Closed Bug 988548 Opened 10 years ago Closed 10 years ago

crash in graphics driver (mostly Intel, sometimes NVidia) coming from CanvasRenderingContext2D::DrawImage

Categories

(Core :: Graphics: Canvas2D, defect)

29 Branch
x86
Windows NT
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 973264
Tracking Status
firefox28 --- unaffected
firefox29 + verified
firefox30 + verified
firefox31 --- verified

People

(Reporter: jbecerra, Unassigned)

Details

(Keywords: crash, topcrash-win)

Crash Data

This bug was filed from the Socorro interface and is report bp-e44dd355-7677-4034-a53a-c29122140326.
=============================================================

We are seeing a large number of crashes with this signature, and there are a lot of related signatures that start with "igd10umd32.dll@" in the explosiveness reports in Firefox 29 (beta).

I am adding all the related signatures coming up in the explosiveness reports for Fx29.


0 	igd10umd32.dll 	iSTD::FastMemCopy_SSE2_movntdq_movdqa(void *,void const *,unsigned int) 	
1 	igd10umd32.dll 	iSTD::FastMemCopy(void *,void const *,unsigned int) 	
2 	igd10umd32.dll 	iSTD::FastCpuBlt(unsigned char *,unsigned long,unsigned char *,unsigned long,unsigned long,unsigned long) 	
3 	igd10umd32.dll 	D3D10::CDevice::PerformSubresourceUpdate(D3D10::CResource *,unsigned int,D3D10_DDI_BOX const *,unsigned char * &,unsigned char * &,unsigned int,unsigned int,unsigned int,unsigned int) 	
4 	igd10umd32.dll 	D3D10::CDevice::ResourceUpdateSubResourceUP(D3D10::CResource *,unsigned int,D3D10_DDI_BOX const *,void const *,unsigned int,unsigned int,int) 	
5 	igd10umd32.dll 	D3D10::CResource::InitializeTextureData(D3D10_DDIARG_SUBRESOURCE_UP *) 	
6 	igd10umd32.dll 	D3D10::CResource::Initialize<D3D10DDIARG_CREATERESOURCE const >(D3D10DDIARG_CREATERESOURCE const *,D3D10::CResource *) 	
7 	igd10umd32.dll 	D3D10::CResource2D<D3D10::CGfxResource>::Create<D3D10DDIARG_CREATERESOURCE>(D3D10DDIARG_CREATERESOURCE const *,D3D10DDI_HRTRESOURCE,D3D10::CResource *,D3D10::CDevice *,D3D10::CResource2D<D3D10::CGfxResource> * &,bool) 	
8 	igd10umd32.dll 	D3D10::CResource::CreateSpecificResource<D3D10::CGfxResource,D3D10DDIARG_CREATERESOURCE>(D3D10DDIARG_CREATERESOURCE const *,D3D10DDI_HRTRESOURCE,D3D10::CResource *,D3D10::CDevice *,D3D10::CResource * &,bool) 	
9 	igd10umd32.dll 	D3D10::CResource::CreateResource<D3D10DDIARG_CREATERESOURCE>(D3D10DDIARG_CREATERESOURCE const *,D3D10DDI_HRTRESOURCE,D3D10::CResource *,D3D10::CDevice *,D3D10::CResource * &,bool) 	
10 	igd10umd32.dll 	D3D10::CDevice::CreateResource(D3D10DDIARG_CREATERESOURCE const *,D3D10DDI_HRTRESOURCE,D3D10::CResource *) 	
11 	igd10umd32.dll 	D3D10API::CreateResource10(D3D10DDI_HDEVICE,D3D10DDIARG_CREATERESOURCE const *,D3D10DDI_HRESOURCE,D3D10DDI_HRTRESOURCE) 	
12 	d3d11.dll 	CResource<ID3D11Texture3D>::CLS::FinalConstruct(CContext *,D3D11DDIARG_CREATERESOURCE const *,SD3D11SharedResourceCreationArgs *,SD3D11CrossLayerData *,D3D10DDI_HRTRESOURCE) 	
13 	d3d11.dll 	TCLSWrappers<CTexture2D>::CLSFinalConstructFn(CTexture2D::CLS *,CContext *,CTexture2D::TConstructorArgs const *) 	
14 	d3d11.dll 	CLayeredObjectWithCLS<CTexture2D>::FinalConstruct(CTexture2D::TConstructorArgs const &,_GUID const &,void * *,CLayeredObjectWithCLS<CTexture2D>::SInfo const *) 	
15 	d3d11.dll 	CLayeredObjectWithCLS<CTexture2D>::CreateInstance(CTexture2D::TConstructorArgs &,void *,void *,_GUID const &,void * *,CLayeredObjectWithCLS<CTexture2D>::SInfo const *) 	
16 	d3d11.dll 	CDevice::CreateLayeredChild(unsigned int,void const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &,void * *) 	
17 	d3d11.dll 	CBridgeImpl<ID3D11LayeredDevice,ID3D11LayeredDevice,CLayeredObject<CDevice> >::CreateLayeredChild(unsigned int,void const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &,void * *) 	
18 	d3d11.dll 	CD3D11LayeredChild<ID3D11DeviceChild,NDXGI::CDevice,64>::FinalConstruct(ED3D11DeviceChildType,SLayeredArgs const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &) 	
19 	d3d11.dll 	NDXGI::CResource::FinalConstruct(NDXGI::CResource::TConstructorArgs const &) 	
20 	d3d11.dll 	NDXGI::CDevice::CreateLayeredChild(unsigned int,void const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &,void * *) 	
21 	d3d11.dll 	CBridgeImpl<ID3D11LayeredDevice,ID3D11LayeredDevice,CLayeredObject<NDXGI::CDevice> >::CreateLayeredChild(unsigned int,void const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &,void * *) 	
22 	d3d11.dll 	NOutermost::CDeviceChild::FinalConstruct(NOutermost::CDeviceChild::TConstructorArgs const &) 	
23 	d3d11.dll 	CUseCountedObject<NOutermost::CDeviceChild>::CUseCountedObject<NOutermost::CDeviceChild>(void *,NOutermost::CDeviceChild::TConstructorArgs const &,NOutermost::CDevice *,_GUID const &,void * *) 	
24 	d3d11.dll 	CUseCountedObject<NOutermost::CDeviceChild>::CreateInstance(NOutermost::CDeviceChild::TConstructorArgs const &,NOutermost::CDevice *,void *,void *,_GUID const &,void * *) 	
25 	d3d11.dll 	NOutermost::CDevice::CreateLayeredChild(unsigned int,void const *,unsigned long,ID3D11LayeredUseCounted *,_GUID const &,void * *) 	
26 	d3d11.dll 	CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredTexture2DCreationArgs>(unsigned int,SD3D11LayeredTexture2DCreationArgs *,ID3D11LayeredUseCounted *,_GUID const &,void * *,bool) 	
27 	d3d11.dll 	CDevice::CreateTexture2D_Worker(D3D11_TEXTURE2D_DESC const *,D3D11_SUBRESOURCE_DATA const *,int,ID3D11Texture2D * *,SD3D11SharedResourceCreationArgs *,bool) 	
28 	d3d11.dll 	CDevice::CreateTexture2D(D3D11_TEXTURE2D_DESC const *,D3D11_SUBRESOURCE_DATA const *,ID3D11Texture2D * *) 	
29 	d2d1.dll 	d2d1.dll@0x2cf3d6 	
30 	d2d1.dll 	d2d1.dll@0x2d1207 	
31 	d2d1.dll 	d2d1.dll@0x2cd0f5 	
32 	d2d1.dll 	d2d1.dll@0x2ccce2 	
33 	d2d1.dll 	d2d1.dll@0x2408f0 	
34 	d2d1.dll 	d2d1.dll@0x23d224 	
35 	d2d1.dll 	d2d1.dll@0x229612 	
36 	d2d1.dll 	d2d1.dll@0x21ca8b 	
37 	gkmedias.dll 	mozilla::gfx::DrawTargetD2D::GetBitmapForSurface(mozilla::gfx::SourceSurface *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> &) 	gfx/2d/DrawTargetD2D.cpp
38 	gkmedias.dll 	mozilla::gfx::DrawTargetD2D::DrawSurface(mozilla::gfx::SourceSurface *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::DrawSurfaceOptions const &,mozilla::gfx::DrawOptions const &) 	gfx/2d/DrawTargetD2D.cpp
39 	xul.dll 	mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElement const &,double,double,double,double,double,double,double,double,unsigned char,mozilla::ErrorResult &) 	content/canvas/src/CanvasRenderingContext2D.cpp
40 	xul.dll 	mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElement const &,double,double,double,double,double,double,double,double,mozilla::ErrorResult &) 	obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h
41 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::drawImage 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp
42 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::genericMethod 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp
43 		@0x5307b74 	
44 		@0x1765d4d8 	
45 		@0x53070b9 	
46 		@0x1222b6b0 	
47 		@0xc217539 	
48 	mozjs.dll 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
49 	mozjs.dll 	js::jit::EnterBaselineMethod(JSContext *,js::RunState &) 	js/src/jit/BaselineJIT.cpp
50 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
51 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
52 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
53 	mozjs.dll 	JS::Call(JSContext *,JS::Value,JS::Value,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
54 	xul.dll 	mozilla::dom::FrameRequestCallback::Call(JSContext *,JS::Handle<JS::Value>,double,mozilla::ErrorResult &) 	obj-firefox/dom/bindings/WindowBinding.cpp
55 	xul.dll 	mozilla::dom::FrameRequestCallback::Call(double,mozilla::ErrorResult &,mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/WindowBinding.h
56 	xul.dll 	nsRefreshDriver::Tick(__int64,mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
57 	xul.dll 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp
58 	xul.dll 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
59 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
60 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
61 	ntdll.dll 	NtSetEvent 	
62 	nss3.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c
63 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
64 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
65 	xul.dll 	_SEH_epilog4 	
66 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
67 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
68 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
69 	nss3.dll 	nss3.dll@0x7960 	
70 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
71 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
72 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
73 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
74 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
75 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
76 	kernel32.dll 	BaseThreadInitThunk 	
77 	ntdll.dll 	__RtlUserThreadStart 	
78 	ntdll.dll 	_RtlUserThreadStart
See Also: → 970375
QA Whiteboard: qa+
Most of the installations affected are in Windows 7 (~90%), and most of the URLs where this happens (and where people have commented this happens) are yahoo.com related. From the list of URLs:

Total Count  URL
956          https://www.yahoo.com/
54           http://ca.yahoo.com/
30           http://in.yahoo.com/
29           https://www.yahoo.com/?ilc=1
The iSTD::FastMemCopy_SSE2_movntdq_movdqa signature exists with very low volume in previous versions, but spiked hugely in 29; the other signatures actually only exist in 29+ at all.
See Also: → 988642
I summed up the crash value of those in yesterday's data and saw that this ends up being the #1 crash on 29 that way; it also is very probably the main reason why overall crash volume of 29 is worse than 28.

Naveed, can you please have someone from the Graphics team take a look at this?

It's canvas2d calling D2D, crashing in the graphics driver (mostly Intel, sometimes NVidia), on Windows 7/8/8.1 (maybe also Vista).
Crash Signature: igd10umd32.dll@0xad92] [@ igd10umd32.dll@0x2a00] [@ igd10umd32.dll@0x1ed0] [@ igd10umd32.dll@0x8dd2] [@ igd10umd32.dll@0x2040] [@ igd10umd32.dll@0x20e0] [@ igd10umd32.dll@0x1df0] → igd10umd32.dll@0xad92] [@ igd10umd32.dll@0x2a00] [@ igd10umd32.dll@0x1ed0] [@ igd10umd32.dll@0x8dd2] [@ igd10umd32.dll@0x2040] [@ igd10umd32.dll@0x20e0] [@ igd10umd32.dll@0x1df0] [@ nvwgf2um.dll@0x72e3cf]
Flags: needinfo?(nihsanullah)
OK, I found that we also have some NVidia driver crashes in our 28->29 regression list that show the same kind of stack coming from CanvasRenderingContext2D::DrawImage. Reflecting that in bug summary and signatures.
Crash Signature: igd10umd32.dll@0xad92] [@ igd10umd32.dll@0x2a00] [@ igd10umd32.dll@0x1ed0] [@ igd10umd32.dll@0x8dd2] [@ igd10umd32.dll@0x2040] [@ igd10umd32.dll@0x20e0] [@ igd10umd32.dll@0x1df0] [@ nvwgf2um.dll@0x72e3cf] → igd10umd32.dll@0xad92] [@ igd10umd32.dll@0x2a00] [@ igd10umd32.dll@0x1ed0] [@ igd10umd32.dll@0x8dd2] [@ igd10umd32.dll@0x2040] [@ igd10umd32.dll@0x20e0] [@ igd10umd32.dll@0x1df0] [@ nvwgf2um.dll@0x72e3cf] [@ nvwgf2um.dll@0x60849f]
Summary: crash in iSTD::FastMemCopy_SSE2_movntdq_movdqa(void*, void const*, unsigned int) → crash in graphics driver (mostly Intel, sometimes NVidia) coming from CanvasRenderingContext2D::DrawImage
Looks like bug 986146 has the same kind of stack and a possible way to reproduce!
Component: Graphics: Layers → Canvas: 2D
Keywords: topcrash-win
Bah, I'm already mixing up JS and GFX leaders... ;-)

Milan, can you please have someone from the Graphics team take a look at this?

This is the #1 regression from 28 to 29 on Beta, happening with canvas2d calling D2D, crashing in the graphics driver (mostly Intel, sometimes NVidia), on Windows 7/8/8.1 (maybe also Vista); URLs mostly point to Yahoo.
Flags: needinfo?(nihsanullah) → needinfo?(milan)
Flags: needinfo?(milan)
As somebody mentioned from the sites earlier, the reports also show a lot of people talking about logging into Yahoo. I wonder if this is related to the Yahoo Toolbar or something that was added to the Yahoo website. Do we have a Yahoo account we can try to use to repro?
I suspect this might be a dupe of bug 973264. We should try testing with the r+'ed patch there.
(In reply to Bas Schouten (:bas.schouten) from comment #8)
> I suspect this might be a dupe of bug 973264. We should try testing with the
> r+'ed patch there.

The STR in bug 986146 are something where we can try to reproduce (and not on Yahoo, BTW) but the bug here is filed on the large crash volume on 29, to "test" if the patch helps there, we'll need to uplift to beta.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #9)
> (In reply to Bas Schouten (:bas.schouten) from comment #8)
> > I suspect this might be a dupe of bug 973264. We should try testing with the
> > r+'ed patch there.
> 
> The STR in bug 986146 are something where we can try to reproduce (and not
> on Yahoo, BTW) but the bug here is filed on the large crash volume on 29, to
> "test" if the patch helps there, we'll need to uplift to beta.

The patch is a little involved for beta. So at the very least we need to get some good testing on other branches. I think there's a fairly good chance it fixes things though.
(In reply to Bas Schouten (:bas.schouten) from comment #10)
> The patch is a little involved for beta. So at the very least we need to get
> some good testing on other branches. I think there's a fairly good chance it
> fixes things though.

Well, we at least will need to have this landed on Nightly for a few days and see https://crash-stats.mozilla.com/search/?signature=~iSTD%3A%3AFastMemCopy_SSE2_movntdq_movdqa&version=31.0a1&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform not listing post-landing builds in the build ID facet. If that works, we have data confirmation.
When it landed on Nightly, we can also have the guy in bug 986146 test and see if he still can reproduce.
I am stating the obvious but it would be nice to have this fixed for 29. FYI, beta 5 is going to build next Thursday.
From all the searches I have done on Nightly data, it doesn't look like this is fixed in yesterday's Nightly, even though bug 973264 should have been included there. I'll do more searches in the next days and have asked the reporter of bug 986146 to try if it's fixed on Nightly.
Can we get a comment with an update about this bug's volume and any correlations if available?
Flags: needinfo?(kairo)
(In reply to Lukas Blakk [:lsblakk] from comment #14)
> Can we get a comment with an update about this bug's volume and any
> correlations if available?

https://crash-stats.mozilla.com/topcrasher_ranks_bybug/?bug_number=988548 says none of the signatures in here do appear in any versions where bug 973264 has landed, and bug 986146 confirms that the reproducible way for this bug has been fixed as well, so I'm duping this to the bug that has the actual patch that landed. Also setting flags for the branches to verified to get it off the radars.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(kairo)
Resolution: --- → DUPLICATE
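
Added example, not part of the original bug report or of Mozilla's crash-stats tooling: the triage step described in the comments above, where crashes with different driver-offset signatures are counted as one problem when frame 0 is in a graphics driver and the stack passes through CanvasRenderingContext2D::DrawImage. It assumes stack rows are tab-separated as in the frame listing in this report; the sample stacks are constructed (the Intel rows are shortened from the stack above, and `hypothetical::OtherCaller` is a made-up frame).

```python
from collections import Counter

# Driver DLLs named in this bug's signatures (Intel and NVIDIA user-mode drivers).
DRIVER_MODULES = {"igd10umd32.dll", "nvwgf2um.dll"}
ENTRY_POINT = "mozilla::dom::CanvasRenderingContext2D::DrawImage"


def parse_frames(text):
    """Parse 'index<TAB>module<TAB>function[<TAB>source]' rows into (module, function)."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) >= 3 and parts[0].isdigit():
            frames.append((parts[1], parts[2]))
    return frames


def driver_via_entry(frames, entry=ENTRY_POINT):
    """Return the crashing driver module if frame 0 is in a driver and the
    stack passes through `entry`; otherwise None."""
    if not frames or frames[0][0] not in DRIVER_MODULES:
        return None
    for _module, function in frames[1:]:
        if function.split("(")[0] == entry:  # compare without the argument list
            return frames[0][0]
    return None


def summarize(stacks):
    """Count matching crashes per driver module across many stack dumps."""
    hits = (driver_via_entry(parse_frames(s)) for s in stacks)
    return Counter(h for h in hits if h)


# Constructed sample input: the Intel rows are shortened from the stack in this
# report; the NVIDIA and unrelated stacks are made up for illustration.
INTEL = ("0 \tigd10umd32.dll \tiSTD::FastMemCopy(void *,void const *,unsigned int) \t\n"
         "28 \td3d11.dll \tCDevice::CreateTexture2D(D3D11_TEXTURE2D_DESC const *) \t\n"
         "39 \txul.dll \tmozilla::dom::CanvasRenderingContext2D::DrawImage(double,double) \t\n")
NVIDIA = ("0 \tnvwgf2um.dll \tnvwgf2um.dll@0x72e3cf \t\n"
          "1 \td2d1.dll \td2d1.dll@0x2cf3d6 \t\n"
          "2 \txul.dll \tmozilla::dom::CanvasRenderingContext2D::DrawImage(double,double) \t\n")
OTHER = ("0 \tigd10umd32.dll \tigd10umd32.dll@0x2a00 \t\n"
         "1 \txul.dll \thypothetical::OtherCaller() \t\n")

if __name__ == "__main__":
    print(summarize([INTEL, NVIDIA, OTHER]))
```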