Crash in [@ geckoservo::glue::Servo_AnimationValue_GetOpacity] from CompositorAnimationStorage::StoreAnimatedValue
Categories
(Core :: CSS Transitions and Animations, defect, P2)
Tracking
| Version | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox135 | --- | unaffected |
| firefox136 | --- | disabled |
| firefox137 | --- | disabled |
| firefox138 | --- | disabled |
| firefox139 | --- | disabled |
People
(Reporter: mccr8, Assigned: boris, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/ddf37614-f990-4119-a7cb-ae01b0250206
Reason:
EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames:
0 xul.dll geckoservo::glue::Servo_AnimationValue_GetOpacity(enum2$<style::properties::g... servo/ports/geckolib/glue.rs:777
1 xul.dll mozilla::layers::CompositorAnimationStorage::StoreAnimatedValue(nsCSSProperty... gfx/layers/CompositorAnimationStorage.cpp:249
2 xul.dll mozilla::layers::CompositorAnimationStorage::SampleAnimations::<lambda_0>::op... gfx/layers/CompositorAnimationStorage.cpp:358
3 xul.dll mozilla::layers::APZCTreeManager::CallWithMapLock(mozilla::layers::Compositor... gfx/layers/apz/src/APZCTreeManager.h:636
3 xul.dll mozilla::layers::APZSampler::CallWithMapLock(mozilla::layers::CompositorAnima... gfx/layers/apz/public/APZSampler.h:115
3 xul.dll mozilla::layers::CompositorAnimationStorage::SampleAnimations(mozilla::layers... gfx/layers/CompositorAnimationStorage.cpp:414
4 xul.dll mozilla::layers::OMTASampler::SampleAnimations(mozilla::TimeStamp const&, moz... gfx/layers/wr/OMTASampler.cpp:128
4 xul.dll mozilla::layers::OMTASampler::Sample(mozilla::wr::TransactionWrapper&) gfx/layers/wr/OMTASampler.cpp:115
4 xul.dll mozilla::layers::OMTASampler::Sample(mozilla::wr::WrWindowId const&, mozilla:... gfx/layers/wr/OMTASampler.cpp:68
4 xul.dll omta_sample(mozilla::wr::WrWindowId, mozilla::wr::Transaction*) gfx/layers/wr/OMTASampler.cpp:245
Null deref, low but steady volume. All of the recent crashes have the same stack.
Crash is here:
SetAnimatedValue(aId, aAnimatedValueEntry,
Servo_AnimationValue_GetOpacity(aAnimationValues[0]));
I'm guessing aAnimationValues[0] is null?
Comment 1 (Reporter) • 8 months ago
Based on crash-stats, it looks like it is a regression in 136, but I only see it in Nightly, so maybe this is related to a Nightly-only feature.
Comment 2 (Reporter) • 8 months ago
First build with this crash is 20250125093830. Here is the regression range for that build, though the volume is low enough it is hard to know if that is the exact build.
Botond, any chance this could be related to bug 1932985? That talks about animation and I see APZ in the stack here. That's in the regression range. Thanks.
Comment 3 • 8 months ago
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Botond, any chance this could be related to bug 1932985?
I don't think so; that bug is about a different kind of animation (APZ animations) than the one this code is concerned with (OMTA animations).
I think this is more likely to be a regression from bug 1817303 ("Enable scroll-driven animations on Nightly"). That landed on 2025-01-24, just before this started appearing, and would have caused the codepaths in CompositorAnimationStorage.cpp that we see in the stack trace to run in new scenarios that haven't been exercised out in the wild before.
Comment 4 (Assignee) • 8 months ago
Is it possible to get any test case for this? Otherwise, an easy way is to check the length of aAnimationValues array first.
I guess we hit this case: https://searchfox.org/mozilla-central/rev/bc00d156c8a5452689cd66cbce30fe10c6594977/gfx/layers/CompositorAnimationStorage.cpp#394, and for some reason we don't have base style in aAnimationValues. This may be a corner case (or perhaps it's fine to avoid storing any animations), and so just skipping it if AnimationValue is empty may be fine.
Comment 5 (Reporter) • 8 months ago
Almost all of the crashes have a URL that starts with something like https://globoplay.globo.com/ which looks like a Brazilian streaming site. I'm not sure if you can access it without a subscription or not.
Comment 6 (Assignee) • 8 months ago
It seems it is possible that we don't have any base style when the reason of
sample result is SampleResult::Reason::ScrollToDelayPhase. If so,
we dump the warning and skip the storing.
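The guard proposed in comments 4 and 6, as an added example in standalone C++. It is not Firefox code and not the patch for this bug: `AnimationStorage`, `StoreOpacity`, `ValueList` and `StoreStatus` are hypothetical stand-ins, and the sketch covers both hypotheses raised in the thread (an empty value list and a null first element).

```cpp
// Simplified model of the guard discussed in this thread. Not Firefox code:
// every type and function name below is a hypothetical stand-in.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

struct AnimationValue { float opacity; };  // stand-in for one sampled value
using ValueList = std::vector<std::shared_ptr<AnimationValue>>;
enum class StoreStatus { Stored, SkippedEmpty, SkippedNull };

class AnimationStorage {
 public:
  // Validates the sampled values before reading element 0, then stores it.
  StoreStatus StoreOpacity(uint64_t id, const ValueList& values) {
    if (values.empty()) {  // comment 4: check the array length first
      Warn("no sampled value (missing base style?)", id);
      return StoreStatus::SkippedEmpty;  // comment 6: warn and skip storing
    }
    if (!values[0]) {  // reporter's guess: element 0 itself is null
      Warn("first sampled value is null", id);
      return StoreStatus::SkippedNull;
    }
    mOpacity[id] = values[0]->opacity;  // safe: element exists and is non-null
    return StoreStatus::Stored;
  }
  bool Has(uint64_t id) const { return mOpacity.count(id) != 0; }
  float Get(uint64_t id) const { return mOpacity.at(id); }

 private:
  static void Warn(const char* what, uint64_t id) {
    std::fprintf(stderr, "WARNING: animation %llu: %s\n",
                 static_cast<unsigned long long>(id), what);
  }
  std::unordered_map<uint64_t, float> mOpacity;
};

int main() {
  AnimationStorage storage;
  // Constructed inputs: a valid sample, an empty list, a list holding null.
  ValueList valid{std::make_shared<AnimationValue>(AnimationValue{0.5f})};
  ValueList empty;
  ValueList holdsNull(1);  // one default-constructed (null) shared_ptr
  storage.StoreOpacity(1, valid);
  storage.StoreOpacity(2, empty);
  storage.StoreOpacity(3, holdsNull);
  std::printf("stored: 1=%d 2=%d 3=%d\n", storage.Has(1), storage.Has(2), storage.Has(3));
}
```

Returning a status instead of silently skipping lets the caller count how often the skip path is taken, which is useful while the root cause of the missing base style is still unknown.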
Comment 7 (Assignee) • 8 months ago
(In reply to Andrew McCreight [:mccr8] from comment #5)
> Almost all of the crashes have a URL that starts with something like
> https://globoplay.globo.com/ which looks like a Brazilian streaming site. I'm not sure if you can access it without a subscription or not.
Thanks. Let me try a simple error handling patch to avoid this crash.
Comment 8 • 8 months ago
The severity field is not set for this bug.
:emilio, could you have a look please?
For more information, please visit BugBot documentation.
Comment 9 • 7 months ago
(In reply to Botond Ballo [:botond] from comment #3)
> I think this is more likely to be a regression from bug 1817303 ("Enable scroll-driven animations on Nightly")
Based on this^ (and observed recent crash volume which includes 136 nightly, 137 nightly, and 138 nightly but no crashes on any beta/release versions), I think we can assume that this^ assessment is correct and this is scroll-driven-animations (or another recently-added pref-controlled feature that's got a nightly-only guard).
--> 137:disabled, 138:affected
Comment 10 • 26 days ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
:boris, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 11 (Assignee) • 26 days ago
(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #10)
> The bug is linked to a topcrash signature, which matches the following criterion:
> - Top 10 desktop browser crashes on nightly
> :boris, could you consider increasing the severity of this top-crash bug?
> For more information, please visit BugBot documentation.
Keep S3 for now. Scroll driven animations is in our top priority next year so we will handle this soon.
If this is still top crash in the following versions, we could revisit this earlier.
Comment 12 • 15 days ago
I got this crash: https://crash-stats.mozilla.org/report/index/5ada49cd-7a28-4f50-abdd-5eda10251014#tab-bugzilla
100% repro STR:
- Go to https://eloverblik.dk/
- Click on the big green button that says "Log in"
- Boom.
The site is from bug 1929723.