Crash in [@ libgdk-3.so.0] [@ gdk_window_invalidate_rect_full]
Categories: Core :: Widget: Gtk, defect
| Release | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox145 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | fixed |
People: matt.fagnani (Reporter), Unassigned
References: Regression
Details: Keywords: regression, topcrash
I ran Firefox 147.0a1 20251115204042 on Wayland in Plasma 6.5.2 in a Fedora 43 KDE installation. I had previously enabled the menu bar. I loaded two sites in two tabs. I clicked and held the first tab in the tab bar, and I tried to drag and drop it to the right of the second tab to switch their order. Firefox crashed, which the trace showed as in libgdk-3.so.0@0x28402. Using gdb /usr/lib64/libgdk-3.so.0, that address appeared to be in gdk_window_invalidate_rect_full.
```
(gdb) l *0x28402
0x28402 is in gdk_window_invalidate_rect_full (../gdk/gdkwindow.c:4259).
4254                                 gboolean invalidate_children)
4255 {
4256   GdkRectangle window_rect;
4257   cairo_region_t *region;
4258
4259   g_return_if_fail (GDK_IS_WINDOW (window));
4260
4261   if (GDK_WINDOW_DESTROYED (window))
4262     return;
4263
```
I saw a crash Bug 2000419 which happened in the same way, but with a different trace. The crash address was 0xe5e5e5e5e5e5e5e5 so the memory might've been freed.
Crash report: https://crash-stats.mozilla.org/report/index/baca14b5-bef2-4de5-bfd9-db5180251116
Reason: SIGSEGV / SI_KERNEL

Top 10 frames:

```
0 libgdk-3.so.0 libgdk-3.so.0@0x28402
1 libxul.so nsWindow::OnContainerSizeAllocate(_cairo_rectangle_int*) widget/gtk/nsWindow.cpp:4330
2 libxul.so size_allocate_cb(_GtkWidget*, _cairo_rectangle_int*) widget/gtk/nsWindow.cpp:8226
3 libgobject-2.0.so.0 libgobject-2.0.so.0@0x6c3b
4 libgobject-2.0.so.0 libgobject-2.0.so.0@0x25854
5 libgobject-2.0.so.0 libgobject-2.0.so.0@0x272b5
6 libgobject-2.0.so.0 libgobject-2.0.so.0@0x27527
7 libgobject-2.0.so.0 libgobject-2.0.so.0@0x275e2
8 libgtk-3.so.0 libgtk-3.so.0@0x2f0275
9 libgtk-3.so.0 libgtk-3.so.0@0x311648
```
Updated by Reporter • 6 months ago

Comment 1 • Reporter • 6 months ago
This type of crash also happened when a tab was dragged and dropped up or down to create a new window, and it seemed to happen about 50% of the time. When dragging the first tab right, the crash happened when the first tab was over the second tab, and it happened around 30-50% of the time. The problem seemed to start with 147.0a1 20251115204042 and didn't happen with 147.0a1 20251115092723. I bisected the problem to three patches for Bug 1998657. I couldn't tell which trace of this and Bug 2000419 was involved at each step since mozregression didn't show the crash reporter.
```
5:43.89 INFO: No more integration revisions, bisection finished.
5:43.89 INFO: Last good revision: 061e248612b319d078264101896a04a39fce80fb
5:43.89 INFO: First bad revision: 140faab7b8ed77bd14823ef49b958faf42daba12
5:43.89 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=061e248612b319d078264101896a04a39fce80fb&tochange=140faab7b8ed77bd14823ef49b958faf42daba12
```
Comment 2 • 6 months ago
:stransky, since you are the author of the regressor, bug 1998657, could you take a look?
For more information, please visit BugBot documentation.
Comment 3 • Reporter • 6 months ago
I reproduced this in the ASan build of 147.0a1 20251116092356 by dragging the first tab up to try to open a new window which had the same type of trace with the gtk, glib, and glibc functions and lines shown.
```
AddressSanitizer:DEADLYSIGNAL
==40024==ERROR: AddressSanitizer: SEGV on unknown address 0x000000095899 (pc 0x7b4235425402 bp 0x7ffd78576390 sp 0x7ffd78576350 T0)
==40024==The signal is caused by a READ memory access.
    #0 0x7b4235425402 in gdk_window_invalidate_rect_full /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4259:3
    #1 0x7b4224fd411b in nsWindow::OnContainerSizeAllocate(_cairo_rectangle_int*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:4330:5
    #2 0x7b4224ff00b5 in size_allocate_cb(_GtkWidget*, _cairo_rectangle_int*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8226:11
    #3 0x7b42353a3c3b in g_closure_invoke /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:916:7
    #4 0x7b42353c2854 in signal_emit_unlocked_R /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3976:8
    #5 0x7b42353c42b5 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3535:7
    #6 0x7b42353c4527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
    #7 0x7b42353c45e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
    #8 0x7b4231ef0275 in gtk_widget_size_allocate_with_baseline /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:6184:5
    #9 0x7b4231f11648 in gtk_window_size_allocate /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwindow.c:7962:5
    #10 0x7b42353a3b6e in g_closure_invoke /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:916:7
    #11 0x7b42353c23b0 in signal_emit_unlocked_R /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3736:7
    #12 0x7b42353c42b5 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3535:7
    #13 0x7b42353c4527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
    #14 0x7b42353c45e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
    #15 0x7b4231ef0275 in gtk_widget_size_allocate_with_baseline /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:6184:5
    #16 0x7b4231f11648 in gtk_window_size_allocate /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwindow.c:7962:5
    #17 0x7b42353a3c3b in g_closure_invoke /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:916:7
    #18 0x7b42353c23b0 in signal_emit_unlocked_R /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3736:7
    #19 0x7b42353c42b5 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3535:7
    #20 0x7b42353c4527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
    #21 0x7b42353c45e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
    #22 0x7b4231ef0275 in gtk_widget_size_allocate_with_baseline /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwidget.c:6184:5
    #23 0x7b4231f12b64 in gtk_window_move_resize /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkwindow.c:10191:7
    #24 0x7b42353c4411 in _g_closure_invoke_va /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:980:7
    #25 0x7b42353c4411 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3439:8
    #26 0x7b42353c4527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
    #27 0x7b42353c45e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
    #28 0x7b4231c9c4f7 in gtk_container_idle_sizer /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gtk/gtkcontainer.c:2066:7
    #29 0x7b42353c4411 in _g_closure_invoke_va /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:980:7
    #30 0x7b42353c4411 in signal_emit_valist_unlocked /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3439:8
    #31 0x7b42353c4527 in g_signal_emit_valist /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3278:7
    #32 0x7b42353c45e2 in g_signal_emit /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gsignal.c:3598:3
    #33 0x7b423541cb08 in _gdk_frame_clock_emit_layout /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkframeclock.c:651:3
    #34 0x7b423541cb08 in gdk_frame_clock_paint_idle /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkframeclockidle.c:575:19
    #35 0x7b423540899e in gdk_threads_dispatch /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdk.c:769:11
    #36 0x7b423236444a /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:5298:15
    #37 0x7b423235e2a2 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:3565:28
    #38 0x7b423235e2a2 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4425:7
    #39 0x7b42323671f7 /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4490:5
    #40 0x7b42323673a2 in g_main_context_iteration /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../glib/gmain.c:4556:12
    #41 0x7b42250de8bd in nsAppShell::ProcessNextNativeEvent(bool) /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:577:26
    #42 0x7b4224ef65d8 in DoProcessNextNativeEvent /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:135:17
    #43 0x7b4224ef65d8 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:254:19
    #44 0x7b4224ef701c in non-virtual thunk to nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp
    #45 0x7b421b0b94f1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1103:10
    #46 0x7b421b0c4918 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
    #47 0x7b421c5e8629 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #48 0x7b421c4f40d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:368:10
    #49 0x7b421c4f40d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
    #50 0x7b421c4f40d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
    #51 0x7b4224ef5ee6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
    #52 0x7b42250de65b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
    #53 0x7b4226e0d525 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:290:30
    #54 0x7b422708b77f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5920:22
    #55 0x7b422708d0d2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6175:8
    #56 0x7b422708e183 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6248:21
    #57 0x559971fdbb44 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:268:22
    #58 0x559971fdbb44 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:532:16
    #59 0x7f42376e05b4 in __libc_start_call_main /usr/src/debug/glibc-2.42-4.fc43.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #60 0x7f42376e0667 in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.42-4.fc43.x86_64/csu/../csu/libc-start.c:360:3
    #61 0x559971ef5898 in _start (/tmp/firefox/firefox+0xc0898) (BuildId: 679844c1d205f0554c3a1b6cc9cef60c87c79da1)
==40024==Register values:
rax = 0x0000000000095899 rbx = 0x00007c8236aa6a40 rcx = 0x0000000000000017 rdx = 0x0000000000000000
rdi = 0x00007c8236aa6a40 rsi = 0x00007bc2369ecd20 rbp = 0x00007ffd78576390 rsp = 0x00007ffd78576350
r8 = 0x00007ce2374e54b4 r9 = 0x00000f6846aa7940 r10 = 0xf9f9f901f9f9f901 r11 = 0x00007f4237d37180
r12 = 0x00007b423579bca0 r13 = 0x00007ce2374e54b4 r14 = 0x0000000000000000 r15 = 0x00007ce2374e5280
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4259:3 in gdk_window_invalidate_rect_full
==40024==ABORTING
Exiting due to channel error.
```
I've seen crashes in libgdk-3.so.0@0x28402 / gdk_window_invalidate_rect_full happening in the same ways which had different traces below frame 0 like in https://crash-stats.mozilla.org/report/index/7c798256-b29f-425d-9f30-b8db80251116
```
0 libgdk-3.so.0 libgdk-3.so.0@0x28402 context
1 libxul.so mozilla::widget::WindowSurfaceCairo::Commit(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&)::$_0::operator()() const widget/gtk/WindowSurfaceCairo.cpp:68 inlined
1 libxul.so mozilla::detail::RunnableFunction<mozilla::widget::WindowSurfaceCairo::Commit(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&)::$_0>::Run() xpcom/threads/nsThreadUtils.h:549 frame_pointer
2 libxul.so mozilla::RunnableTask::Run() xpcom/threads/TaskController.cpp:705 inlined
2 libxul.so mozilla::TaskController::RunTask(mozilla::Task*) xpcom/threads/TaskController.cpp:196 inlined
2 libxul.so mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:1325 inlined
2 libxul.so mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:1148 cfi
3 libxul.so mozilla::TaskController::ProcessPendingMTTask(bool) xpcom/threads/TaskController.cpp:641 cfi
4 libxul.so mozilla::TaskController::TaskController()::$_1::operator()() const xpcom/threads/TaskController.cpp:336 inlined
4 libxul.so mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() xpcom/threads/nsThreadUtils.h:549 inlined
4 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1164 inlined
4 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:461 cfi
5 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:107 cfi
6 libxul.so MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:368 inlined
6 libxul.so MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:361 inlined
6 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:343 inlined
6 libxul.so nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:152 cfi
7 libxul.so nsAppShell::Run() widget/gtk/nsAppShell.cpp:555 cfi
8 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:290 cfi
9 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5920 cfi
10 libxul.so XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:6175 cfi
11 libxul.so XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:6248 cfi
12 firefox-bin do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:268 inlined
12 firefox-bin main browser/app/nsBrowserApp.cpp:532 cfi
Ø 13 libc.so.6 libc.so.6@0x35b4 cfi
Ø 14 libc.so.6 libc.so.6@0x3667 frame_pointer
15 firefox-bin mozilla::PrintfTarget::cvt_ll(long, int, int, int, int, int, char const*) mozglue/misc/Printf.cpp inlined
15 firefox-bin mozilla::PrintfTarget::appendIntDec(long) mozglue/misc/Printf.cpp:217 scan
16 firefox-bin _start cfi
```
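A small triage helper for ASan SEGV reports like the one in comment 3, added here as an example and not part of this bug or of Mozilla's code: it pulls out the faulting address, access type and symbolised frames, finds the first Gecko frame below the GTK/GLib ones, and flags an address made of 0xe5 bytes (the value the reporter saw in Bug 2000419) as mozjemalloc free poison. The sample input is a constructed, abridged copy of the report above, and the `/gecko/` path marker is an assumption based on the build paths it shows.

```python
import re
from collections import namedtuple

# Constructed excerpt of the ASan report in comment 3, abridged to the frames that matter.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==40024==ERROR: AddressSanitizer: SEGV on unknown address 0x000000095899 (pc 0x7b4235425402 bp 0x7ffd78576390 sp 0x7ffd78576350 T0)
==40024==The signal is caused by a READ memory access.
    #0 0x7b4235425402 in gdk_window_invalidate_rect_full /usr/src/debug/gtk3-3.24.51-2.fc43.x86_64/redhat-linux-build/../gdk/gdkwindow.c:4259:3
    #1 0x7b4224fd411b in nsWindow::OnContainerSizeAllocate(_cairo_rectangle_int*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:4330:5
    #2 0x7b4224ff00b5 in size_allocate_cb(_GtkWidget*, _cairo_rectangle_int*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8226:11
    #3 0x7b42353a3c3b in g_closure_invoke /usr/src/debug/glib2-2.86.1-5.fc43.x86_64/redhat-linux-build/../gobject/gclosure.c:916:7
"""

FAULT_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# "#N 0xADDR in FUNC PATH:LINE[:COL]"; FUNC may contain spaces, PATH may not.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+(?:\s+in\s+(.+?))?\s+(\S+?):(\d+)(?::\d+)?\s*$")

# One symbolised stack frame; unsymbolised frames get function "??".
Frame = namedtuple("Frame", "index function path line")

def parse_asan_segv(text):
    """Return {'fault_addr', 'access', 'frames'} from an ASan DEADLYSIGNAL report."""
    fault = FAULT_RE.search(text)
    access = ACCESS_RE.search(text)
    frames = [Frame(int(m.group(1)), m.group(2) or "??", m.group(3), int(m.group(4)))
              for m in map(FRAME_RE.match, text.splitlines()) if m]
    return {"fault_addr": int(fault.group(1), 16) if fault else -1,
            "access": access.group(1) if access else "UNKNOWN",
            "frames": frames}

def classify_fault_address(addr):
    """Hint at what the bad pointer was. mozjemalloc fills freed memory with 0xe5, so an
    address made only of 0xe5 bytes (as in the related Bug 2000419) points into freed data."""
    if addr < 0:
        return "unparsed"
    if addr < 0x1000:
        return "null-page"
    if set(addr.to_bytes(8, "little")) == {0xe5}:
        return "poisoned-free"
    return "unclassified"

def first_project_frame(frames, marker="/gecko/"):
    """Skip toolkit frames (GTK, GLib) and return the first frame from the project's own tree."""
    return next((f for f in frames if marker in f.path), None)
```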
Comment 4 • 6 months ago
The bug has a crash signature, thus the bug will be considered confirmed.
Comment 5 • 6 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 6 • 6 months ago
Fixed by backout.