Minefield 64-bit crash of NVIDIA driver [@ nvwgf2umx.dll@0x56f71a ]

RESOLVED FIXED in mozilla2.0b8

Status

defect
--
critical
RESOLVED FIXED
9 years ago
8 years ago

People

(Reporter: marcia, Assigned: m_kato)

Tracking

(Blocks 1 bug, {crash, regression, topcrash})

Trunk
mozilla2.0b8
x86_64
Windows 7

Firefox Tracking Flags

(blocking2.0 beta8+)

Attachments

(1 attachment, 1 obsolete attachment)

Seen while reviewing crash stats for trunk. Seems to only affect Windows 7 and is probably some sort of driver issue? Started showing up in crash stats using 2010111000 build. Many of the comments mention some kind of interaction with flash.

Frame 	Module 	Signature 	Source
0 	nvwgf2umx.dll 	nvwgf2umx.dll@0x56f71a 	
1 	nvwgf2umx.dll 	nvwgf2umx.dll@0x12cfa9 	
2 	nvwgf2umx.dll 	nvwgf2umx.dll@0x113e10 	
3 	nvwgf2umx.dll 	nvwgf2umx.dll@0x1493c8 	
4 	nvwgf2umx.dll 	nvwgf2umx.dll@0x1864ab 	
5 	nvwgf2umx.dll 	nvwgf2umx.dll@0x1493c8 	
6 	nvwgf2umx.dll 	nvwgf2umx.dll@0x1641c4

Adding kev. Would be good to have a contact at Nvidia to talk to about this issue since I believe it is one of their drivers that may be involved with the crash.
blocking2.0: --- → ?
Does not seem to be Nvidia related.

Same issue with ATI card (same result on same site with Nvidia and ATI -> crash)
http://crash-stats.mozilla.com/report/index/bp-a8236f4e-cc93-4b59-b40b-06cd82101111
Summary: Firefox/4.0b8pre crash in [@ nvwgf2umx.dll@0x56f71a ] → Firefox/4.0b8pre crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ]
It is a mega top crasher, there are about 500 crashes/buildday/signature.

4.0b8pre/20101110043309 : works
4.0b8pre/20101110140021 : fails
As there is no changeset associated to 4.0b8pre/20101110140021, an accurate regression range cannot be determined.
Here is a larger regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=df1d1ff6b489&tochange=0f17e5f1eb01
Keywords: regression
Hardware: x86 → x86_64
Summary: Firefox/4.0b8pre crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ] → Firefox/4.0b8pre crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ] on Win x64
> As there is no changeset associated to 4.0b8pre/20101110140021
I was misled because now Minefield 64-bit can submit crash reports.
Here is the regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5f427b7d7b60&tochange=85b93f3ea9d1
Summary: Firefox/4.0b8pre crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ] on Win x64 → Firefox/4.0b8pre 64-bit crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ]
Summary: Firefox/4.0b8pre 64-bit crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ] → Firefox/4.0b8pre 64-bit crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ], [@ atidxx64.dll@0x2b4270 ]
Summary: Firefox/4.0b8pre 64-bit crash in [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ], [@ atidxx64.dll@0x2b4270 ] → Firefox/4.0b8pre 64-bit crash of ATI and NVIDIA drivers [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ], [@ atidxx64.dll@0x2b4270 ], [@ atidxx64.dll@0x2a23f0 ]
Blocks: 611606
Summary: Firefox/4.0b8pre 64-bit crash of ATI and NVIDIA drivers [@ nvwgf2umx.dll@0x56f71a ], [@ nvwgf2umx.dll@0x52a71a ], [@ atidxx64.dll@0x267910 ], [@ atidxx64.dll@0x2b4270 ], [@ atidxx64.dll@0x2a23f0 ] → Minefield 64-bit crash of NVIDIA driver [@ nvwgf2umx.dll@0x56f71a ]
adding joe from gfx
roc's push is the one that changed graphics stuff the most, though I don't think any of it touched low level code, just setup.  Do we have symbols for any of these crashes?  The crash in comment #2 has absolutely zero symbols, which is strange.
The non-hardware-acceleration issue is bug 611970.

In CairoImageD3D10::SetData, data.pSysMem is an invalid pointer.

0:000> .frame 18
18 00000000`0038ddb0 000007fe`e376a5d5
0:000> x
00000000`0038de50 this = 0x00000000`17028640
00000000`0038de58 aData = 0x00000000`0038e110
00000000`0038ddf0 data = struct D3D10_SUBRESOURCE_DATA
00000000`0038de00 desc = struct CD3D10_TEXTURE2D_DESC
0:000> dt data
Local var @ 0x38ddf0 Type D3D10_SUBRESOURCE_DATA
   +0x000 pSysMem          : 0xffffffff`02add7ec
   +0x008 SysMemPitch      : 0xfffff39c
   +0x00c SysMemSlicePitch : 0

stack is
00000000`0038ddb0 000007fe`e376a5d5 xul!mozilla::layers::CairoImageD3D10::SetData+0x244
00000000`0038de50 000007fe`e376ac86 xul!nsPluginInstanceOwner::SetCurrentImage+0x135
00000000`0038deb0 000007fe`e303ae2a xul!nsPluginInstanceOwner::InvalidateRect+0x62
00000000`0038df30 000007fe`e3036223 xul!nsNPAPIPluginInstance::InvalidateRect+0x9a
00000000`0038df80 000007fe`e3205232 xul!mozilla::plugins::parent::_invalidaterect+0xcf
00000000`0038dff0 000007fe`e3207213 xul!mozilla::plugins::PluginInstanceParent::RecvNPN_InvalidateRect+0x12
00000000`0038e020 000007fe`e3267742 xul!mozilla::plugins::PluginInstanceParent::RecvShow+0x28b
00000000`0038e0b0 000007fe`e324ba14 xul!mozilla::plugins::PPluginInstanceParent::OnMessageReceived+0x25e
00000000`0038e210 000007fe`e323f3ca xul!mozilla::plugins::PPluginModuleParent::OnMessageReceived+0x90
00000000`0038e300 000007fe`e323a852 xul!mozilla::ipc::SyncChannel::OnDispatchMessage+0x142
00000000`0038e3a0 000007fe`e324fa89 xul!mozilla::ipc::RPCChannel::Call+0x992
00000000`0038e790 000007fe`e32123ad xul!mozilla::plugins::PPluginModuleParent::CallPPluginInstanceConstructor+0x2c1
00000000`0038e8f0 000007fe`e303b79b xul!mozilla::plugins::PluginModuleParent::NPP_New+0x271
00000000`0038e9b0 000007fe`e305928c xul!nsNPAPIPluginInstance::InitializePlugin+0x37f
00000000`0038eab0 000007fe`e305d9ab xul!nsPluginHost::TrySetUpPluginInstance+0x5f4
00000000`0038ef50 000007fe`e3058166 xul!nsPluginHost::SetUpPluginInstance+0x37
00000000`0038efd0 000007fe`e305d969 xul!nsPluginHost::DoInstantiateEmbeddedPlugin+0x9d2
00000000`0038f280 000007fe`e376c1e7 xul!nsPluginHost::InstantiateEmbeddedPlugin+0x11
00000000`0038f2c0 000007fe`e3774203 xul!nsObjectFrame::InstantiatePlugin+0x1eb
00000000`0038f330 000007fe`e4637d46 xul!nsObjectFrame::Instantiate+0x283
00000000`0038f3e0 000007fe`e46387b4 xul!nsObjectLoadingContent::Instantiate+0x1ca
00000000`0038f490 000007fe`e4360974 xul!nsAsyncInstantiateEvent::Run+0x13c
00000000`0038f540 000007fe`e33f3bfc xul!nsThread::ProcessNextEvent+0x1cc
00000000`0038f5a0 000007fe`e322da8f xul!NS_ProcessNextEvent_P+0x58
00000000`0038f5e0 000007fe`e438d4a2 xul!mozilla::ipc::MessagePump::Run+0x11f
00000000`0038f650 000007fe`e438e503 xul!MessageLoop::RunHandler+0x3a
00000000`0038f680 000007fe`e423e88f xul!MessageLoop::Run+0x23
00000000`0038f6e0 000007fe`e415eb36 xul!nsBaseAppShell::Run+0x53
00000000`0038f720 000007fe`e2ebfc0e xul!nsAppStartup::Run+0x7e
00000000`0038f760 00000001`3fa71da5 xul!XRE_main+0x2652
00000000`0038fb40 00000001`3fa72030 firefox!NS_internal_main+0x2dd
00000000`0038fba0 00000001`3fa75db2 firefox!wmain+0x160
00000000`0038fc10 00000001`3fa75c0e firefox!__tmainCRTStartup+0x192
00000000`0038fc80 00000000`76cdbe3d firefox!wmainCRTStartup+0xe
00000000`0038fcb0 00000000`77026a51 kernel32!BaseThreadInitThunk+0xd
00000000`0038fce0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
Maybe this is a regression from bug 596451 (async plugin rendering).
This is a compiler bug.

0:000> u xul!mozilla::gfx::SharedDIBSurface::InitSurface
xul!mozilla::gfx::SharedDIBSurface::InitSurface:
000007fe`e33e7a38 488bc4          mov     rax,rsp
000007fe`e33e7a3b 53              push    rbx
000007fe`e33e7a3c 4883ec30        sub     rsp,30h
000007fe`e33e7a40 488bd9          mov     rbx,rcx
000007fe`e33e7a43 418d48ff        lea     ecx,[r8-1]
000007fe`e33e7a47 448bda          mov     r11d,edx
000007fe`e33e7a4a 4533d2          xor     r10d,r10d
000007fe`e33e7a4d 41f7db          neg     r11d
000007fe`e33e7a50 895008          mov     dword ptr [rax+8],edx
000007fe`e33e7a53 488b5360        mov     rdx,qword ptr [rbx+60h]
000007fe`e33e7a57 41c1e302        shl     r11d,2
000007fe`e33e7a5b 453aca          cmp     r9b,r10b
000007fe`e33e7a5e 410f94c2        sete    r10b
000007fe`e33e7a62 4489400c        mov     dword ptr [rax+0Ch],r8d
000007fe`e33e7a66 4c8d4008        lea     r8,[rax+8]
000007fe`e33e7a6a 410fafcb        imul    ecx,r11d <--- 32-bit calculation
000007fe`e33e7a6e 482bd1          sub     rdx,rcx  <--- 64-bit calculation without sign conversion!!!!!
000007fe`e33e7a71 488bcb          mov     rcx,rbx
000007fe`e33e7a74 458bcb          mov     r9d,r11d
000007fe`e33e7a77 448950e8        mov     dword ptr [rax-18h],r10d

I am working on a new fix for this.
Assignee: nobody → m_kato
Ahh, this isn't a compiler bug. aHeight is PRUint32; we need to cast to signed.
Duplicate of this bug: 611970
Also, does SysMemPitch support negative values? SysMemPitch is UINT.

0:000> dt xul!D3D10_SUBRESOURCE_DATA
   +0x000 pSysMem          : Ptr64 Void
   +0x008 SysMemPitch      : Uint4B
   +0x00c SysMemSlicePitch : Uint4B
Depends on: 611970
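
The arithmetic discussed in the comments above (a 32-bit multiply feeding a 64-bit subtract, with an unsigned height), reproduced as an added C example; it is not code from this bug thread or from the Mozilla patch. Function names, the base address and the height are constructed, and the width of 793 pixels is chosen so that the stride matches the 0xfffff39c pitch in the debugger output.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers modelling a bottom-up DIB whose stride is negative.
   Addresses are plain uint64_t values so no real memory is touched. */

/* Before: uint32_t * int32_t is evaluated as unsigned 32-bit. The negative
   product wraps to a large positive value, which is then zero-extended
   when it is subtracted from the 64-bit base address. */
uint64_t first_row_buggy(uint64_t base, uint32_t width, uint32_t height)
{
    int32_t stride = -(int32_t)(width * 4u);   /* 4 bytes per pixel */
    return base - (height - 1) * stride;       /* 32-bit unsigned product */
}

/* After: cast to signed 64-bit before multiplying, so the negative offset
   keeps its sign and subtracting it moves the address up to the last row. */
uint64_t first_row_fixed(uint64_t base, uint32_t width, uint32_t height)
{
    int64_t stride = -(int64_t)width * 4;
    return (uint64_t)((int64_t)base - ((int64_t)height - 1) * stride);
}

/* A negative stride stored in an unsigned 32-bit pitch field (SysMemPitch
   is Uint4B in the dt output) becomes a value close to 4 GiB. */
uint32_t stride_as_pitch(uint32_t width)
{
    return (uint32_t)(-(int32_t)(width * 4u));
}

int main(void)
{
    const uint64_t base = 0x2A00000ULL;        /* constructed base address */
    const uint32_t width = 793, height = 200;  /* constructed dimensions */

    printf("buggy: 0x%016" PRIx64 "\n", first_row_buggy(base, width, height));
    printf("fixed: 0x%016" PRIx64 "\n", first_row_fixed(base, width, height));
    printf("pitch: 0x%08" PRIx32 "\n", stride_as_pitch(width));
    return 0;
}
```

The buggy result lands exactly 4 GiB below the intended address, which is why the upper 32 bits read 0xffffffff, the same shape as the pSysMem value in the debugger output.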
Posted patch: test patch (obsolete)
Use top-to-bottom DIB

This is being tested on the try server.
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/m_kato@ga2.so-net.ne.jp-13d9bf11bdab
Will bug 611595 be fixed by this? Bas, this is likely the cause of most of the D3D crashes we've been seeing.
We need to get this fixed before beta 8 can ship; our crashiness is way up because of it.
blocking2.0: ? → beta8+
Posted patch: fix v1
Attachment #490530 - Attachment is obsolete: true
Attachment #490816 - Flags: review?(benjamin)
This fix also includes bug 611970's fix.
Status: NEW → ASSIGNED
(In reply to comment #14)
> Will bug 611595 be fixed by this? Bas, this is likely the cause of most of the
> D3D crashes we've been seeing.

No.  bug 611595 seems to be that mManager->device() is null... I don't know why device() is null.
Attachment #490816 - Flags: review?(benjamin) → review+
Duplicate of this bug: 612803
http://hg.mozilla.org/mozilla-central/rev/21fa0a3a8c5a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Duplicate of this bug: 611612
Duplicate of this bug: 611613
Duplicate of this bug: 611614
Duplicate of this bug: 611714
Duplicate of this bug: 612017
Duplicate of this bug: 611610
Makoto: I see one instance of an ATI crash still occurring using the 20101119 build - http://crash-stats.mozilla.com/report/index/36b867c2-86f6-49df-a858-5ed722101119. Should I file a new bug for this occurrence?
> Makoto: I see one instance of an ATI crash still occurring using the 20101119 build -
> http://crash-stats.mozilla.com/report/index/36b867c2-86f6-49df-a858-5ed722101119.
> Should I file a new bug for this occurrence?
This one happens in a 32-bit build. So it is not related to the fixing of this bug. You can file a new bug but there have been only two crashes for the last 3 days.
Crash Signature: [@ nvwgf2umx.dll@0x56f71a ]