Closed Bug 1208071 Opened 9 years ago Closed 9 years ago

abort crash in mozilla::layers::PImageBridgeChild::Write

Categories

(Core :: Graphics: Layers, defect)

Product:
Core
Component:
Graphics: Layers
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox42 + fixed
firefox43 --- fixed
firefox44 --- fixed

People

(Reporter: kairo, Assigned: nical)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Make sure we never add a texture in a weird state to a transaction (beta)
(deleted), patch
sotaro
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
[Tracking Requested - why for this release]:

This bug was filed from the Socorro interface and is 
report bp-aa8091d3-7e50-43af-94a4-5581a2150924.
=============================================================

Strack Trace:
0 	mozglue.dll 	mozalloc_abort(char const* const) 	memory/mozalloc/mozalloc_abort.cpp
1 	xul.dll 	NS_DebugBreak 	xpcom/base/nsDebugImpl.cpp
2 	xul.dll 	mozilla::layers::PImageBridgeChild::Write(mozilla::layers::PCompositableChild*, IPC::Message*, bool) 	obj-firefox/ipc/ipdl/PImageBridgeChild.cpp
3 	xul.dll 	mozilla::layers::PImageBridgeChild::Write(mozilla::layers::CompositableOperation const&, IPC::Message*) 	obj-firefox/ipc/ipdl/PImageBridgeChild.cpp
4 	xul.dll 	mozilla::layers::PImageBridgeChild::SendUpdateNoSwap(nsTArray<mozilla::layers::CompositableOperation> const&) 	obj-firefox/ipc/ipdl/PImageBridgeChild.cpp
5 	xul.dll 	mozilla::layers::ImageBridgeChild::EndTransaction() 	gfx/layers/ipc/ImageBridgeChild.cpp
6 	xul.dll 	mozilla::ipc::MessageChannel::MaybeHandleError(mozilla::ipc::HasResultCodes::Result, IPC::Message const&, char const*) 	ipc/glue/MessageChannel.cpp
7 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c
8 	xul.dll 	nsTArray_Impl<mozilla::layers::ImageClientSingle::Buffer, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) 	xpcom/glue/nsTArray.h
9 	xul.dll 	nsTArray_Impl<mozilla::layers::ImageClientSingle::Buffer, nsTArrayInfallibleAllocator>::Clear() 	xpcom/glue/nsTArray.h
10 	xul.dll 	mozilla::layers::ImageClientSingle::FlushAllImages(mozilla::layers::AsyncTransactionWaiter*) 	gfx/layers/client/ImageClient.cpp
11 	xul.dll 	mozilla::layers::FlushAllImagesSync 	gfx/layers/ipc/ImageBridgeChild.cpp
12 	xul.dll 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc


This seems to have started spiking in 42, both Dev Edition and Beta 1, and is now the #3 with 2.2% of all 42 Beta 1 crashes.
auto PImageBridgeChild::Write(
...
            NS_RUNTIMEABORT("actor has been |delete|d");
Depends on: 1207220
:nical, this is a top crasher on beta, so let's follow up on this or the blocking bug you entered without waiting too long.
Flags: needinfo?(nical.bugzilla)
The stacks are a bit odd (I can't imagine how destroying a TextureChild could cause EndTransaction further down the stack, so I don't trust stack frames above the EndTransaction parent).
This patch attempts to paper over the issue by making sure we do have a valid actor when we add it to the transaction. It should always be the case but It's not going to be easy to find out what puts us in this state this late in beta, so hopefully this will remove the crash.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)
Attachment #8667889 - Flags: review?(sotaro.ikeda.g)
No longer depends on: 1207220
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1207220
Attachment #8667889 - Flags: review?(sotaro.ikeda.g) → review+
Comment on attachment 8667889 [details] [diff] [review]
Make sure we never add a texture in a weird state to a transaction (beta)

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: top crash
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: rather low. The patch is simple.
[String/UUID change made/needed]:
Attachment #8667889 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/bc3d04197a9b
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment on attachment 8667889 [details] [diff] [review]
Make sure we never add a texture in a weird state to a transaction (beta)

Taking it, should be in b3 or b4.
Attachment #8667889 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Carsten Book [:Tomcat] from comment #8)
> https://hg.mozilla.org/releases/mozilla-beta/rev/3da1f59bedfa

landed by nical, but since pulsebot does not mark bugs in aurora/beta i did the marking now
(In reply to Carsten Book [:Tomcat] from comment #9)
> landed by nical, but since pulsebot does not mark bugs in aurora/beta i did
> the marking now

oops sorry, spoiled by the habbit of letting pulsebot do work for me :)
Looks like you forgot aurora here :)
tracking-firefox42: ?+
Flags: needinfo?(nical.bugzilla)
Attachment #8667889 - Flags: approval-mozilla-aurora?
Comment on attachment 8667889 [details] [diff] [review]
Make sure we never add a texture in a weird state to a transaction (beta)

Thanks!
Attachment #8667889 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Blocks: 1215195
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: