Closed Bug 952116 Opened 11 years ago Closed 11 years ago

crash in mozilla::TimeDuration::operator>(mozilla::TimeDuration const&)

Categories

(Core :: Panning and Zooming, defect)

Product:
Core
Component:
Panning and Zooming
Version:
28 Branch
Platform:
x86
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla29
Tracking Flags:
Tracking Status
firefox27 --- unaffected
firefox28 + verified
firefox29 --- verified

People

(Reporter: jimm, Assigned: ajones)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Add mutex around APZC::CancelAnimation;
974 bytes, patch
kats
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
0 	xul.dll 	mozilla::TimeDuration::operator>(mozilla::TimeDuration const &) 	obj-firefox/dist/include/mozilla/TimeStamp.h
1 	xul.dll 	mozilla::layers::AsyncPanZoomController::UpdateAnimation(mozilla::TimeStamp const &) 	gfx/layers/ipc/AsyncPanZoomController.cpp
2 	xul.dll 	mozilla::layers::AsyncPanZoomController::SampleContentTransformForFrame(mozilla::TimeStamp const &,mozilla::layers::ViewTransform *,mozilla::gfx::PointTyped<mozilla::ScreenPixel> &) 	gfx/layers/ipc/AsyncPanZoomController.cpp
3 	xul.dll 	mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::TimeStamp,mozilla::layers::Layer *,bool *) 	gfx/layers/composite/AsyncCompositionManager.cpp
4 	xul.dll 	mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::TimeStamp,mozilla::layers::Layer *,bool *) 	gfx/layers/composite/AsyncCompositionManager.cpp
5 	xul.dll 	mozilla::layers::AsyncCompositionManager::ApplyAsyncContentTransformToTree(mozilla::TimeStamp,mozilla::layers::Layer *,bool *) 	gfx/layers/composite/AsyncCompositionManager.cpp
6 	xul.dll 	mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp) 	gfx/layers/composite/AsyncCompositionManager.cpp
7 	xul.dll 	mozilla::layers::CompositorParent::CompositeInTransaction() 	gfx/layers/ipc/CompositorParent.cpp
8 	xul.dll 	mozilla::layers::CompositorParent::Composite() 	gfx/layers/ipc/CompositorParent.cpp
9 	xul.dll 	MessageLoop::RunTask(Task *) 	ipc/chromium/src/base/message_loop.cc
10 	xul.dll 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) 	ipc/chromium/src/base/message_loop.cc
11 	xul.dll 	MessageLoop::DoDelayedWork(base::TimeTicks *) 	ipc/chromium/src/base/message_loop.cc
12 	xul.dll 	base::MessagePumpDefault::Run(base::MessagePump::Delegate *) 	ipc/chromium/src/base/message_pump_default.cc
13 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
14 	xul.dll 	MessageLoop::Run()

This bug was filed from the Socorro interface and is 
report bp-091217d4-41e2-41a9-b539-424602131216.
=============================================================
mAnimation can be nulled out on the input-receiving thread (i.e. the gecko thread) while the compositor thread is trying to query it via SampleContentTransformForFrame.

Anthony, do you have some cycles to look into this?
Blocks: 839911
Flags: needinfo?(ajones)
(I suspect all that needs to be done here is wrap the body CancelAnimation() inside a mMonitor lock, but it would be nice to have STR and verify the fix)
mAnimation is only being accessed in StartAnimation, CancelAnimation and UpdateAnimation. CancelAnimation is missing a mutex so I'll just add one.
Flags: needinfo?(ajones)
Assignee: nobody → ajones
Status: NEW → ASSIGNED
Comment on attachment 8350240 [details] [diff] [review]
Add mutex around APZC::CancelAnimation;

Review of attachment 8350240 [details] [diff] [review]:
-----------------------------------------------------------------

At some point we need to properly lock the state changes too. But that's a different bug for a different day.
Attachment #8350240 - Flags: review?(bugmail.mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/de90cb114d46
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
It looks like this crash has shown up in Firefox 28 too.  Should we request Aurora approval?
Blocks: metrov1backlog
status-firefox27: --- → unaffected
status-firefox28: --- → affected
status-firefox29: --- → fixed
tracking-firefox28: --- → ?
Keywords: regression
Whiteboard: [triage]
Version: 26 Branch → 28 Branch
Comment on attachment 8350240 [details] [diff] [review]
Add mutex around APZC::CancelAnimation;

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 839911
User impact if declined: occasional crashes
Testing completed (on m-c, etc.): fix is unconfirmed as of yet
Risk to taking this patch (and alternatives if risky): pretty low risk. even if this patch doesn't fix the crash it fixes an obvious bug in the code
String or IDL/UUID changes made by this patch: none
Attachment #8350240 - Flags: approval-mozilla-aurora?
No longer blocks: metrov1backlog
Whiteboard: [triage]
Attachment #8350240 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: