Crash in [@ mozilla::layers::CanvasTranslator::SetDataSurfaceBuffer]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | unaffected |
| firefox123 | --- | fixed |
People
(Reporter: lorenzofersteam, Assigned: lsalzman)
References
(Regression)
Details
(Keywords: regression)
Crash Data
Attachments
(2 files)
Hi. Started from the Nighlty downloaded the 22 December 2023 (but applied the next day), Firefox started to crash when loading certain sites as youtube (page with video, but not YT main page and it seems not the shorts page), gmail, and some pages on some other sites.
Crash report page link 2 other recent bugs in this component, but fix for that should be already in, and I wasn't affected by the formed crash at all
The difference is that these crashed were reported in Windows, while this is on ArchLinux distribution.
URL that trigger the crash for me : https://www.youtube.com/watch?v=XfTWgMgknpY
(Follow the original autogenerated report from the crash site)
Crash report: https://crash-stats.mozilla.org/report/index/5dfbcd5e-f156-489b-bab8-4a69b0231224
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(mHeader->readerState == State::Paused)
Top 10 frames of crashing thread:
0 libxul.so mozilla::layers::CanvasTranslator::SetDataSurfaceBuffer gfx/layers/ipc/CanvasTranslator.cpp:276
1 libxul.so mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void const xpcom/threads/nsThreadUtils.h:1164
1 libxul.so std::__invoke_impl<void, mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/invoke.h:60
1 libxul.so std::__invoke<mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/invoke.h:95
1 libxul.so std::__apply_impl<mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/tuple:1678
1 libxul.so std::apply<mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/tuple:1687
1 libxul.so mozilla::detail::RunnableMethodArguments<mozilla::UniquePtr<int, mozilla::detail::FileHandleDeleter>&&, unsigned long>::apply<mozilla::layers::CanvasTranslator, void xpcom/threads/nsThreadUtils.h:1162
1 libxul.so mozilla::detail::RunnableMethodImpl<mozilla::layers::CanvasTranslator*, void xpcom/threads/nsThreadUtils.h:1213
2 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1193
2 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:480
|
Reporter | |
Updated•1 year ago
|
|
|
Reporter | |
Comment 1•1 year ago
|
||
Manually installing build 20231221170215, all pages works again
|
|
Reporter | |
Comment 2•1 year ago
|
||
Did a mozregression and got this result:
2023-12-25T14:05:26.401000: INFO : Narrowed integration regression window from [70f0875a, 18ab68ff] (3 builds) to [70f0875a, 92e647ae] (2 builds) (~1 steps left)
2023-12-25T14:05:27.934000: DEBUG : Found commit message:
Bug 1871467 - Remove unnecessary CanvasTranslator locking. r=aosmond CLOSED TREE
Differential Revision: https://phabricator.services.mozilla.com/D197112
2023-12-25T14:05:27.934000: DEBUG : Did not find a branch, checking all integration branches
2023-12-25T14:05:27.936000: INFO : The bisection is done.
2023-12-25T14:05:27.937000: INFO : Stopped
Issue wasn't reproduced with a default prefix, but doing the regression test using the original prefix using the clone method (from mozregression-gui) allow to reproduce. Either it require a good amount of tabs open (I have 2 windows with a lot of tabs each) or an setting or an extensions are required to trig this.
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
:lsalzman, since you are the author of the regressor, bug 1871467, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
|
Reporter | |
Updated•1 year ago
|
|
|
Reporter | |
Comment 4•1 year ago
|
||
I want to say, it's unclear to me if all bug 1871467 changes are backed into a single autoland build, or there is an autoland build for Differential Revisions. Codes seems to suggest the first, and in this case I don't know if the commit reported (removing locking) is the one actually responsible for these issues or one of the 2 other commits.
|
Assignee | |
Comment 5•1 year ago
|
||
It seems that locking has side-effect other than synchronization for
some backends, such as mapping data into readable/writeable memory. We
need to leave the lock calls in place, but so long as we leave
ALLOC_MANUAL_SYNCHRONIZATION in place for D2D, we will avoid created
a KeyedMutex which should still avoid synchronization overheads.
Meanwhile, incidental finding that a bug was caused by 1861605,
meaning KeyedMutexes stopped getting properly initialized in any case.
This fixes that too.
|
||
Updated•1 year ago
|
|
|
||
Comment 6•1 year ago
|
||
Set release status flags based on info from the regressing bug 1871467
|
||
Comment 8•1 year ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 9•1 year ago
|
||
|
||
Comment 10•1 year ago
|
||
|
||
Comment 11•1 year ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•11 months ago
|
Description
•