually destroyed in Main thread and nsWindow::~nsWindow called from Compositor only free empty nsWindow shell.

Assignee: nobody → stransky

We can delete nsWindow but reference to it is kept by GtkCompositorWidget and nsWindow destructor may be called from Compositor thread where GtkCompositorWidget may be deleted.
Allow such scenario if nsWindow is already an empty shell and only nsWindow memory is released from Compositor thread.

Pushed by stransky@redhat.com:
https://hg.mozilla.org/integration/autoland/rev/9cb7b98953cd
[Linux] Allow to call nsWindow destructor from other threads if nsWindow is already destroyed r=emilio

https://hg.mozilla.org/mozilla-central/rev/9cb7b98953cd

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox109: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch

The patch landed in nightly and beta is affected.
:stransky, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox108 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(stransky)
status-firefox108: affectedwontfix
Flags: needinfo?(stransky)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: