crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl

VERIFIED FIXED in Firefox 28

Status

Core
Graphics: Layers
--
critical
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: nrc)

Tracking

({crash, regression})

25 Branch
mozilla29
All
Windows 7
crash, regression

Firefox Tracking Flags

(firefox24 unaffected, firefox25 wontfix, firefox26 wontfix, firefox27 affected, firefox28+ verified, firefox29 verified)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
It first showed up in 25.0a1/20130711. The regression range might be (low volume):
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=04d8c309fe72&tochange=dde4dcd6fa46
It's likely a regression from bug 858914.

Signature 	mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const&, nsIntRegion*, nsIntPoint*)
UUID 	7565a647-6274-4168-82e0-06a232130726
Date Processed	2013-07-26 15:47:58.892898
Uptime	41
Last Crash	43 seconds before submission
Install Age 	729 since version was first installed.
Install Time 	2013-07-26 15:35:41
Product 	Firefox
Version 	25.0a1
Build ID 	20130726030203
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 42 stepping 7 | 8
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x0
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0dfa, AdapterSubsysID: 21cf17aa, AdapterDriverVersion: 9.18.13.2049
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const &,nsIntRegion *,nsIntPoint *) 	gfx/layers/d3d11/TextureD3D11.cpp
1 	xul.dll 	mozilla::layers::DeprecatedTextureHost::SwapTexturesImpl(mozilla::layers::SurfaceDescriptor const &,nsIntRegion *) 	obj-firefox/dist/include/mozilla/layers/TextureHost.h
2 	xul.dll 	mozilla::layers::DeprecatedImageHostBuffered::Update(mozilla::layers::SurfaceDescriptor const &,mozilla::layers::SurfaceDescriptor *) 	gfx/layers/composite/ImageHost.cpp

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Alayers%3A%3ADeprecatedTextureHostYCbCrD3D11%3A%3AUpdateImpl%28mozilla%3A%3Alayers%3A%3ASurfaceDescriptor+const%26%2C+nsIntRegion*%2C+nsIntPoint*%29
(Reporter)

Updated

4 years ago
Summary: crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl(mozilla::layers::SurfaceDescriptor const&, nsIntRegion*, nsIntPoint*) → crash in mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl

Comment 1

4 years ago
>(low volume)

Just in case it isn't obvious, I'm only hitting it with OMTC enabled, which may explain the volume.
I just hit this issue in the latest Win64 Nightly with the following items in about:config set to true:

layers.acceleration.force-enabled
layers.offmainthreadcomposition.enabled
layers.offmainthreadcomposition.animate-opacity
layers.offmainthreadcomposition.animate-transform
layers.async-video.enabled 

I tried to play an embedded YouTube video on http://www.noxarcana.com/ and Nightly crashed.

https://crash-stats.mozilla.com/report/index/2ab2d3de-a408-4c79-8d35-f2e882131015
I'm reliably hitting a very similar crash with e10s enabled running browser/base/content/test/general/browser_bug432599.js

 	xul.dll!mozilla::layers::DeprecatedTextureHostBasic::UpdateImpl(const mozilla::layers::SurfaceDescriptor & aImage, nsIntRegion * aRegion, nsIntPoint * __formal)  Line 99	C++
>	xul.dll!mozilla::layers::ContentHostDoubleBuffered::UpdateThebes(const mozilla::layers::ThebesBufferData & aData, const nsIntRegion & aUpdated, const nsIntRegion & aOldValidRegionBack, nsIntRegion * aUpdatedRegionBack)  Line 508	C++
 	xul.dll!mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(const mozilla::layers::CompositableOperation & aEdit, std::vector<mozilla::layers::EditReply,std::allocator<mozilla::layers::EditReply> > & replyv)  Line 178	C++
 	xul.dll!mozilla::layers::LayerTransactionParent::RecvUpdate(const nsTArray<mozilla::layers::Edit> & cset, const mozilla::layers::TargetConfig & targetConfig, const bool & isFirstPaint, nsTArray<mozilla::layers::EditReply> * reply)  Line 414	C++
 	xul.dll!mozilla::layers::PLayerTransactionParent::OnMessageReceived(const IPC::Message & __msg, IPC::Message * & __reply)  Line 550 + 0x24 bytes	C++
 	xul.dll!mozilla::layers::PCompositorParent::OnMessageReceived(const IPC::Message & __msg, IPC::Message * & __reply)  Line 413 + 0x9 bytes	C++
 	xul.dll!mozilla::ipc::MessageChannel::DispatchSyncMessage(const IPC::Message & aMsg)  Line 921	C++

which for now I'll assume is the same basic problem.
Created attachment 8348556 [details]
WinDBG Log File

I'm getting this crash now while trying to order a Kindle Fire HDX 8.9 from Amazon.com (http://www.amazon.com/gp/product/B00BHJRYYS). The page loads fine, but the crash happens when I click on the 32GB option. I've attached a log from WinDBG, hopefully it is helpful. 

FAULTING_IP: 
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91 [c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp @ 503]
0fde5313 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0fde5313 (xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x00000091)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000360 ecx=00000000 edx=0c7ff948 esi=2bffe680 edi=30d50000
eip=0fde5313 esp=0c7ff910 ebp=0c7ff978 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x91:
0fde5313 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????

FAULTING_THREAD:  00046c54

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000 

FOLLOWUP_IP: 
xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91 [c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp @ 503]
0fde5313 8b01            mov     eax,dword ptr [ecx]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

FAULTING_LOCAL_VARIABLE_NAME:  aRegion

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ_BEFORE_CALL

DEFAULT_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL

LAST_CONTROL_TRANSFER:  from 0fd29b7f to 0fde5313

STACK_TEXT:  
0c7ff978 0fd29b7f 247eb594 00000000 00000000 xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+0x91
0c7ff98c 0fd65626 247eb594 00000000 281d37c0 xul!mozilla::layers::DeprecatedTextureHost::SwapTexturesImpl+0x10
0c7ff9a0 0fd6577f 2bffe680 247eb594 0c7ffb10 xul!mozilla::layers::DeprecatedTextureHost::SwapTextures+0x13
0c7ff9b8 0fe7df1e 247eb594 0c7ffb10 0c7ffbc0 xul!mozilla::layers::DeprecatedImageHostBuffered::Update+0x31
0c7ffb4c 0feadce7 083616e4 247eb588 0c7ffb70 xul!mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate+0x155
0c7ffb80 0f73e304 0c7ffbc0 0c7ffbbc 0c7ffc1c xul!mozilla::layers::ImageBridgeParent::RecvUpdate+0x45
0c7ffbd4 0f6effa3 0c7ffc1c 0c7ffbec 0b565d40 xul!mozilla::layers::PImageBridgeParent::OnMessageReceived+0x52f
0c7ffbf0 0f6f2a22 0c7ffc1c 083615a0 5179e330 xul!mozilla::ipc::MessageChannel::DispatchSyncMessage+0x23
0c7ffc04 0f6f3419 0c7ffc1c 0c7ffd3c 0c7ffd3c xul!mozilla::ipc::MessageChannel::DispatchMessageW+0x23
0c7ffc48 0f6e1bd0 0c7ffc94 11339498 0c7ffc64 xul!mozilla::ipc::MessageChannel::OnMaybeDequeueOne+0xdf
0c7ffc58 0f6e4301 230993b0 0c7ffca0 0f6e6dcc xul!MessageLoop::RunTask+0x15
0c7ffc64 0f6e6dcc 0c7ffc7c 0c7ffd3c 06263740 xul!MessageLoop::DeferOrRunPendingTask+0x30
0c7ffca0 0f6e5352 00000000 0c7ffd3c 0c7ffd3c xul!MessageLoop::DoWork+0x7d
0c7ffcd0 0f6e2a05 017ffd3c d3a23db0 0a1de294 xul!base::MessagePumpDefault::Run+0x151
0c7ffd08 0f6e2ef7 0a1de280 00000001 00000500 xul!MessageLoop::RunHandler+0x51
0c7ffd28 0f6e977b 00000000 00000000 00000000 xul!MessageLoop::Run+0x19
0c7ffe14 0f6ded3f 0c7ffe28 77be495d 0a1de280 xul!base::Thread::ThreadMain+0xa6
0c7ffe1c 77be495d 0a1de280 0c7ffe6c 77e498ee xul!`anonymous namespace'::ThreadFunc+0xb
0c7ffe28 77e498ee 0a1de280 6998121c 00000000 KERNEL32!BaseThreadInitThunk+0xe
0c7ffe6c 77e498c4 ffffffff 77e3e0eb 00000000 ntdll!__RtlUserThreadStart+0x20
0c7ffe7c 00000000 0f6ded34 0a1de280 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp

FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\h-w32-ntly-0000000000000000000\build\gfx\layers\d3d11\textured3d11.cpp

FAULTING_SOURCE_LINE_NUMBER:  503

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  52ac6c2d

FAILURE_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL_c0000005_xul.dll!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl

BUCKET_ID:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL_xul!mozilla::layers::DeprecatedTextureHostYCbCrD3D11::UpdateImpl+91

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:null_pointer_read_before_call_c0000005_xul.dll!mozilla::layers::deprecatedtexturehostycbcrd3d11::updateimpl

FAILURE_ID_HASH:  {acafa32b-1db4-f9ca-10de-6c5948a71bf6}

Followup: MachineOwner
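
Added example, not part of the bug report or of Mozilla's code: a small Python triage of the WinDBG fields quoted above. It cross-checks the faulting instruction's memory operand against the register dump and the exception parameters to confirm a read through a null base register. The 64 KiB near-null threshold is an assumption, and the second sample is constructed for contrast.

```python
import re
# Lines copied from the WinDBG log quoted above.
PAGE_EXCERPT = """\
0fde5313 8b01            mov     eax,dword ptr [ecx]
   Parameter[0]: 00000000
   Parameter[1]: 00000000
eax=00000000 ebx=00000360 ecx=00000000 edx=0c7ff948 esi=2bffe680 edi=30d50000
"""
# Constructed contrast case (not from the bug): a write through a non-null base.
CONSTRUCTED_WRITE = """\
10203040 894808          mov     dword ptr [eax+8],ecx
   Parameter[0]: 00000001
   Parameter[1]: 7f3e0018
eax=7f3e0010 ebx=00000000 ecx=00000001 edx=00000000 esi=00000000 edi=00000000
"""
ACCESS_KINDS = {0: "read", 1: "write", 8: "execute"}  # access-violation Parameter[0]
NEAR_NULL_LIMIT = 0x10000  # assumption: lowest 64 KiB is never mapped in user mode

def parse_registers(text):
    """Turn a WinDBG register dump line into {name: value}."""
    pairs = re.findall(r"\b(e(?:[a-d]x|[sd]i|[sb]p|ip))=([0-9a-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def parse_access(text):
    """Parameter[0] is the access kind, Parameter[1] the faulting address."""
    params = re.findall(r"Parameter\[\d\]:\s*([0-9a-f]+)", text)
    kind, address = (int(p, 16) for p in params[:2])
    return ACCESS_KINDS.get(kind, "unknown"), address

def parse_memory_operand(text):
    """Base register and displacement of the faulting instruction's operand."""
    match = re.search(r"ptr \[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]", text)
    base, sign, disp = match.groups()
    offset = int(disp, 16) if disp else 0
    return base, (-offset if sign == "-" else offset)

def triage(text):
    regs = parse_registers(text)
    access, address = parse_access(text)
    base, offset = parse_memory_operand(text)
    effective = (regs[base] + offset) & 0xFFFFFFFF  # 32-bit wraparound
    is_null = regs[base] == 0 and address < NEAR_NULL_LIMIT
    return {
        "access": access,
        "address": address,
        "base_register": base,
        "operand_matches_fault": effective == address,
        "verdict": "null dereference" if is_null else "needs review",
    }
```
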
status-firefox28: --- → affected
status-firefox29: --- → affected
This is still a pretty low volume crash bug, but I'm seeing it on more and more pages now. Most recently on http://www.polygon.com/2013/12/19/5226722/the-stomping-land-lets-you-tame-and-mount-up-to-14-dinosaur-species while trying to play the embedded video. Should we mark this as blocking OMTC since it only seems to happen when that is enabled?

Comment 6

4 years ago
I can reproduce this on a clean profile - except for settings listed below - by going to http://en.wikipedia.org/wiki/File:Typing_example.ogv and clicking on the video.

layers.async-video.enabled	true
layers.offmainthreadcomposition.async-animations	true
layers.offmainthreadcomposition.enabled	true
plugin.allow.asyncdrawing	true

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
(Assignee)

Comment 7

4 years ago
async video is not supported on Windows, so if this can only be repro'ed with layers.async-video.enabled true, then we should close this as invalid. Even better, we might want to just ignore that pref on Windows so we don't crash. Nical - is that as easy as it sounds?
Flags: needinfo?(nical.bugzilla)
I haven't tried to repro this w/o the async video set to true. But it makes sense now to see this crash based on what you said. Embedded videos are the only videos that seem to trigger the crash though, videos hosted on Vimeo and YouTube domains don't.
(In reply to Nick Cameron [:nrc] from comment #7)
> async video is not supported on Windows, so if this can only be repro'ed
> with layers.async-video.enabled true, then we should close this as invalid.

Yup, it'd be nice to have async-video on windows someday soon though, cause it's kinda cool.

> Even better, we might want to just ignore that pref on Windows so we don't
> crash. Nical - is that as easy as it sounds?

It is indeed.
Flags: needinfo?(nical.bugzilla)
(Assignee)

Comment 10

4 years ago
Cool. Patch coming up then.
Assignee: nobody → ncameron
(Assignee)

Comment 11

4 years ago
Created attachment 8350398 [details] [diff] [review]
override the async video pref on Windows

[Approval Request Comment]
Bug caused by (feature/regressing bug #): pref available but feature isn't
User impact if declined: a very small number of crashes for adventurous users
Testing completed (on m-c, etc.): we could let it marinate on m-c for a few days
Risk to taking this patch (and alternatives if risky): low
String or IDL/UUID changes made by this patch: none
Attachment #8350398 - Flags: review?(nical.bugzilla)
Attachment #8350398 - Flags: approval-mozilla-aurora?

Updated

4 years ago
Attachment #8350398 - Flags: review?(nical.bugzilla) → review+
(Assignee)

Comment 12

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c62c04ddca0
(Assignee)

Updated

4 years ago
tracking-firefox28: --- → ?
https://hg.mozilla.org/mozilla-central/rev/4c62c04ddca0
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
status-firefox29: affected → fixed
tracking-firefox28: ? → +
Attachment #8350398 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/97d982371403

Should we consider taking this on beta as well?
status-firefox25: affected → wontfix
status-firefox26: --- → wontfix
status-firefox27: --- → affected
status-firefox28: affected → fixed
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #14)
> Should we consider taking this on beta as well?

Consider the following:
 * Firefox 29: 0 crashes in the last 7 days
 * Firefox 28: 0 crashes in the last 7 days
 * Firefox 27: 3 crashes in the last 7 days from a single user
 * Firefox 26: 3 crashes in the last 7 days from a single user

Given the first two points I think it's safe to call this verified fixed.
Given the last two points I would think the volume is low enough that we should just let it ride.
Status: RESOLVED → VERIFIED
status-firefox28: fixed → verified
status-firefox29: fixed → verified