Open Bug 1339008 Opened 8 years ago Updated 2 years ago

Assertion failure in mozilla::gfx::CopyRect

Categories

(Core :: Graphics, defect, P5)

Product:
Core
Component:
Graphics
Version:
51 Branch
Platform:
Other
NetBSD
Type:
defect

Tracking

()

People

(Reporter: martin, Unassigned)

References

Details

(Whiteboard: [gfx-noted])

On NetBSD/sparc64 (so big endian) and a native display (radeon based) that says in xdpyinfo: red, green, blue masks: 0xff0000, 0xff00, 0xff I got this crash once (and couldn't yet reproduce it): #0 0xffffffffbfddb474 in mozilla::gfx::CopyRect (aSrc=aSrc@entry=0xffffffff92abc200, aDest=aDest@entry=0xffffffff96cde980, aSrcRect=..., aDestPoint=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/DataSurfaceHelpers.cpp:323 #1 0xffffffffbfde81f8 in mozilla::gfx::GetDataSurfaceInRect (aSurface=aSurface@entry=0xffffffff91fc9bc0, aSurfaceRect=..., aDestRect=..., aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:438 #2 0xffffffffbfdf362c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface (this=this@entry=0xffffffff96e4d2f0, aInputEnumIndex=aInputEnumIndex@entry=0, aRect=..., aFormatHint=aFormatHint@entry=mozilla::gfx::FilterNodeSoftware::CAN_HANDLE_A8, aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE, aTransparencyPaddedSourceRect=0x0) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:744 #3 0xffffffffbfdf50c8 in mozilla::gfx::FilterNodeTransformSoftware::Render (this=0xffffffff96e4d2f0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:1100 #4 0xffffffffbfde8cb8 in mozilla::gfx::FilterNodeSoftware::GetOutput (this=0xffffffff96e4d2f0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:613 #5 0xffffffffbfdf37d0 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface (this=this@entry=0xffffffff933d0fb0, aInputEnumIndex=aInputEnumIndex@entry=0, aRect=..., aFormatHint=aFormatHint@entry=mozilla::gfx::FilterNodeSoftware::CAN_HANDLE_A8, aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE, aTransparencyPaddedSourceRect=0x0) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:714 #6 0xffffffffbfdf4864 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render (this=0xffffffff933d0fb0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:3183 #7 0xffffffffbfde8cb8 in mozilla::gfx::FilterNodeSoftware::GetOutput (this=0xffffffff933d0fb0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:613 #8 0xffffffffbfdf37d0 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface (this=this@entry=0xffffffff933f5970, aInputEnumIndex=aInputEnumIndex@entry=0, aRect=..., aFormatHint=aFormatHint@entry=mozilla::gfx::FilterNodeSoftware::CAN_HANDLE_A8, aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE, aTransparencyPaddedSourceRect=0x0) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:714 #9 0xffffffffbfdf3d40 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render (this=0xffffffff933f5970, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:1767 #10 0xffffffffbfde8cb8 in mozilla::gfx::FilterNodeSoftware::GetOutput (this=0xffffffff933f5970, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:613 #11 0xffffffffbfdf37d0 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface (this=this@entry=0xffffffff933d15e0, aInputEnumIndex=aInputEnumIndex@entry=0, aRect=..., aFormatHint=aFormatHint@entry=mozilla::gfx::FilterNodeSoftware::CAN_HANDLE_A8, aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE, aTransparencyPaddedSourceRect=0x0) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:714 #12 0xffffffffbfdf47c4 in mozilla::gfx::FilterNodePremultiplySoftware::Render (this=0xffffffff933d15e0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:3154 #13 0xffffffffbfde8cb8 in mozilla::gfx::FilterNodeSoftware::GetOutput (this=0xffffffff933d15e0, aRect=...) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/gfx/2d/FilterNodeSoftware.cpp:613 #14 0xffffffffbfdf37d0 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface (this=this@entry=0xffffffff93dd0620, aInputEnumIndex=aInputEnumIndex@entry=1, aRect=..., aFormatHint=aFormatHint@entry=mozilla::gfx::FilterNodeSoftware::NEED_COLOR_CHANNELS, aEdgeMode=aEdgeMode@entry=mozilla::gfx::EDGE_MODE_NONE, aTransparencyPaddedSourceRect=0x0) (gdb) list 318 if (aSrcRect.Overflows() || 319 IntRect(aDestPoint, aSrcRect.Size()).Overflows()) { 320 MOZ_CRASH("GFX: we should never be getting invalid rects at this point"); 321 } 322 323 MOZ_RELEASE_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), 324 "GFX: different surface formats"); 325 MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), 326 "GFX: source rect too big for source surface"); 327 MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(IntRect(aDestPoint, aSrcRect.Size())), (so hitting the "different surface formats" assertion) Sorry for the incomplete backtrace, gdb was in a local window and the X server was not happy while the stopped process locking something in there (I guess). (gdb) p *aSrc $1 = (mozilla::gfx::DataSourceSurfaceWrapper) {<mozilla::gfx::DataSourceSurface> = {<mozilla::gfx::SourceSurface> = {<mozilla::external::AtomicRefCounted<mozilla::gfx::SourceSurface>> = {<mozilla::detail::RefCounted<mozilla::gfx::SourceSurface, (mozilla::detail::RefCountAtomicity)0>> = { mRefCnt = {<mozilla::detail::AtomicBaseIncDec<unsigned long, (mozilla::MemoryOrdering)2>> = {<mozilla::detail::AtomicBase<unsigned long, (mozilla::MemoryOrdering)2>> = {mValue = {<std::__atomic_base<unsigned long>> = {static _S_alignment = 8, _M_i = 1}, <No data fields>}}, <No data fields>}, <No data fields>}}, <No data fields>}, _vptr.SourceSurface = 0xffffffffc32227a8 <vtable for mozilla::gfx::DataSourceSurfaceWrapper+16>, mUserData = {count = 0, entries = 0x0}}, mIsMapped = false}, mSurface = {mRawPtr = 0xffffffff921f56d0}} (gdb) p *aDest $2 = (mozilla::gfx::SourceSurfaceAlignedRawData) {<mozilla::gfx::DataSourceSurface> = {<mozilla::gfx::SourceSurface> = {<mozilla::external::AtomicRefCounted<mozilla::gfx::SourceSurface>> = {<mozilla::detail::RefCounted<mozilla::gfx::SourceSurface, (mozilla::detail::RefCountAtomicity)0>> = { mRefCnt = {<mozilla::detail::AtomicBaseIncDec<unsigned long, (mozilla::MemoryOrdering)2>> = {<mozilla::detail::AtomicBase<unsigned long, (mozilla::MemoryOrdering)2>> = {mValue = {<std::__atomic_base<unsigned long>> = {static _S_alignment = 8, _M_i = 1}, <No data fields>}}, <No data fields>}, <No data fields>}}, <No data fields>}, _vptr.SourceSurface = 0xffffffffc32225e8 <vtable for mozilla::gfx::SourceSurfaceAlignedRawData+16>, mUserData = { count = 0, entries = 0x0}}, mIsMapped = false}, mArray = {mPtr = 0xffffffff9754c000 "", mStorage = 0xffffffff9754c000 "", mCount = 1024}, mStride = 64, mFormat = mozilla::gfx::SurfaceFormat::A8R8G8B8, mSize = {<mozilla::gfx::BaseSize<int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> >> = {{{width = 16, height = 16}, components = {16, 16}}}, <mozilla::gfx::UnknownUnits> = {<No data fields>}, <No data fields>}, mMapCount = {<mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2>> = {<mozilla::detail::AtomicBase<int, (mozilla::MemoryOrdering)2>> = {mValue = {<std::__atomic_base<int>> = {static _S_alignment = 4, _M_i = 0}, <No data fields>}}, <No data fields>}, <No data fields>}} (gdb) p aSrc->GetFormat() $3 = mozilla::gfx::SurfaceFormat::B8G8R8A8 (gdb) p aDest->GetFormat() $4 = mozilla::gfx::SurfaceFormat::A8R8G8B8 I guess this is related to bug 1269654.
See Also: → 1269654
I can reproduce it by going to https://github.com/rust-lang/rust/blob/master/src/librustc_back/target/mod.rs (or likely any src in there) and right-clicking on a soure line. When popping up the context menu, or if that happens to work, when closing it by clicking somewhere else, the assertion hits.
Or actually by right-clicking an empty page - it is trying to display the new navigation icons (back, forward, reload, bookmark) in the context menu. Any pointers where those graphic resources get loaded and why it is done wrong here, but not on the main toolbar?
Found the resource: it is svg (browser/themes/shared/content-contextmenu.svg), while the main toolbar is extracted from png.
Priority: -- → P5
Whiteboard: [gfx-noted]
Seeing this on PowerPC 64 (BE) with Firefox 52.9.0 ESR on Linux/musl as well. Assertion failure: aSrc->GetFormat() == aDest->GetFormat() (GFX: different surface formats), at /usr/src/packages/user/firefox-esr/src/firefox-52.9.0esr/gfx/2d/DataSurfaceHelpers.cpp:324 followed by the same segmentation fault reporter saw. This machine is also using a Radeon, and xdpyinfo matches: Extended renderer info (GLX_MESA_query_renderer): Vendor: X.Org (0x1002) Device: AMD CAICOS (DRM 2.50.0 / 4.14.48-mc8-easy, LLVM 4.0.0) (0x6779) Version: 18.1.3 Accelerated: yes Video memory: 2048MB Unified memory: no Preferred profile: core (0x1) Max core profile version: 3.2 Max compat profile version: 3.1 Max GLES1 profile version: 1.1 Max GLES[23] profile version: 3.1 screen #0: dimensions: 1920x1080 pixels (508x285 millimeters) resolution: 96x96 dots per inch depths (7): 24, 1, 4, 8, 15, 16, 32 root window id: 0x4d7 depth of root window: 24 planes number of colormaps: minimum 1, maximum 1 default colormap: 0x20 default number of colormap cells: 256 preallocated pixels: black 0, white 16777215 options: backing-store WHEN MAPPED, save-unders NO largest cursor: 64x64 current input event mask: 0xfa8031 KeyPressMask EnterWindowMask LeaveWindowMask ExposureMask StructureNotifyMask SubstructureNotifyMask SubstructureRedirectMask FocusChangeMask PropertyChangeMask ColormapChangeMask number of visuals: 504 default visual id: 0x21 visual: visual id: 0x21 class: TrueColor depth: 24 planes available colormap entries: 256 per subfield red, green, blue masks: 0xff0000, 0xff00, 0xff significant bits in color specification: 8 bits
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.