Closed Bug 2000419 Opened 6 months ago Closed 6 months ago

Crash in [@ libgdk-3.so.0] [@ gdk_window_get_position ]

Categories

(Core :: Widget: Gtk, defect)

Product:
Core
Component:
Widget: Gtk
Version:
Firefox 147
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
147 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox145 --- unaffected
firefox146 --- unaffected
firefox147 --- fixed

People

(Reporter: matt.fagnani, Unassigned)

References

(Regression)

Details

(Keywords: regression)

Crash Data

I ran Firefox 147.0a1 20251115204042 on Wayland in Plasma 6.5.2 in a Fedora 43 KDE installation. I had previously enabled the menu bar. I loaded two sites in two tabs. I clicked and held the first tab in the tab bar, and I tried to drag and drop it to the right of the second tab to switch their order. Firefox crashed, which the trace showed as in libgdk-3.so.0@0x22e4f. Using gdb /usr/lib64/libgdk-3.so.0, that address appeared to be in gdk_window_get_position.

(gdb) l *0x22e4f
0x22e4f is in gdk_window_get_position (../gdk/gdkwindow.c:2407).
2402 void
2403 gdk_window_get_position (GdkWindow *window,
2404 gint *x,
2405 gint *y)
2406 {
2407 g_return_if_fail (GDK_IS_WINDOW (window));
2408
2409 if (x)
2410 *x = window->x;
2411 if (y)

This was the first such crash I've seen.

Crash report: https://crash-stats.mozilla.org/report/index/f799d6fc-35f4-4962-b6fb-ed9bf0251116

Reason:

SIGSEGV / SI_KERNEL

Top 10 frames:

0  libgdk-3.so.0  libgdk-3.so.0@0x22e4f
1  libxul.so  nsWindow::RecomputeBoundsWayland(bool)::$_0::operator()(_GdkWindow*) const  widget/gtk/nsWindow.cpp:3478
1  libxul.so  nsWindow::RecomputeBoundsWayland(bool)  widget/gtk/nsWindow.cpp:3485
2  libxul.so  nsWindow::RecomputeBounds(bool, bool)  widget/gtk/nsWindow.cpp:3535
3  libxul.so  nsWindow::MaybeRecomputeBounds()  widget/gtk/nsWindow.cpp:4353
4  libxul.so  nsWindow::OnExposeEvent(_cairo*)  widget/gtk/nsWindow.cpp:4088
5  libxul.so  draw_window_of_widget(_GtkWidget*, _GdkWindow*, _cairo*)  widget/gtk/nsWindow.cpp:8187
5  libxul.so  expose_event_cb(_GtkWidget*, _cairo*)  widget/gtk/nsWindow.cpp:8195
6  libgtk-3.so.0  libgtk-3.so.0@0x1abc9
7  libgtk-3.so.0  libgtk-3.so.0@0x2e0ed5
Crash Signature: [@ libgdk-3.so.0 ] [@ gdk_window_get_position ]
See Also: → 2000425
Summary: Crash in [@ libgdk-3.so.0] → Crash in [@ libgdk-3.so.0] [@ gdk_window_get_position ]

This type of crash happened also when a tab is dragged and dropped up or down to create a new window, and it seemed to happen about 50% of the time. When dragging the first tab right, the crash happened when the first tab was over the second tab, and it happened around 30-50% of the time. The problem seemed to start with 147.0a1 20251115204042 and didn't happen with 147.0a1 20251115092723. I bisected the problem to three patches for Bug 1998657. I couldn't tell which trace of this and Bug 2000425 was involved at each step since mozregression didn't show the crash reporter.

5:43.89 INFO: No more integration revisions, bisection finished.
5:43.89 INFO: Last good revision: 061e248612b319d078264101896a04a39fce80fb
5:43.89 INFO: First bad revision: 140faab7b8ed77bd14823ef49b958faf42daba12
5:43.89 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=061e248612b319d078264101896a04a39fce80fb&tochange=140faab7b8ed77bd14823ef49b958faf42daba12

Keywords: regression
Regressed by: 1998657

:stransky, since you are the author of the regressor, bug 1998657, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(stransky)

I reproduced this in the ASan build of 147.0a1 20251116092356 by dragging the first tab right to try to switch the tab order which had the same type of trace with the gtk, glib, and glibc functions and lines shown.

JavaScript error: , line 0: uncaught exception: SessionFileInternal.getWriter() called too early! Please read the session file from disk first.
JavaScript error: resource://gre/modules/PromiseWorker.sys.mjs, line 75: Error: Could not get children of /home/matt/.cache/mozilla/firefox/mj65s2ao.default-release/thumbnails': directory does not exist (NS_ERROR_FILE_NOT_FOUND) JavaScript warning: resource://gre/modules/Troubleshoot.sys.mjs, line 723: WebGL context was lost. JavaScript warning: resource://gre/modules/Troubleshoot.sys.mjs, line 723: WebGL context was lost. JavaScript error: resource://gre/modules/PromiseWorker.sys.mjs, line 75: Error: Could not get children of /home/matt/.cache/mozilla/firefox/mj65s2ao.default-release/thumbnails': directory does not exist (NS_ERROR_FILE_NOT_FOUND)
AddressSanitizer:DEADLYSIGNAL

==40293==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000b4b80 (pc 0x7baf0d32fe4f bp 0x7ffc6849f690 sp 0x7ffc6849f670 T0)
==40293==The signal is caused by a READ memory access.
#0 0x7baf0d32fe4f in gdk_window_get_position /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:2407:3
#1 0x7baefcf17598 in operator() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:3478:5
#2 0x7baefcf17598 in nsWindow::RecomputeBoundsWayland(bool) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:3485:17
#3 0x7baefcf18054 in nsWindow::RecomputeBounds(bool, bool) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:3535:5
#4 0x7baefcf21fac in nsWindow::MaybeRecomputeBounds() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:4353:5
#5 0x7baefcf1f25f in nsWindow::OnExposeEvent(_cairo*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:4088:3
#6 0x7baefcf45c54 in draw_window_of_widget(_GtkWidget*, _GdkWindow*, _cairo*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8187:15
#7 0x7baefcf40327 in expose_event_cb(_GtkWidget*, _cairo*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8195:3
#8 0x7baf09c1abc9 in _gtk_marshal_BOOLEAN__BOXED /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/gtk/gtkmarshalers.c:84:14
#9 0x7baf09ee0ed5 in _gtk_marshal_BOOLEAN__BOXED /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/gtk/gtkmarshalers.c:70:3
#10 0x7baf09ee0ed5 in gtk_widget_draw_marshaller /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:953:3
#11 0x7faf0eb2bc3b in g_closure_invoke /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:916:7
#12 0x7faf0eb4a279 in signal_emit_unlocked_R /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3903:8
#13 0x7faf0eb4ba8b in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3548:7
#14 0x7faf0eb4c527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
#15 0x7faf0eb4c5e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
#16 0x7baf09ef0f98 in gtk_widget_draw_internal /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:7084:11
#17 0x7baf09ca1d7e in gtk_container_propagate_draw /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkcontainer.c:3854:3
#18 0x7baf09ca1e9b in gtk_container_draw /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkcontainer.c:3674:7
#19 0x7baf09ef0e7a in gtk_widget_draw_internal /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:7091:11
#20 0x7baf09ca1d7e in gtk_container_propagate_draw /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkcontainer.c:3854:3
#21 0x7baf09ca1e9b in gtk_container_draw /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkcontainer.c:3674:7
#22 0x7baf09ef0e7a in gtk_widget_draw_internal /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:7091:11
#23 0x7baf09eff26f in gtk_widget_render /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:17628:3
#24 0x7baf09d8b952 /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkmain.c:1847:9
#25 0x7baf09d8b952 in gtk_main_do_event /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkmain.c:1694:1
#26 0x7baf0d31f0b6 in _gdk_event_emit /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkevents.c:73:6
#27 0x7baf0d31f0b6 in _gdk_event_emit /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkevents.c:67:1
#28 0x7baf0d33125d in _gdk_window_process_updates_recurse_helper /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:3874:7
#29 0x7baf0d336bd3 in gdk_window_process_updates_internal /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4020:11
#30 0x7baf0d336df0 in gdk_window_process_updates_with_mode /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4215:11
#31 0x7baf0d336df0 in gdk_window_process_updates_with_mode /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4186:1
#32 0x7faf0eb4c411 in _g_closure_invoke_va /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:980:7
#33 0x7faf0eb4c411 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3439:8
#34 0x7faf0eb4c527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
#35 0x7faf0eb4c5e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
#36 0x7baf0d32cb77 in _gdk_frame_clock_emit_paint /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkframeclock.c:657:3
#37 0x7baf0d32cb77 in gdk_frame_clock_paint_idle /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkframeclockidle.c:597:19
#38 0x7baf0d31899e in gdk_threads_dispatch /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdk.c:769:11
#39 0x7baf0a36444a /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:5298:15
#40 0x7baf0a35e2a2 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:3565:28
#41 0x7baf0a35e2a2 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4425:7
#42 0x7baf0a3671f7 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4490:5
#43 0x7baf0a3673a2 in g_main_context_iteration /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4556:12
#44 0x7baefd02e8bd in nsAppShell::ProcessNextNativeEvent(bool) /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:577:26
#45 0x7baefce465d8 in DoProcessNextNativeEvent /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:135:17
#46 0x7baefce465d8 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:254:19
#47 0x7baefce4701c in non-virtual thunk to nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp
#48 0x7baef30094f1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1103:10
#49 0x7baef3014918 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#50 0x7baef4538629 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7baef44440d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:368:10
#52 0x7baef44440d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#53 0x7baef44440d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#54 0x7baefce45ee6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
#55 0x7baefd02e65b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
#56 0x7baefed5d525 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:290:30
#57 0x7baefefdb77f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5920:22
#58 0x7baefefdd0d2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6175:8
#59 0x7baefefde183 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6248:21
#60 0x55e3d6996b44 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:268:22
#61 0x55e3d6996b44 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:532:16
#62 0x7faf0f6085b4 in __libc_start_call_main /usr/src/debug/glibc-2.42-4.fc43.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#63 0x7faf0f608667 in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.42-4.fc43.x86_64/csu/../csu/libc-start.c:360:3
#64 0x55e3d68b0898 in _start (/tmp/firefox/firefox+0xc0898) (BuildId: 679844c1d205f0554c3a1b6cc9cef60c87c79da1)

==40293==Register values:
rax = 0x00000000000b4b80 rbx = 0x00007cef0efe9a40 rcx = 0x00000f7661ae96e5 rdx = 0x00007baf0d78b724
rdi = 0x00007cef0efe9a40 rsi = 0x00007c2f0e9ecca0 rbp = 0x00007ffc6849f690 rsp = 0x00007ffc6849f670
r8 = 0x00000f75e1af16e4 r9 = 0x0000000000000000 r10 = 0x00000f75e1af16e5 r11 = 0x0000000000000000
r12 = 0x00007baf0d78b724 r13 = 0x00007baf0d78b720 r14 = 0x00007baf0d78b720 r15 = 0x00007baf0d78b700
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:2407:3 in gdk_window_get_position
==40293==ABORTING
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.

The bug has a crash signature, thus the bug will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 6 months ago
status-firefox145: --- → unaffected
status-firefox146: --- → unaffected
status-firefox147: --- → fixed
status-firefox-esr115: --- → unaffected
status-firefox-esr140: --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch
Flags: needinfo?(stransky)
You need to log in before you can comment on or make changes to this bug.