Crash in [@ mozilla::gfx::MemWriter::write]
Categories
(Core :: Graphics: Canvas2D, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | fixed |
| firefox123 | --- | fixed |
People
(Reporter: aosmond, Assigned: aosmond)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/d10d3586-99cd-42bc-8d64-8a6620231218
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 xul.dll mozilla::gfx::MemWriter::write gfx/2d/RecordedEvent.h:219
0 xul.dll mozilla::gfx::ElementStreamFormat<mozilla::gfx::MemWriter, mozilla::gfx::RecordedEvent::EventType>::Write gfx/2d/RecordingTypes.h:21
0 xul.dll mozilla::gfx::WriteElement gfx/2d/RecordingTypes.h:52
0 xul.dll mozilla::layers::CanvasDrawEventRecorder::WriteInternalEvent gfx/layers/CanvasDrawEventRecorder.cpp:150
0 xul.dll mozilla::layers::CanvasDrawEventRecorder::DropFreeBuffers gfx/layers/CanvasDrawEventRecorder.cpp:234
1 xul.dll mozilla::detail::RunnableMethodArguments<>::apply<nsMemoryReporterManager, nsresult const xpcom/threads/nsThreadUtils.h:1164
1 xul.dll std::invoke /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/type_traits:1524
1 xul.dll std::_Apply_impl /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/tuple:974
1 xul.dll std::apply /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/tuple:979
1 xul.dll mozilla::detail::RunnableMethodArguments<>::apply xpcom/threads/nsThreadUtils.h:1162
|
Assignee | |
Comment 1•2 years ago
|
||
Bug 1869822 landed but we still see this crash signature in nightly.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•2 years ago
|
||
Probably the null pointer is MemWriter::mPtr:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/2d/RecordedEvent.h#219
And mCurrentBuffer.Writer() does still exist:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/CanvasDrawEventRecorder.cpp#150
We know we can initialize it with a nullptr though:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/2d/RecordedEvent.h#252
As used here:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/CanvasDrawEventRecorder.cpp#217
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/CanvasDrawEventRecorder.cpp#223
DropFreeBuffers which triggers all of this could conceivably happen after one of the edge cases above.
|
|
Assignee | |
Comment 3•2 years ago
|
||
This is probably a consequence of bug 1869658 actually, just kicking the crash further down the line.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
If we have no buffer, we have no need to write the drop event, since nothing is supposed to be waiting on it:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/CanvasDrawEventRecorder.cpp#234
|
|
Assignee | |
Comment 5•2 years ago
|
||
The other path of using WriteInternalEvent is guarded checking for the sanity of the buffer:
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/CanvasDrawEventRecorder.cpp#156
|
|
Assignee | |
Comment 6•2 years ago
|
||
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
|
||
Comment 9•2 years ago
|
||
Set release status flags based on info from the regressing bug 1863914
|
||
Comment 10•2 years ago
|
||
:aosmond could you nominate this for a beta uplift?
|
|
Assignee | |
Comment 11•2 years ago
|
||
Comment on attachment 9369266 [details]
Bug 1870681 - Check for invalid buffers when clearing a canvas recorder's cached buffer pool.
Beta/Release Uplift Approval Request
- User impact if declined: Moderate volume content process crash
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Trivial change to avoid writing events to invalid buffers
- String changes made/needed:
- Is Android affected?: No
|
|
||
Comment 12•2 years ago
|
||
Comment on attachment 9369266 [details]
Bug 1870681 - Check for invalid buffers when clearing a canvas recorder's cached buffer pool.
Approved for 122.0b6
|
||
Comment 13•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
Description
•