Closed Bug 1428946 Opened 2 years ago Closed 2 years ago

Assertion failure: mIsMapped, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/2D.h:530

Categories

(Core :: Graphics, defect, P3)

59 Branch
defect

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People

(Reporter: jkratzer, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [gfx-noted])

Attachments

(3 files, 1 obsolete file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev ca379fcca95b.

OS|Linux|0.0.0 Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::gfx::DataSourceSurface::Unmap|hg:hg.mozilla.org/mozilla-central:gfx/2d/2D.h:ca379fcca95b|530|0x5
0|1|libxul.so|mozilla::gfx::DataSourceSurface::ScopedMap::~ScopedMap|hg:hg.mozilla.org/mozilla-central:gfx/2d/2D.h:ca379fcca95b|470|0x6
0|2|libxul.so|mozilla::gfx::ApplyBlending_SIMD<__vector(2) long long int, __vector(2) long long int, __vector(2) long long int, (mozilla::gfx::BlendMode)1u>|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterProcessingSIMD-inl.h:ca379fcca95b|300|0xc
0|3|libxul.so|mozilla::gfx::FilterProcessing::ApplyBlending_SSE2|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterProcessingSIMD-inl.h:ca379fcca95b|356|0x5
0|4|libxul.so|mozilla::gfx::FilterProcessing::ApplyBlending|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterProcessing.cpp:ca379fcca95b|61|0x8
0|5|libxul.so|mozilla::gfx::FilterNodeBlendSoftware::Render|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|997|0x16
0|6|libxul.so|mozilla::gfx::FilterNodeSoftware::GetOutput|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|618|0x13
0|7|libxul.so|mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|719|0x28
0|8|libxul.so|mozilla::gfx::FilterNodeCropSoftware::Render|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|3131|0x30
0|9|libxul.so|mozilla::gfx::FilterNodeSoftware::GetOutput|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|618|0x13
0|10|libxul.so|mozilla::gfx::FilterNodeSoftware::Draw|hg:hg.mozilla.org/mozilla-central:gfx/2d/FilterNodeSoftware.cpp:ca379fcca95b|571|0x1a
0|11|libxul.so|mozilla::gfx::FilterSupport::RenderFilterDescription|hg:hg.mozilla.org/mozilla-central:gfx/src/FilterSupport.cpp:ca379fcca95b|1361|0x1c
0|12|libxul.so|nsFilterInstance::Render|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:ca379fcca95b|524|0x5
0|13|libxul.so|nsFilterInstance::PaintFilteredFrame|hg:hg.mozilla.org/mozilla-central:layout/svg/nsFilterInstance.cpp:ca379fcca95b|100|0x12
0|14|libxul.so|nsSVGIntegrationUtils::PaintFilter|hg:hg.mozilla.org/mozilla-central:layout/svg/nsSVGIntegrationUtils.cpp:ca379fcca95b|1100|0x1d
0|15|libxul.so|nsDisplayFilter::PaintAsLayer|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:ca379fcca95b|9850|0x5
0|16|libxul.so|mozilla::FrameLayerBuilder::PaintItems|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:ca379fcca95b|3685|0x19
0|17|libxul.so|mozilla::FrameLayerBuilder::DrawPaintedLayer|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:ca379fcca95b|6202|0x18
0|18|libxul.so|mozilla::layers::ClientPaintedLayer::PaintThebes|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientPaintedLayer.cpp:ca379fcca95b|164|0x24
0|19|libxul.so|mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientPaintedLayer.cpp:ca379fcca95b|314|0xb
0|20|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:ca379fcca95b|58|0xd
0|21|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:ca379fcca95b|362|0xa
0|22|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:ca379fcca95b|426|0x11
0|23|libxul.so|nsDisplayList::PaintRoot|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:ca379fcca95b|2650|0x17
0|24|libxul.so|nsLayoutUtils::PaintFrame|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:ca379fcca95b|3948|0x5
0|25|libxul.so|mozilla::PresShell::Paint|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:ca379fcca95b|6486|0x17
0|26|libxul.so|nsViewManager::ProcessPendingUpdatesPaint|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:ca379fcca95b|480|0x12
0|27|libxul.so|nsViewManager::ProcessPendingUpdatesForView|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:ca379fcca95b|412|0xd
0|28|libxul.so|nsViewManager::ProcessPendingUpdates|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:ca379fcca95b|1102|0x11
0|29|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:ca379fcca95b|2046|0x8
0|30|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:ca379fcca95b|306|0xf
0|31|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:ca379fcca95b|328|0x12
0|32|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:ca379fcca95b|769|0x5
0|33|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:ca379fcca95b|583|0xc
0|34|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:ca379fcca95b|68|0x9
0|35|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:06086093ccb59dd5a99cf8c9f9fb7f4860fd8ddbfd516af5e5b3508be62029679421dcf2abdf6b1c945b6a054050bd403c9574aad49f857cb4a31d3f4cf56b9a/ipc/ipdl/PVsyncChild.cpp:|155|0xf
0|36|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:ca379fcca95b|2110|0x6
0|37|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:ca379fcca95b|2040|0xb
0|38|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:ca379fcca95b|1886|0xb
0|39|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:ca379fcca95b|1919|0xc
0|40|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ca379fcca95b|1040|0x15
0|41|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:ca379fcca95b|517|0x11
0|42|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ca379fcca95b|97|0xa
0|43|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ca379fcca95b|326|0x17
0|44|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ca379fcca95b|319|0x8
0|45|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:ca379fcca95b|157|0xd
0|46|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:ca379fcca95b|875|0x11
0|47|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ca379fcca95b|269|0x5
0|48|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ca379fcca95b|326|0x17
0|49|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ca379fcca95b|319|0x8
0|50|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:ca379fcca95b|701|0x8
0|51|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:ca379fcca95b|63|0x14
0|52|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:ca379fcca95b|280|0x11
0|53|libc-2.23.so||||0x20830
0|54|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:ca379fcca95b|165|0x5
Flags: in-testsuite?
It appears aInput1 and aInput2 surfaces are actually the same DataSourceSurfaceWrapper object, which wraps a SourceSurfaceSkia object (on Linux). I see a couple of problems:

1) DataSourceSurfaceWrapper doesn't forward its Map/Unmap calls to the underlying surface.
2) Even if the above was fixed, SourceSurfaceSkia doesn't support multiple read-only mappings (deadlock on the mutex).

While the test case uses ApplyBlending_SIMD, I suspect ApplyArithmeticCombine_SIMD also needs to be fixed. A possibly naive approach would be just to implement one-input variants of the methods (it could save on the loads at the very least) and thus only have one mapping.
Priority: -- → P3
Whiteboard: [gfx-noted]
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
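The failure mode described in the comment above (both filter inputs being the same surface object), as an added example that is not part of the bug report or Mozilla's code. Surface, ScopedMap and the Blend* functions are simplified, hypothetical stand-ins; the model assumes the mapping state is a single flag and counts the unbalanced Unmap where the real code asserts.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical surface whose mapping state is one flag shared by all Map() calls.
struct Surface {
  std::vector<uint8_t> pixels;
  bool isMapped = false;
  int unbalancedUnmaps = 0;  // counter used here in place of an assertion
  const uint8_t* Map() { isMapped = true; return pixels.data(); }
  // Unmap on an unmapped surface is where the real code asserts mIsMapped.
  void Unmap() { if (isMapped) isMapped = false; else ++unbalancedUnmaps; }
};

// RAII mapping, modelled on the ~ScopedMap frame in the stack trace.
struct ScopedMap {
  Surface& surface;
  const uint8_t* data;
  explicit ScopedMap(Surface& s) : surface(s), data(s.Map()) {}
  ~ScopedMap() { surface.Unmap(); }
};

// Multiply blend over already-mapped inputs; m1 and m2 may be the same map.
static std::vector<uint8_t> BlendMapped(const ScopedMap& m1, const ScopedMap& m2, std::size_t n) {
  std::vector<uint8_t> out(n);
  for (std::size_t i = 0; i < n; ++i) out[i] = uint8_t(m1.data[i] * m2.data[i] / 255);
  return out;
}

// Before: maps both inputs unconditionally, even when they are one object.
std::vector<uint8_t> BlendNaive(Surface& in1, Surface& in2) {
  ScopedMap m1(in1), m2(in2);
  return BlendMapped(m1, m2, in1.pixels.size());
}

// After: a single mapping when the inputs alias, passed as both arguments.
std::vector<uint8_t> BlendAliasAware(Surface& in1, Surface& in2) {
  ScopedMap m1(in1);
  if (&in1 == &in2) return BlendMapped(m1, m1, in1.pixels.size());
  ScopedMap m2(in2);
  return BlendMapped(m1, m2, in1.pixels.size());
}

int main() {
  Surface s; s.pixels = {255, 128, 0, 255};  // constructed sample pixels
  BlendNaive(s, s);
  std::printf("naive, aliased inputs: %d unbalanced Unmap\n", s.unbalancedUnmaps);
}
```

In the naive version the second ScopedMap destructor clears the flag and the first one then unmaps a surface that is no longer marked as mapped, which matches the Unmap and ~ScopedMap frames at the top of the trace.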
Fix try failures. DataSourceSurfaceWrapper::Equals was insufficient and nsDOMWindowUtils::CompareCanvases suffers a similar problem to the SIMD methods, which was only uncovered after changing DataSourceSurfaceWrapper::Map to delegate.
Attachment #8941171 - Attachment is obsolete: true
Attachment #8941407 - Flags: review?(bas)
Attachment #8941172 - Flags: review?(bas)
Comment on attachment 8941407 [details] [diff] [review]
0001-Bug-1428946-Part-1.-Make-comparing-and-mapping-DataS.patch, v2

Review of attachment 8941407 [details] [diff] [review]:
-----------------------------------------------------------------

Ewl. Oh well, it will have to do I suppose.
Attachment #8941407 - Flags: review?(bas) → review+
Comment on attachment 8941172 [details] [diff] [review]
0002-Bug-1428946-Part-2.-Make-ApplyBlending_SIMD-and-Appl.patch

Review of attachment 8941172 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/2d/FilterProcessingSIMD-inl.h
@@ +287,5 @@
>  }
>  
>  template<typename i32x4_t, typename i16x8_t, typename u8x16_t, BlendMode mode>
> +inline void
> +ApplyBlending_SIMD(DataSourceSurface::ScopedMap& aInputMap1,
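
Review bot: the new overload starting at "ApplyBlending_SIMD(DataSourceSurface::ScopedMap& aInputMap1," takes an already-constructed map but carries no comment on its contract. Since the crash in this bug is the mIsMapped assertion firing from ~ScopedMap inside ApplyBlending_SIMD, a short doc comment would help here: state that the caller owns the mappings and has confirmed they succeeded before calling, and that the map arguments may refer to the same ScopedMap when both inputs are the same surface.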

nit: Should these be const?
Attachment #8941172 - Flags: review?(bas) → review+
(In reply to Bas Schouten (:bas.schouten) from comment #7)
> Comment on attachment 8941172 [details] [diff] [review]
> 0002-Bug-1428946-Part-2.-Make-ApplyBlending_SIMD-and-Appl.patch
> 
> Review of attachment 8941172 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: gfx/2d/FilterProcessingSIMD-inl.h
> @@ +287,5 @@
> >  }
> >  
> >  template<typename i32x4_t, typename i16x8_t, typename u8x16_t, BlendMode mode>
> > +inline void
> > +ApplyBlending_SIMD(DataSourceSurface::ScopedMap& aInputMap1,
> 
> nit: Should these be const?

Err yes, they should. Will fix before landing.
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/779a3a7cd1fd
Part 1. Make comparing and mapping DataSourceSurfaceWrapper objects work consistently. r=bas
https://hg.mozilla.org/integration/mozilla-inbound/rev/68e0118f11a2
Part 2. Make ApplyBlending_SIMD and ApplyArithmeticCombine_SIMD support the same surface for both inputs. r=bas
https://hg.mozilla.org/mozilla-central/rev/779a3a7cd1fd
https://hg.mozilla.org/mozilla-central/rev/68e0118f11a2
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Can we land the attached testcase as a crashtest?
Flags: needinfo?(aosmond)
Flags: needinfo?(aosmond)