Closed Bug 1870683 Opened 11 months ago Closed 11 months ago

Crash in [@ mozilla::layers::CanvasTranslator::SetDataSurfaceBuffer]

Categories

(Core :: Graphics: Canvas2D, defect, P3)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
123 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- unaffected
firefox122 --- fixed
firefox123 --- fixed

People

(Reporter: aosmond, Assigned: aosmond)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1870683 - Ensure CanvasChild::EnsureDataSurfaceShmem checks for uninitialized state.
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/ba288d38-04f2-4080-9d08-d90ab0231217

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(mHeader->readerState == State::Paused)

Top 10 frames of crashing thread:

0  xul.dll  mozilla::layers::CanvasTranslator::SetDataSurfaceBuffer  gfx/layers/ipc/CanvasTranslator.cpp:246
1  xul.dll  mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<void*, mozilla::detail::FileHandleDeleter>&&, unsigned long long>::apply<mozilla::layers::CanvasTranslator, void  const  xpcom/threads/nsThreadUtils.h:1213
1  xul.dll  std::invoke  /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/type_traits:1534
1  xul.dll  std::_Apply_impl  /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/tuple:974
1  xul.dll  std::apply  /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/tuple:979
1  xul.dll  mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<void*, mozilla::detail::FileHandleDeleter>&&, unsigned long long>::apply  xpcom/threads/nsThreadUtils.h:1162
1  xul.dll  mozilla::detail::RunnableMethodImpl<mozilla::layers::CanvasTranslator*, void   xpcom/threads/nsThreadUtils.h:1213
2  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1193
2  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:480
3  xul.dll  mozilla::ipc::MessagePumpForNonMainThreads::Run  ipc/glue/MessagePump.cpp:300
Flags: needinfo?(bobowencode)

Bug 1869659 landed to fix this, but we are still seeing some crashes with this signature.

status-firefox121: --- → unaffected
status-firefox122: --- → affected
status-firefox123: --- → affected

I wonder if we hit some sort of race and set the state to Processing when we should have remained Paused?
https://searchfox.org/mozilla-central/rev/91cc8848427fdbbeb324e6ca56a0d08d32d3c308/gfx/layers/ipc/CanvasTranslator.cpp#445

Flags: needinfo?(aosmond)

I believe this has a similar root cause as bug 1869661. We failed to initialize the CanvasChild, and it appears we can in theory create a RecordedTextureData with it and try to read it back.

Assignee: nobody → aosmond
Severity: -- → S3
Flags: needinfo?(bobowencode)
Flags: needinfo?(aosmond)
Priority: -- → P3
Depends on: 1869661

If we fail to create CanvasChild::mRecorder, we shouldn't attempt to
readback a recording surface that never got created.

Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/986bbc7b49b1 Ensure CanvasChild::EnsureDataSurfaceShmem checks for uninitialized state. r=gfx-reviewers,lsalzman
Keywords: regression
Regressed by: 1863914

https://hg.mozilla.org/mozilla-central/rev/986bbc7b49b1

Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox123: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

Set release status flags based on info from the regressing bug 1863914

status-firefox-esr115: --- → unaffected

:aosmond could you nominate this for a beta uplift?

Flags: needinfo?(aosmond)

Maybe this was expected, but the crashes on Nightly have continued even after the patch landed. The assertion is the same, too.

I don't have an explanation for the current crashes.

Looks like bug 1871811 resolved the remaining crashes under this signature.

Comment on attachment 9369279 [details]
Bug 1870683 - Ensure CanvasChild::EnsureDataSurfaceShmem checks for uninitialized state.

Beta/Release Uplift Approval Request

  • User impact if declined: Moderate volume content process crash
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial check to fail if we have a null recorder
  • String changes made/needed:
  • Is Android affected?: No
Flags: needinfo?(aosmond)
Attachment #9369279 - Flags: approval-mozilla-beta?

Comment on attachment 9369279 [details]
Bug 1870683 - Ensure CanvasChild::EnsureDataSurfaceShmem checks for uninitialized state.

Approved for 122.0b6

Attachment #9369279 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: