Closed Bug 1824696 Opened 1 year ago Closed 1 year ago

Crash in [@ nsObserverService::EnsureValidCall | nsObserverService::RemoveObserver | ExpirationTrackerImpl<T>::ExpirationTrackerObserver::Destroy]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- fixed

People

(Reporter: gsvelto, Assigned: sotaro)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1824696 - Initialize gfxGradientCache in GPU process only when remote canvas is enabled
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/77ff61e5-8d01-4012-b0de-d89250230326

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  nsObserverService::EnsureValidCall const  xpcom/ds/nsObserverService.cpp:171
0  libxul.so  nsObserverService::RemoveObserver  xpcom/ds/nsObserverService.cpp:237
1  libxul.so  ExpirationTrackerImpl<mozilla::gfx::GradientCacheData,   xpcom/ds/nsExpirationTracker.h:424
1  libxul.so  ExpirationTrackerImpl<mozilla::gfx::GradientCacheData,   xpcom/ds/nsExpirationTracker.h:145
2  libxul.so  mozilla::gfx::GradientCache::~GradientCache  gfx/thebes/gfxGradientCache.cpp:121
2  libxul.so  mozilla::DefaultDelete<mozilla::gfx::GradientCache>::operator const  mfbt/UniquePtr.h:459
3  libxul.so  mozilla::UniquePtr<mozilla::gfx::GradientCache, mozilla::DefaultDelete<mozilla::gfx::GradientCache> >::reset  mfbt/UniquePtr.h:301
3  libxul.so  mozilla::UniquePtr<mozilla::gfx::GradientCache, mozilla::DefaultDelete<mozilla::gfx::GradientCache> >::~UniquePtr  mfbt/UniquePtr.h:249
3  libxul.so  mozilla::DataMutexBase<mozilla::UniquePtr<mozilla::gfx::GradientCache, mozilla::DefaultDelete<mozilla::gfx::GradientCache> >, mozilla::StaticMutexNameless>::~DataMutexBase  xpcom/threads/DataMutex.h:39
4  libc.so  libc.so@0x47f77

It seems like the GradientCache object is being destroyed in the CanvasRender thread, but the observer service can only be called in the main thread hence the crash. This crash signature was probably hidden in bug 1276919 before we introduced inlined function support to crash reports.

It is weird that GradientCache is destroyed in CanvasRender thread. GradientCache is created in GPUParent::Init() and it is destroyed in CompositorThreadHolder::Shutdown().

And in GPU process, GradientCache is used only by CanvasTranslator for remote canvas in Windows. Android does not use it.

Assignee: nobody → sotaro.ikeda.g
Status: NEW → ASSIGNED
Pushed by sikeda.birchill@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/19e54bc02198
Initialize gfxGradientCache in GPU process only when remote canvas is enabled r=gfx-reviewers,lsalzman

https://hg.mozilla.org/mozilla-central/rev/19e54bc02198

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox113: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

The patch landed in nightly and beta is affected.
:sotaro, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sotaro.ikeda.g)

Set set status-firefox112 to wontfix. Crash frequency is low. And it is still not clear yet how crash happened. The fix just stopped to create gfxGradientCache since gfxGradientCache is not used in GPU process on Android.

status-firefox112: fix-optionalwontfix
Flags: needinfo?(sotaro.ikeda.g)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: