Closed
Bug 898828
Opened 12 years ago
Closed 12 years ago
crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
People
(Reporter: scoobidiver, Assigned: nrc)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
|
2.28 MB,
text/plain
|
Details | |
|
4.41 KB,
patch
|
nical
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
It first showed up in 25.0a1/20130711. The regression range might be (low volume):
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=04d8c309fe72&tochange=dde4dcd6fa46
It's likely a regression from bug 858914.
Signature mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const&, nsIntRegion*, nsIntPoint*) More Reports Search
UUID 7565a647-6274-4168-82e0-06a232130726
Date Processed 2013-07-26 15:47:58.892898
Uptime 41
Last Crash 43 seconds before submission
Install Age 729 since version was first installed.
Install Time 2013-07-26 15:35:41
Product Firefox
Version 25.0a1
Build ID 20130726030203
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7 | 8
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0
App Notes
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0dfa, AdapterSubsysID: 21cf17aa, AdapterDriverVersion: 9.18.13.2049
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Frame Module Signature Source
0 xul.dll mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const &,nsIntRegion *,nsIntPoint *) gfx/layers/d3d11/TextureD3D11.cpp
1 xul.dll mozilla::layers::DeprecatedTextureHost::SwapTexturesImpl(mozilla::layers::SurfaceDescriptor const &,nsIntRegion *) obj-firefox/dist/include/mozilla/layers/TextureHost.h
2 xul.dll mozilla::layers::DeprecatedImageHostBuffered::Update(mozilla::layers::SurfaceDescriptor const &,mozilla::layers::SurfaceDescriptor *) gfx/layers/composite/ImageHost.cpp
More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Alayers%3A%3ADeprecatedTextureHostYCbCrD3D11%3A%3AUpdateImpl%28mozilla%3A%3Alayers%3A%3ASurfaceDescriptor+const%26%2C+nsIntRegion*%2C+nsIntPoint*%29
|
Reporter | |
Updated•12 years ago
|
Summary: crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const&, nsIntRegion*, nsIntPoint*) → crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl
>(low volume)
Just in case it isn't obvious, I'm only hitting it with OMTC enabled, which may explain the volume.
|
||
Comment 2•12 years ago
|
||
I just hit this issue in the latest Win64 Nightly with the following items in about:config set to true:
layers.acceleration.force-enabled
layers.offmainthreadcomposition.enabled
layers.offmainthreadcomposition.animate-opacity
layers.offmainthreadcomposition.animate-transform
layers.async-video.enabled
I tried to play an embedded Youtube video on http://www.noxarcana.com/ and Nightly crashed.
https://crash-stats.mozilla.com/report/index/2ab2d3de-a408-4c79-8d35-f2e882131015
|
||
Comment 3•12 years ago
|
||
I'm reliably hitting a very similar crash with e10s enabled running browser/base/content/test/general/browser_bug432599.js
xul.dll!mozilla::layers::DeprecatedTextureHostBasic::UpdateImpl(const mozilla::layers::SurfaceDescriptor & aImage, nsIntRegion * aRegion, nsIntPoint * __formal) Line 99 C++
> xul.dll!mozilla::layers::ContentHostDoubleBuffered::UpdateThebes(const mozilla::layers::ThebesBufferData & aData, const nsIntRegion & aUpdated, const nsIntRegion & aOldValidRegionBack, nsIntRegion * aUpdatedRegionBack) Line 508 C++
xul.dll!mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(const mozilla::layers::CompositableOperation & aEdit, std::vector<mozilla::layers::EditReply,std::allocator<mozilla::layers::EditReply> > & replyv) Line 178 C++
xul.dll!mozilla::layers::LayerTransactionParent::RecvUpdate(const nsTArray<mozilla::layers::Edit> & cset, const mozilla::layers::TargetConfig & targetConfig, const bool & isFirstPaint, nsTArray<mozilla::layers::EditReply> * reply) Line 414 C++
xul.dll!mozilla::layers::PLayerTransactionParent::OnMessageReceived(const IPC::Message & __msg, IPC::Message * & __reply) Line 550 + 0x24 bytes C++
xul.dll!mozilla::layers::PCompositorParent::OnMessageReceived(const IPC::Message & __msg, IPC::Message * & __reply) Line 413 + 0x9 bytes C++
xul.dll!mozilla::ipc::MessageChannel::DispatchSyncMessage(const IPC::Message & aMsg) Line 921 C++
which for now I'll assume is the same basic problem.
|
|
||
Comment 4•12 years ago
|
||
I'm getting this crash now while trying to order a Kindle Fire HDX 8.9 from Amazon.com (http://www.amazon.com/gp/product/B00BHJRYYS). The page loads fine, but the crash happens when I click on the 32GB option. I've attached a log from WinDBG, hopefully it is helpful.
FAULTING_IP:
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91 [c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp @ 503]
0fde5313 8b01 mov eax,dword ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0fde5313 (xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x00000091)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000360 ecx=00000000 edx=0c7ff948 esi=2bffe680 edi=30d50000
eip=0fde5313 esp=0c7ff910 ebp=0c7ff978 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x91:
0fde5313 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????
FAULTING_THREAD: 00046c54
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91 [c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp @ 503]
0fde5313 8b01 mov eax,dword ptr [ecx]
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: firefox.exe
FAULTING_LOCAL_VARIABLE_NAME: aRegion
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ_BEFORE_CALL
DEFAULT_BUCKET_ID: NULL_POINTER_READ_BEFORE_CALL
LAST_CONTROL_TRANSFER: from 0fd29b7f to 0fde5313
STACK_TEXT:
0c7ff978 0fd29b7f 247eb594 00000000 00000000 xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x91
0c7ff98c 0fd65626 247eb594 00000000 281d37c0 xul!mozilla::layers::DeprecatedTextureHost::SwapTexturesImpl+0x10
0c7ff9a0 0fd6577f 2bffe680 247eb594 0c7ffb10 xul!mozilla::layers::DeprecatedTextureHost::SwapTextures+0x13
0c7ff9b8 0fe7df1e 247eb594 0c7ffb10 0c7ffbc0 xul!mozilla::layers::DeprecatedImageHostBuffered::Update+0x31
0c7ffb4c 0feadce7 083616e4 247eb588 0c7ffb70 xul!mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate+0x155
0c7ffb80 0f73e304 0c7ffbc0 0c7ffbbc 0c7ffc1c xul!mozilla::layers::ImageBridgeParent::RecvUpdate+0x45
0c7ffbd4 0f6effa3 0c7ffc1c 0c7ffbec 0b565d40 xul!mozilla::layers::PImageBridgeParent::OnMessageReceived+0x52f
0c7ffbf0 0f6f2a22 0c7ffc1c 083615a0 5179e330 xul!mozilla::ipc::MessageChannel::DispatchSyncMessage+0x23
0c7ffc04 0f6f3419 0c7ffc1c 0c7ffd3c 0c7ffd3c xul!mozilla::ipc::MessageChannel::DispatchMessageW+0x23
0c7ffc48 0f6e1bd0 0c7ffc94 11339498 0c7ffc64 xul!mozilla::ipc::MessageChannel::OnMaybeDequeueOne+0xdf
0c7ffc58 0f6e4301 230993b0 0c7ffca0 0f6e6dcc xul!MessageLoop::RunTask+0x15
0c7ffc64 0f6e6dcc 0c7ffc7c 0c7ffd3c 06263740 xul!MessageLoop::DeferOrRunPendingTask+0x30
0c7ffca0 0f6e5352 00000000 0c7ffd3c 0c7ffd3c xul!MessageLoop::DoWork+0x7d
0c7ffcd0 0f6e2a05 017ffd3c d3a23db0 0a1de294 xul!base::MessagePumpDefault::Run+0x151
0c7ffd08 0f6e2ef7 0a1de280 00000001 00000500 xul!MessageLoop::RunHandler+0x51
0c7ffd28 0f6e977b 00000000 00000000 00000000 xul!MessageLoop::Run+0x19
0c7ffe14 0f6ded3f 0c7ffe28 77be495d 0a1de280 xul!base::Thread::ThreadMain+0xa6
0c7ffe1c 77be495d 0a1de280 0c7ffe6c 77e498ee xul!`anonymous namespace'::ThreadFunc+0xb
0c7ffe28 77e498ee 0a1de280 6998121c 00000000 KERNEL32!BaseThreadInitThunk+0xe
0c7ffe6c 77e498c4 ffffffff 77e3e0eb 00000000 ntdll!__RtlUserThreadStart+0x20
0c7ffe7c 00000000 0f6ded34 0a1de280 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp
FAULTING_SOURCE_FILE: c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp
FAULTING_SOURCE_LINE_NUMBER: 503
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: xul
IMAGE_NAME: xul.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 52ac6c2d
FAILURE_BUCKET_ID: NULL_POINTER_READ_BEFORE_CALL_c0000005_xul.dll!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl
BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL_xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:null_pointer_read_before_call_c0000005_xul.dll!mozilla::layers::deprecatedtexturehostycbcrd3d11::updateimpl
FAILURE_ID_HASH: {acafa32b-1db4-f9ca-10de-6c5948a71bf6}
Followup: MachineOwner
|
|
||
Updated•12 years ago
|
status-firefox28:
--- → affected
status-firefox29:
--- → affected
|
|
||
Comment 5•12 years ago
|
||
This is still a pretty low volume crash bug, but I'm seeing it on more and more pages now. Most recently on http://www.polygon.com/2013/12/19/5226722/the-stomping-land-lets-you-tame-and-mount-up-to-14-dinosaur-species while trying to play the embedded video. Should we mark this as blocking OMTC since it only seems to happen when that is enabled?
I can reproduce this on a clean profile - except for settings listed below - by going to http://en.wikipedia.org/wiki/File:Typing_example.ogv and clicking on the video.
layers.async-video.enabled true
layers.offmainthreadcomposition.async-animations true
layers.offmainthreadcomposition.enabled true
plugin.allow.asyncdrawing true
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
|
|
Assignee | |
Comment 7•12 years ago
|
||
async video is not supported on Windows, so if this can only be repro'ed with layers.async-video.enabled true, then we should close this as invalid. Even better, we might want to just ignore that pref on Windows so we don't crash. Nical - is that as easy as it sounds?
Flags: needinfo?(nical.bugzilla)
|
|
||
Comment 8•12 years ago
|
||
I haven't tried to repro this w/o the async video set to true. But it makes sense now to see this crash based on what you said. Embedded videos are the only videos that seem to trigger the crash though, videos hosted on Vimeo and YouTube domains don't.
|
||
Comment 9•12 years ago
|
||
(In reply to Nick Cameron [:nrc] from comment #7)
> async video is not supported on Windows, so if this can only be repro'ed
> with layers.async-video.enabled true, then we should close this as invalid.
Yup, it'd be nice to have async-video on windows someday soon though, cause it's kinda cool.
> Even better, we might want to just ignore that pref on Windows so we don't
> crash. Nical - is that as easy as it sounds?
It is indeed.
Flags: needinfo?(nical.bugzilla)
|
|
Assignee | |
Comment 11•12 years ago
|
||
[Approval Request Comment]
Bug caused by (feature/regressing bug #): pref available but feature isn't
User impact if declined: a very small number of crashes for adventurous users
Testing completed (on m-c, etc.): we could let it marinate on m-c for a few days
Risk to taking this patch (and alternatives if risky): low
String or IDL/UUID changes made by this patch: none
Attachment #8350398 -
Flags: review?(nical.bugzilla)
Attachment #8350398 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•12 years ago
|
Attachment #8350398 -
Flags: review?(nical.bugzilla) → review+
|
|
Assignee | |
Comment 12•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
tracking-firefox28:
--- → ?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Attachment #8350398 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 14•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/97d982371403
Should we consider taking this on beta as well?
status-firefox26:
--- → wontfix
status-firefox27:
--- → affected
|
|
||
Comment 15•12 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #14)
> Should we consider taking this on beta as well?
Consider the following:
* Firefox 29: 0 crashes in the last 7 days
* Firefox 28: 0 crashes in the last 7 days
* Firefox 27: 3 crashes in the last 7 days from a single user
* Firefox 26: 3 crahses in the last 7 days from a single user
Given the first two points I think it's safe to call this verified fixed.
Given the last two points I would think the volume is low enough that we should just let it ride.
You need to log in
before you can comment on or make changes to this bug.
Description
•