Closed Bug 1423311 Opened 2 years ago Closed 5 months ago

blob-images: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image]

Categories

(Core :: Graphics: WebRender, defect, P3, critical)

Unspecified
All
defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox57 --- disabled
firefox58 --- disabled
firefox59 --- disabled
firefox60 --- disabled
firefox61 --- disabled
firefox62 --- disabled

People

(Reporter: truber, Unassigned)

References

(Blocks 4 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [wr-mvp] [triage])

Crash Data

Attachments

(1 file)

Attached file testcase.html
The attached testcase caused a panic while fuzzing m-c rev 20171205-b4cef8d1dff0 with these prefs:

    user_pref("layers.acceleration.force-enabled", true);
    user_pref("gfx.webrender.enabled", true);
    user_pref("gfx.webrender.blob-images", true);


thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value', /checkout/src/libcore/option.rs:335:20
stack backtrace:
   0:     0x7f45b10abda3 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::h8ed7485deb8ab958
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x7f45b10aa43c - std::panicking::default_hook::{{closure}}::h0088fe51b67c687c
                               at /checkout/src/libstd/sys_common/backtrace.rs:69
                               at /checkout/src/libstd/sys_common/backtrace.rs:58
                               at /checkout/src/libstd/panicking.rs:381
   2:     0x7f45b10a9e6d - std::panicking::default_hook::hf425c768c5ffbbad
                               at /checkout/src/libstd/panicking.rs:397
   3:     0x7f45b10a9941 - std::panicking::rust_panic_with_hook::h25b934bb4484e9e0
                               at /checkout/src/libstd/panicking.rs:577
   4:     0x7f45b10a982b - std::panicking::begin_panic::h59483e27e93d7bc6
                               at /checkout/src/libstd/panicking.rs:538
   5:     0x7f45b10a97b9 - std::panicking::begin_panic_fmt::h5f221297e8a3dbdb
                               at /checkout/src/libstd/panicking.rs:522
   6:     0x7f45b10b9662 - core::panicking::panic_fmt::h4d1ab9bae1f32475
                               at /checkout/src/libstd/panicking.rs:498
   7:     0x7f45b10bb226 - core::panicking::panic::h8ce57b1f932a0889
                               at /checkout/src/libcore/panicking.rs:51
   8:     0x7f45b0d477ad - webrender::resource_cache::ResourceCache::request_image::h5a2149daef161431
                               at /checkout/src/libcore/macros.rs:20
                               at /builds/worker/workspace/build/src/gfx/webrender/src/resource_cache.rs:561
   9:     0x7f45b0d45d3d - webrender::clip::ClipSources::update::h2232fd80dfbbd1d4
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip.rs:240
  10:     0x7f45b0d4ef63 - webrender::clip_scroll_node::ClipScrollNode::update::h18c220158e01d49d
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_node.rs:349
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_node.rs:286
  11:     0x7f45b0d28a46 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:400
  12:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  13:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  14:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  15:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  16:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  17:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  18:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  19:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  20:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  21:     0x7f45b0d28b40 - webrender::clip_scroll_tree::ClipScrollTree::update_node::hbfe493ec5fe33ba0
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:414
  22:     0x7f45b0d22d5a - webrender::render_backend::Document::render::hbca4070b23c51ce7
                               at /builds/worker/workspace/build/src/gfx/webrender/src/clip_scroll_tree.rs:368
                               at /builds/worker/workspace/build/src/gfx/webrender/src/frame_builder.rs:1702
                               at /builds/worker/workspace/build/src/gfx/webrender/src/frame.rs:1182
                               at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:117
  23:     0x7f45b0d16340 - webrender::render_backend::RenderBackend::process_document::hcc8ad1271fe1f961
                               at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:419
  24:     0x7f45b0d07345 - webrender::render_backend::RenderBackend::run::ha1b0869f3e969d22
                               at /builds/worker/workspace/build/src/gfx/webrender/src/render_backend.rs:491
  25:     0x7f45b0d05957 - std::sys_common::backtrace::__rust_begin_short_backtrace::h0aa9d3d182377cab
                               at /builds/worker/workspace/build/src/gfx/webrender/src/renderer.rs:1988
                               at /checkout/src/libstd/sys_common/backtrace.rs:134
  26:     0x7f45b0d04f66 - <F as alloc::boxed::FnBox<A>>::call_box::hab3e6d66a857965e
                               at /checkout/src/libstd/thread/mod.rs:400
                               at /checkout/src/libstd/panic.rs:296
                               at /checkout/src/libstd/panicking.rs:480
                               at /checkout/src/libpanic_abort/lib.rs:38
                               at /checkout/src/libstd/panic.rs:361
                               at /checkout/src/libstd/thread/mod.rs:399
                               at /checkout/src/liballoc/boxed.rs:726
  27:     0x7f45b10b6ab3 - std::sys::imp::thread::Thread::new::thread_start::hbaf1b5aa1ca8e3ea
                               at /checkout/src/liballoc/boxed.rs:736
                               at /checkout/src/libstd/sys_common/thread.rs:24
                               at /checkout/src/libstd/sys/unix/thread.rs:90
  28:     0x7f45c2663089 - start_thread
  29:     0x7f45c16a447e - __clone
  30:                0x0 - <unknown>
Flags: in-testsuite?
See Also: → 1422600
https://bugzilla.mozilla.org/attachment.cgi?id=8934650

(main profile)
Meldungs-ID 	Sendedatum
bp-59969c38-b8bb-4eb6-8aab-a69170171205	05.12.17 20:45 [@ @0x408388 ]
> called `Option::unwrap()` on a `None` value
bp-b6e23d93-f6ed-4b5d-9a90-5c2ff0171205	05.12.17 20:45 [@ nsObserverService::RemoveObserver ]
> MOZ_CRASH(Using observer service off the main thread!)
bp-9af04407-a0a0-482c-ae1b-ceeec0171205	05.12.17 20:45 [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ]
> called `Option::unwrap()` on a `None` value
bp-41709944-c799-497c-bb08-5fde10171205	05.12.17 20:45 [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ]
> called `Option::unwrap()` on a `None` value
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ]
Does the testcase reliably reproduce the crash for you? What platform did you see this on? Did your build have anything special in the mozconfig (or did you use a stock build from treeherder)?
Flags: needinfo?(jschwartzentruber)
Yes, it is 100% reliable for me. This reproduces on the latest linux x86-64 builds (asan-opt & debug) and macosx64 builds (opt & debug) from taskcluster. It did not reproduce for me on windows 10.
Flags: needinfo?(jschwartzentruber)
I could reproduce the crash.
On debug build on linux, I saw the following log. It seems like a similar problem to  Bug 1391255 Comment 13.

> [GFX3-]: Surface size too large (exceeds extent limit)!
(In reply to Sotaro Ikeda [:sotaro] from comment #4)
> I could reproduce the crash.

When gfx.webrender.blob-images was not true, I did not saw the crash.
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] → [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ]
https://bug1423311.bmoattachments.org/attachment.cgi?id=8934650

bp-6769afc9-a998-4606-9c12-d0c610180425
bp-93392446-67e7-41c4-ac59-307360180425
bp-76972dfe-f63c-4d5a-8d71-1a6a60180425

layers.acceleration.force-enabled;true
gfx.webrender.enabled;true
gfx.webrender.blob-images;TRUE
gfx.webrender.hit-test;true
gfx.webrender.blob.invalidation;false
gfx.webrender.async-scene-build;0 
-> bp-3ee67036-9482-4f26-961a-ed1c50180425

layers.acceleration.force-enabled;true
gfx.webrender.enabled;true
gfx.webrender.blob-images;FALSE
gfx.webrender.hit-test;true
gfx.webrender.blob.invalidation;false
gfx.webrender.async-scene-build;0
-> does not crash without blob-images

bug 1455743 comment 3 has the same crash signature, but is only reproducible if gfx.webrender.async-scene-build is enabled.
Severity: normal → critical
Has STR: --- → yes
OS: Unspecified → All
See Also: → 1455743
Summary: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image] → blob-images: thread 'WRRenderBackend#1' panicked at 'called `Option::unwrap()` on a `None` value' in [@ webrender::resource_cache::ResourceCache::request_image]
Crash Signature: [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ] → [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image ] [@ @0x408388 ] [@ mozalloc_abort | abort | webrender::resource_cache::{{impl}}::request_image ] [@ static void webrender::resource_cache::ResourceCache::request_image…
Crash Signature: webrender::resource_cache::ResourceCache::request_image ] → webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ]
Crash Signature: webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ] → webrender::resource_cache::ResourceCache::request_image ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::ha39c875c886d8c35 ] [@ mozalloc_abort | abort | webrender::resource_cache::ResourceCache::request_image::hb69…
Looks like the symbols aren't getting demangled, and so the step that's supposed to filter out the rust panic boilerplate stack frames out of the signature isn't getting triggered.
See Also: → 1474871
Blocks: wr-fuzz
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
My god.

(In reply to Jesse Schwartzentruber (:truber) from comment #0)
> Created attachment 8934650 [details]
> testcase.html

bp-e153490b-b6bd-4170-bdc0-3824a0181001
> called `Option::unwrap()` on a `None` value
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

The fuzzers last hit this issue in November 2018. Can we close this?

Not a problem anymore.

Status: REOPENED → RESOLVED
Closed: 2 years ago5 months ago
Resolution: --- → FIXED

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Resolution: FIXED → WORKSFORME
You need to log in before you can comment on or make changes to this bug.