crash in mozilla::layers::LayerManagerD3D10::VerifyBufferSize @ CDXGISwapChain::ResizeBuffers

RESOLVED INCOMPLETE

Status

()

Core
Graphics: Layers
--
critical
RESOLVED INCOMPLETE
5 years ago
a year ago

People

(Reporter: xtc4uall, Unassigned)

Tracking

(Blocks: 2 bugs, {crash})

Trunk
x86
Windows 7
crash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox27 ?, firefox28 affected, firefox29 affected, firefox32 affected)

Details

(Whiteboard: [tbird crash], crash signature)

Attachments

(1 attachment)

218.21 KB, application/x-zip-compressed
Details
(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is 
report bp-8d761b29-82b4-417c-b1e4-ec5312130811 .
 ============================================================= 

Frame 	Module 	Signature 	Source
0 	dxgi.dll 	CDXGISwapChain::ResizeBuffers(unsigned int,unsigned int,unsigned int,DXGI_FORMAT,unsigned int) 	
1 	xul.dll 	mozilla::layers::LayerManagerD3D10::VerifyBufferSize() 	gfx/layers/d3d10/LayerManagerD3D10.cpp
2 	xul.dll 	mozilla::layers::LayerManagerD3D10::SetupPipeline() 	gfx/layers/d3d10/LayerManagerD3D10.cpp
3 	xul.dll 	mozilla::layers::LayerManagerD3D10::Render(mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/d3d10/LayerManagerD3D10.cpp
4 	xul.dll 	mozilla::layers::LayerManagerD3D10::EndTransaction(void (*)(mozilla::layers::ThebesLayer *,gfxContext *,nsIntRegion const &,nsIntRegion const &,void *),void *,mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/d3d10/LayerManagerD3D10.cpp
5 	xul.dll 	mozilla::layers::LayerManagerD3D10::EndEmptyTransaction(mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/d3d10/LayerManagerD3D10.cpp
6 	xul.dll 	PresShell::Paint(nsView *,nsRegion const &,unsigned int) 	layout/base/nsPresShell.cpp
7 	xul.dll 	nsViewManager::Refresh(nsView *,nsIntRegion const &) 	view/src/nsViewManager.cpp
8 	xul.dll 	nsView::PaintWindow(nsIWidget *,nsIntRegion) 	view/src/nsView.cpp
9 	xul.dll 	nsWindow::OnPaint(HDC__ *,unsigned int) 	widget/windows/nsWindowGfx.cpp
10 	xul.dll 	nsWindow::ProcessMessage(unsigned int,unsigned int &,long &,long *) 	widget/windows/nsWindow.cpp
11 	xul.dll 	nsCOMPtr_base::assign_from_qi(nsQueryInterface,nsID const &) 	obj-firefox/xpcom/build/nsCOMPtr.cpp
12 	xul.dll 	nsWindow::WindowProcInternal(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
13 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
14 	xul.dll 	xul.dll@0x25b410 	
15 	xul.dll 	xul.dll@0x27ad70 	
16 	user32.dll 	InternalCallWinProc 	
17 	user32.dll 	NtUserGetDC 	
18 	user32.dll 	DispatchClientMessage 	
19 	user32.dll 	__fnDWORD 	
20 	ntdll.dll 	KiUserCallbackDispatcher 	
21 	ntdll.dll 	KiUserApcDispatcher 	
22 	xul.dll 	nsWindow::DispatchStarvedPaints(HWND__ *,long) 	widget/windows/nsWindow.cpp
23 	xul.dll 	nsWindow::DispatchPendingEvents() 	widget/windows/nsWindow.cpp
24 	xul.dll 	nsWindow::ProcessMessage(unsigned int,unsigned int &,long &,long *) 	widget/windows/nsWindow.cpp
25 	xul.dll 	nsWindow::WindowProcInternal(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
26 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
27 	xul.dll 	nsWindow::WindowProc(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
28 	user32.dll 	InternalCallWinProc 	
29 	user32.dll 	UserCallWinProcCheckWow 	
30 	user32.dll 	DispatchMessageWorker 	
31 	user32.dll 	DispatchMessageW 	
32 	xul.dll 	nsAppShell::ProcessNextNativeEvent(bool) 	widget/windows/nsAppShell.cpp
33 	xul.dll 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal *,bool,unsigned int) 	widget/xpwidgets/nsBaseAppShell.cpp
34 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
35 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	obj-firefox/xpcom/build/nsThreadUtils.cpp
36 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
37 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
38 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
39 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
40 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
41 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
42 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
43 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
44 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
45 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
46 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
47 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
48 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
49 	kernel32.dll 	BaseThreadInitThunk 	
50 	ntdll.dll 	__RtlUserThreadStart 	
51 	ntdll.dll 	_RtlUserThreadStart

Got this when switching Tabs.

per Crashstats happening across several Versions: https://crash-stats.mozilla.com/report/list?signature=CDXGISwapChain%3A%3AResizeBuffers%28unsigned+int%2C+unsigned+int%2C+unsigned+int%2C+DXGI_FORMAT%2C+unsigned+int%29&product=Firefox&product=Thunderbird&product=SeaMonkey&query_type=contains&range_unit=weeks&process_type=any&hang_type=crash&date=2013-08-11+10%3A00%3A00&range_value=1

Comment 1

5 years ago
It's correlated to the latest Direct2D version of Windows 7:
   100% (15/15) vs.  15% (8303/57000) d3d11.dll
         13% (2/15) vs.   2% (879/57000) 6.2.9200.16492
         87% (13/15) vs.  10% (5793/57000) 6.2.9200.16570
    100% (15/15) vs.  21% (12055/57000) d2d1.dll
        100% (15/15) vs.  12% (6638/57000) 6.2.9200.16492

Crash reports without the date:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=CDXGISwapChain%3A%3AResizeBuffers%28unsigned+int%2C+unsigned+int%2C+unsigned+int%2C+DXGI_FORMAT%2C+unsigned+int%29
Summary: crash in CDXGISwapChain::ResizeBuffers(unsigned int, unsigned int, unsigned int, DXGI_FORMAT, unsigned int) → crash in mozilla::layers::LayerManagerD3D10::VerifyBufferSize @ CDXGISwapChain::ResizeBuffers

Comment 2

4 years ago
Is is going ever to be fixed? It happens to me almost every day. I always open a lot of tabs and never close my browser. Usually it was always ok but this problem started to appear about a half a year ago. 

The problem works this way:
The browser window content starts becoming black. Resizing the window helps for a while, but not that much. If I drag and drop a tab to create a new browser window - that new window becomes completely blank (white) (impossible to see even the title bar). If I try to do anything with this blank window (resize, move, close) - the browser crashes immediately. Even if I don't create a new window from the tab, then the browser will work longer but will eventually crash anyway.
The only way to avoid crash is to open a new window (CTRL-N) and close the old ones. This prevents crash without browser restart.

Please fix it - it really annoys :(

Comment 3

4 years ago
You posted in the EMPTY crash bugs that they may be related, but the reports with the signature here do not look like OOM crashes to me so are probably different. They could still be related in some form, but I would think they are different at least in some way. In any case, the reports here have way more info.

Comment 4

4 years ago
The symptoms reported in comment 2 match very closely with OOM conditions being unable to allocation texture data.

Denis, do you have a crash report ID from within the past week or so that I can check for detailed memory information?
Flags: needinfo?(deniska666)

Comment 5

4 years ago
Note from MS docs on IDXGISwapChain::ResizeBuffers:

For swap chains that you created with DXGI_SWAP_CHAIN_FLAG_GDI_COMPATIBLE, before you call ResizeBuffers, also call IDXGISurface1::ReleaseDC on the swap chain's back-buffer surface to ensure that you have no outstanding GDI device contexts (DCs) open.

Nowhere in http://hg.mozilla.org/releases/mozilla-release/annotate/d20d499b219f/gfx/layers/d3d10/LayerManagerD3D10.cpp#l655 do I see us doing this. Can this be a problem?
Flags: needinfo?(bas)

Comment 6

4 years ago
Hi Benjamin, here is my latest crash report with ResizeBuffers error: https://crash-stats.mozilla.com/report/index/1e78caf6-bbf9-4a4d-8649-63a352131129
p.s. Sorry for my useless obscene language in the comment there... But it really frustrates, especially if you are actively browsing and searching for some info.
Flags: needinfo?(deniska666)

Comment 7

4 years ago
I tried to reproduce this issue today, and I succeeded: https://crash-stats.mozilla.com/report/index/df5dbdb6-9e33-47f0-a7b0-728d02131205
Again: lots of tabs, multiple windows, after some hours of usage, the content area started becoming black. I then created a new window from one of the tabs using drag-n-drop. The window was totally white (no controls visible at all). I tried to resize it, and the browser crashed immediately.

Comment 8

4 years ago
This is a todays crash with the same symptoms but without crashing thread identified: https://crash-stats.mozilla.com/report/index/d566010c-15a0-40a9-8493-6867a2131210
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #5)
> Note from MS docs on IDXGISwapChain::ResizeBuffers:
> 
> For swap chains that you created with DXGI_SWAP_CHAIN_FLAG_GDI_COMPATIBLE,
> before you call ResizeBuffers, also call IDXGISurface1::ReleaseDC on the
> swap chain's back-buffer surface to ensure that you have no outstanding GDI
> device contexts (DCs) open.
> 
> Nowhere in
> http://hg.mozilla.org/releases/mozilla-release/annotate/d20d499b219f/gfx/
> layers/d3d10/LayerManagerD3D10.cpp#l655 do I see us doing this. Can this be
> a problem?

In theory it shouldn't matter, since we also never do a GetDC. We should really just get rid of using this flags altogether, but I believe on some buggy driver it would cause some problems.
Flags: needinfo?(bas)
(In reply to Denis V from comment #7)
> I tried to reproduce this issue today, and I succeeded:
> https://crash-stats.mozilla.com/report/index/df5dbdb6-9e33-47f0-a7b0-
> 728d02131205
> Again: lots of tabs, multiple windows, after some hours of usage, the
> content area started becoming black. I then created a new window from one of
> the tabs using drag-n-drop. The window was totally white (no controls
> visible at all). I tried to resize it, and the browser crashed immediately.

It would be really good to know which error code we're getting from the ResizeBuffers call in this case.

Comment 11

4 years ago
We're not returning from ResizeBuffers; it's either calling ResizeBuffers on a null pointer or ResizeBuffers is itself crashing internally.
I just ran into this crash today after I put Nightly (Holly) in the background and then clicked on the taskbar to bring it back to the foreground... I'll attach my full WinDBG log in a moment, but here is what I have so far:

FAULTING_IP: 
dxgi!CDXGISwapChain::ResizeBuffers+13bf3
5fabc9a8 8b08            mov     ecx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 5fabc9a8 (dxgi!CDXGISwapChain::ResizeBuffers+0x00013bf3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000001 ecx=00000004 edx=15fff630 esi=16a260a8 edi=16a260a0
eip=5fabc9a8 esp=15fff608 ebp=15fff6fc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
dxgi!CDXGISwapChain::ResizeBuffers+0x13bf3:
5fabc9a8 8b08            mov     ecx,dword ptr [eax]  ds:002b:00000000=????????

FAULTING_THREAD:  00090158

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000 

FOLLOWUP_IP: 
dxgi!CDXGISwapChain::ResizeBuffers+13bf3
5fabc9a8 8b08            mov     ecx,dword ptr [eax]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ_BEFORE_CALL

DEFAULT_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL

LAST_CONTROL_TRANSFER:  from 10748fd8 to 5fabc9a8

STACK_TEXT:  
15fff6fc 10748fd8 16a260a0 00000001 00000780 dxgi!CDXGISwapChain::ResizeBuffers+0x13bf3
15fff760 1098b3f0 0929e410 15fff820 0929e600 xul!mozilla::layers::CompositorD3D11::VerifyBufferSize+0x8f
15fff780 1098b4b6 0929e410 1d6bcc00 0929e600 xul!mozilla::layers::CompositorD3D11::UpdateRenderTarget+0x17
15fff7e0 10cd34b0 0929e634 00000000 0929e600 xul!mozilla::layers::CompositorD3D11::BeginFrame+0x3b
15fff85c 10cd3700 0ae46000 15fff8d8 1d6771a8 xul!mozilla::layers::LayerManagerComposite::Render+0x191
15fff8bc 1078d146 00000000 00000000 00000000 xul!mozilla::layers::LayerManagerComposite::EndTransaction+0xb9
15fff8cc 10aac87e 00000000 15fffa0c 1d677000 xul!mozilla::layers::LayerManagerComposite::EndEmptyTransaction+0x1a
15fff90c 10aac8e1 1d677000 0baa5660 10020205 xul!mozilla::layers::CompositorParent::CompositeInTransaction+0xfa
15fff918 10020205 15fffa0c 0a630e38 15fff934 xul!mozilla::layers::CompositorParent::Composite+0x1e
15fff928 10022982 0baa5660 15fff96c 10023851 xul!MessageLoop::RunTask+0x15
15fff934 10023851 15fff948 0ae437e0 0ae437f0 xul!MessageLoop::DeferOrRunPendingTask+0x30
15fff96c 100238c7 0ae437f0 00000000 15fffa0c xul!MessageLoop::DoDelayedWork+0x7d
15fff9a0 10021150 00fffa0c 78742503 0ae22ce4 xul!base::MessagePumpDefault::Run+0x64
15fff9d8 10021630 0ae22cd0 00000001 00000500 xul!MessageLoop::RunHandler+0x51
15fff9f8 10027eac 00000000 00000000 00000000 xul!MessageLoop::Run+0x19
15fffae4 1001d3c0 15fffaf8 77be495d 0ae22cd0 xul!base::Thread::ThreadMain+0xa6
15fffaec 77be495d 0ae22cd0 15fffb3c 77e498ee xul!`anonymous namespace'::ThreadFunc+0xb
15fffaf8 77e498ee 0ae22cd0 3572548f 00000000 KERNEL32!BaseThreadInitThunk+0xe
15fffb3c 77e498c4 ffffffff 77e3e0d2 00000000 ntdll!__RtlUserThreadStart+0x20
15fffb4c 00000000 1001d3b5 0ae22cd0 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  dxgi!CDXGISwapChain::ResizeBuffers+13bf3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: dxgi

IMAGE_NAME:  dxgi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  524d37dd

FAILURE_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL_c0000005_dxgi.dll!CDXGISwapChain::ResizeBuffers

BUCKET_ID:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL_dxgi!CDXGISwapChain::ResizeBuffers+13bf3

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:null_pointer_read_before_call_c0000005_dxgi.dll!cdxgiswapchain::resizebuffers

FAILURE_ID_HASH:  {201cecda-ed06-f98d-ed84-d54eeb55485e}

Followup: MachineOwner
status-firefox27: --- → ?
status-firefox28: --- → affected
status-firefox29: --- → affected

Comment 14

4 years ago
FF 28.0a2 (2013-12-31), Win7/64

https://crash-stats.mozilla.com/report/index/e85b3ee0-e610-4424-8a34-0c0742131231

Displaying one tab containing very large animated GIF (366,949 KB)

