Closed Bug 1757568 Opened 3 years ago Closed 3 years ago

SIGSEGV / SEGV_MAPERR in [@ moz_container_wayland_frame_callback_handler]

Categories

(Core :: Widget: Gtk, defect, P3)

Product:
Core
Component:
Widget: Gtk
Version:
Firefox 99
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
100 Branch
Tracking Flags:
Tracking Status
firefox99 --- wontfix
firefox100 --- fixed

People

(Reporter: q23456yuiop, Assigned: stransky)

References

(Blocks 1 open bug)

Details

Crash Data

Attachments

(4 files, 1 obsolete file)

fnightly.log
38.80 KB, text/x-log
Details
fnightly_2.log
615.57 KB, text/x-log
Details
Bug 1757568 [Wayland] Don't crash when MozContainer is unmapped in moz_container_wayland_frame_callback_handler r?emilio
48 bytes, text/x-phabricator-request
Details | Review
Bug 1757568 [Wayland] Always clear wayland frame callback in moz_container_wayland_frame_callback_handler() r?emilio
48 bytes, text/x-phabricator-request
Details | Review

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/2b46ba87-3b33-4dae-9210-166e00220301

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(wl_container->surface) (Should have surface if we're ready to draw)

Top 10 frames of crashing thread:

0 libxul.so moz_container_wayland_frame_callback_handler widget/gtk/MozContainerWayland.cpp:252
1 libxul.so RunnableFunction<void  ipc/chromium/src/base/task.h:324
2 libxul.so mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:770
3 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:467
4 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:85
5 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:306
6 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137
7 libxul.so nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:295
8 libxul.so XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:5731
9 libxul.so XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:5916

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: General → Widget: Gtk
Product: Firefox → Core

My environment is sway 1.7 with wlroots 0.15.1. Could this be somehow related?

Martin, could you take a look at this? See also bug 1744800.

Flags: needinfo?(stransky)

Do you know how that happens? If so, can you try to reproduce it with MOZ_LOG="Widget:5 WidgetPopup:5" env variable and attach the log here?
Thanks.

Flags: needinfo?(stransky) → needinfo?(q23456yuiop)
Attached file fnightly.log (obsolete) —
Flags: needinfo?(q23456yuiop)

(In reply to Martin Stránský [:stransky] (ni? me) from comment #4)

Do you know how that happens? If so, can you try to reproduce it with MOZ_LOG="Widget:5 WidgetPopup:5" env variable and attach the log here?
Thanks.

I'm not sure how this happens but the log is attached.

Attached file fnightly.log

See this instead as the old log wasn't one that ended with a crash.

Attachment #9266446 - Attachment is obsolete: true

Thanks, that explains it. Please run again with MOZ_LOG="Widget:5 WidgetPopup:5 WidgetWayland:5" and attach the log here when it crashes.
Thanks.

Flags: needinfo?(q23456yuiop)
Blocks: wayland-sway
Summary: SIGSEGV / SEGV_MAPERR in [@ moz_container_wayland_frame_callback_handler] → [Sway] SIGSEGV / SEGV_MAPERR in [@ moz_container_wayland_frame_callback_handler]
Attached file fnightly_2.log
Flags: needinfo?(q23456yuiop)

I had the same crash on KDE Wayland (5.24.3), so I guess this isn't specific to Sway. It happened when I closed a tab with a left-click on the X button, but I can't reproduce it. If anyone knows how to reproduce it, please post it here.

Version 100.0a1 for me, so adding this.

status-firefox100: --- → affected

Just repro'd on Ubuntu 21.10 running GNOME3: https://crash-stats.mozilla.org/report/index/2f7aeb8d-b20a-4f7b-8367-617d10220314
Happened while I was switching tabs?

Summary: [Sway] SIGSEGV / SEGV_MAPERR in [@ moz_container_wayland_frame_callback_handler] → SIGSEGV / SEGV_MAPERR in [@ moz_container_wayland_frame_callback_handler]

repro'd again, while I inadvertantly dragged a tab nowhere. I can't repro after restarting browser.

Martin, can we make that block wayland rather than wayland-sway? it's definitively NOT related to sway.

Flags: needinfo?(stransky)
Flags: needinfo?(stransky)
Priority: -- → P3
Flags: needinfo?(stransky)

I think the sequence is:

  1. moz_container_wayland_map_event -> moz_container_wayland_surface_create_locked() where wl_container->commit_to_parent is true
    so we call NS_DispatchToCurrentThread(moz_container_wayland_frame_callback_handler())

  2. moz_container_wayland_unmap, wl_container->surface is set to null

  3. moz_container_wayland_frame_callback_handler() is called from NS_DispatchToCurrentThread

Flags: needinfo?(stransky)
Assignee: nobody → stransky
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by stransky@redhat.com: https://hg.mozilla.org/integration/autoland/rev/91156d5a1f00 [Wayland] Don't crash when MozContainer is unmapped in moz_container_wayland_frame_callback_handler r=emilio

ni? for the phab reply. No rush either way tho

Flags: needinfo?(stransky)

https://hg.mozilla.org/mozilla-central/rev/91156d5a1f00

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox100: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
Flags: needinfo?(stransky)
Pushed by stransky@redhat.com: https://hg.mozilla.org/integration/autoland/rev/6889b3ebf318 [Wayland] Always clear wayland frame callback in moz_container_wayland_frame_callback_handler() r=emilio
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: