Closed Bug 1828726 Opened 2 years ago Closed 2 years ago

Crash in [@ MacIOSurface::~MacIOSurface]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1827340
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- unaffected
firefox113 --- affected
firefox114 --- affected

People

(Reporter: aryx, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, topcrash)

Crash Data

11 crash reports for Firefox 114 (Nightly) and 113 (Beta) on macOS versions 10.12-10.14.

Crash report: https://crash-stats.mozilla.org/report/index/13535f8f-77fe-4a5e-9656-691f10230418

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(!IsLocked()) (Destroying locked surface)

Top 10 frames of crashing thread:

0  XUL  MacIOSurface::~MacIOSurface  gfx/2d/MacIOSurface.cpp:31
1  XUL  mozilla::detail::RefCounted<MacIOSurface,  const  mfbt/RefCounted.h:255
1  XUL  mozilla::RefPtrTraits<MacIOSurface>::Release  mfbt/RefPtr.h:54
1  XUL  RefPtr<MacIOSurface>::ConstRemovingRefPtrTraits<MacIOSurface>::Release  mfbt/RefPtr.h:420
1  XUL  RefPtr<MacIOSurface>::~RefPtr  mfbt/RefPtr.h:85
1  XUL  RefPtr<MacIOSurface>::~RefPtr  mfbt/RefPtr.h:83
1  XUL  mozilla::wr::RenderMacIOSurfaceTextureHost::~RenderMacIOSurfaceTextureHost  gfx/webrender_bindings/RenderMacIOSurfaceTextureHost.cpp:50
2  XUL  mozilla::wr::RenderMacIOSurfaceTextureHost::~RenderMacIOSurfaceTextureHost  gfx/webrender_bindings/RenderMacIOSurfaceTextureHost.cpp:47
2  XUL  mozilla::wr::RenderMacIOSurfaceTextureHost::~RenderMacIOSurfaceTextureHost  gfx/webrender_bindings/RenderMacIOSurfaceTextureHost.cpp:47
3  XUL  mozilla::wr::RenderTextureHost::Release  gfx/webrender_bindings/RenderTextureHost.h:42

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 desktop browser crashes on Mac on beta

:bhood, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bhood)
Keywords: topcrash
Blocks: wr-mac

Sotaro, is this something you might have any ideas about?

Flags: needinfo?(sotaro.ikeda.g)

MacIOSurface of RenderMacIOSurfaceTextureHost is locked by RenderTextureHostSWGL::UpdatePlanes(). And it is unlocked by RenderTextureHostSWGL::UnlockSWGL(). It is used only wit software WebRender.

Then it seemed that there was a case that locked MacIOSurface was not unlocked.

:lsalzman, do you know if there could be a case that the UnlockSWGL() is not called.

Flags: needinfo?(lsalzman)

This might be similar to Bug 1827340.

Sounds bad, so S2.
+bradwerth

Severity: -- → S2
Flags: needinfo?(bwerth)
Flags: needinfo?(bhood)

I don't know if I can contribute much here. It seems there are only a few ways that we could fail to pair a LockSWGL call with a UnlockSWGL call:

One way this could happen is if, within the WR compositor, we call ExternalImageHandler.lock but don't call 'unlock'. Looking through the callsites it seems like it all matches up, but there's some strangeness. save_capture does a loop followed by a loop over deferred_images, locking in the first loop and unlocking in the second. It's weird, but there's no way for the Vec to change between loops. And in Renderer.prepare_gpu_cache we do our locks on a Vec of frame.deferred_resolves, but then do the unlocks on a HashMap of texture_resolver.external_images which should have all the indices of the deferred_resolves, but it's not validated there. It looks like it checks out, but the safety guarantee is not obvious.

Another way this could happen is if there is a call to set_external_image_handler between the calls to lock and unlock, but I can't find any evidence of such a thing.

Flags: needinfo?(bwerth)

(In reply to Sotaro Ikeda [:sotaro] from comment #5)

This might be similar to Bug 1827340.

Bug 1827340 fix might address the problem.

Flags: needinfo?(sotaro.ikeda.g)

Sotaro, is this possibly related to bug 1812982 too, where we seem to have cases where picture-in-picture causes the same external image to be locked multiple times in a single frame? That seems to at bottom be caused by a RenderBufferTextureHost being created only once for multiple windows using the same image, which screws up all the locking?

Flags: needinfo?(lsalzman)

(In reply to Sotaro Ikeda [:sotaro] from comment #5)

This might be similar to Bug 1827340.

Bug 1827340 seemed to address the problem on beta.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1827340
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.