Comment 15

4 years ago
#107 crash for FF 26

Updated

4 years ago
Blocks: 998605

Comment 16

4 years ago
It will be soon a year since the bug was created, and no reaction, no fix. You, guys, play dirty tricks with the UI (remember those ugly 29 ui changes), but pay no attention to stability. Firefox is becoming a buggy awkward monster :(

Comment 17

4 years ago
Finally, I've been having this bug for a while and trying to track down the bug report. I've just had my first crash on Firefox 29.0: https://crash-stats.mozilla.com/report/index/3ed70f7b-2542-4df5-ab60-bb3ba2140507

Same symptoms as Denis V reports - window content randomly blacking out as page is scrolled/tabs switched/window resized. This then leads to missing elements of the page and window chrome, right up to the entire window - including the windows borders - rendering in flat white.

There was no contention for RAM. Firefox was using ~2GB.

I'll try and keep process explorer open to check GPU memory in future.
I think bug 1018729 is a dupe and has STR
Depends on: 1018729

Comment 19

4 years ago
My symptoms: the content area becomes black; interacting with the content makes it alternate between showing properly and changing back to black.

Importantly, once it starts happening, it will not stop; it's like something gets corrupted and stays corrupted until a crash (or a preemptive restart).

When the black starts to happen, the crash is usually very easy to trigger: restore and maximize the browser a couple of times and bang. But often it survives a couple of resizes. I do not know of any steps to reliably make the black appear. Haven't noticed any correlation either; it seems to start out of the blue.

Also interesting is that after a crash, the session restore is almost guaranteed to fail to restore the last couple of tabs I opened.

My crash reports already link to this bug, so I presume they are easy to find.

Comment 20

4 years ago
My SO's Firefox beta 32.0 crashed like this:

bp-72809541-7617-44df-bc6c-953732140731	31/07/2014	06:39 p.m.
status-firefox32: --- → affected

Comment 21

4 years ago
With h/w acceleration disabled, very similar symptoms appear, but never end in a crash. They look like this: http://screencast.com/t/pBaZS7WtbNs (fast forward to 0:30). Sounds like it could be part of the same underlying problem.

This crash is now in the top 50 crashers for Firefox 31.

Updated

3 years ago
Whiteboard: [tbird crash]

Updated

3 years ago
See Also: → bug 1131879

Comment 22

3 years ago
Reminder, bug 1018729 has a testcase.

Related to comment 21, this signature highly correlates to reenabling of HWA in Thunderbird 29 per bug 1131879 comment 9.    However, the user of bp-07580f2c-c4c8-4110-bbb2-0a7d42150220 (and other crashes with this signature) couldn't stop his crashing by setting preference to true for gfx.direct2d.disabled and layers.acceleration.disabled

Other issues with ResizeBuffers - https://bugzilla.mozilla.org/buglist.cgi?f1=short_desc&o3=substring&list_id=12023739&v3=graphics&o1=nowordssubstr&j2=OR&classification=Client%20Software&classification=Components&f4=keywords&chfieldto=Now&query_format=advanced&chfieldfrom=2013-01-01&f3=component&f2=OP&o4=substring&longdesc=ResizeBuffers&longdesc_type=anywordssubstr&product=Core&product=Firefox - some have been fixed since this bug report was filed
Blocks: 1086611

Updated

3 years ago
Blocks: 1195947

Updated

2 years ago
Crash Signature: [@ CDXGISwapChain::ResizeBuffers(unsigned int, unsigned int, unsigned int, DXGI_FORMAT, unsigned int)] → [@ CDXGISwapChain::ResizeBuffers(unsigned int, unsigned int, unsigned int, DXGI_FORMAT, unsigned int)] [@ CDXGISwapChain::ResizeBuffers]
In Firefox there are no reports beyond Firefox 47. We still have crashes with the current Thunderbird 45.3.0 (2 reports since release) but I expect these will go away once Thunderbird 52 builds are released. For these reasons I don't see much point in keeping this report open. Please reopen this bug report if you are able to reproduce this crash in a current Firefox version or a Thunderbird daily build.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.