Closed
Bug 1449575
Opened 6 years ago
Closed 2 years ago
Assertion failure: (pixel & 0xff000000) == 0xff000000, at /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1570
Categories
(Core :: Graphics: CanvasWebGL, defect, P1)
Tracking
()
RESOLVED
FIXED
100 Branch
People
(Reporter: jkratzer, Assigned: jgilbert)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [gfx-noted][fuzzblocker])
Attachments
(3 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 5bf126434fac. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x00007fc3ecb442dd rbx = 0x00007fc3cc1e7000 rsi = 0x00007fc3ece13770 rdi = 0x00007fc3ece12540 rbp = 0x00007ffe5918d1c0 rsp = 0x00007ffe5918d190 r8 = 0x00007fc3ece13770 r9 = 0x00007fc3edede740 r10 = 0x0000000000000039 r11 = 0x0000000000000000 r12 = 0x00007fc3c1e7b901 r13 = 0x00007fc3c1fb4f90 r14 = 0x00007fc3cc1e75b8 r15 = 0x00007fc3c1ee7000 rip = 0x00007fc3dc3a851b OS|Linux|0.0.0 Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|mozilla::WebGLContext::PresentScreenBuffer|hg:hg.mozilla.org/mozilla-central:gfx/gl/GLContext.h:5bf126434fac78a31256c994b9dbf4b1031b0350|845|0x37 0|1|libxul.so|mozilla::WebGLContext::BeginComposition|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContext.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|1601|0x5 0|2|libxul.so|mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient|hg:hg.mozilla.org/mozilla-central:gfx/layers/CanvasRenderer.h:5bf126434fac78a31256c994b9dbf4b1031b0350|146|0x6 0|3|libxul.so|mozilla::layers::ClientCanvasLayer::RenderLayer|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientCanvasLayer.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|29|0x8 0|4|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:5bf126434fac78a31256c994b9dbf4b1031b0350|58|0xd 0|5|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|359|0xa 0|6|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|423|0x11 0|7|libxul.so|nsDisplayList::PaintRoot|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|2751|0x17 0|8|libxul.so|nsLayoutUtils::PaintFrame|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|4012|0x5 0|9|libxul.so|mozilla::PresShell::Paint|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|6348|0x17 0|10|libxul.so|nsViewManager::ProcessPendingUpdatesPaint|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|480|0x12 0|11|libxul.so|nsViewManager::ProcessPendingUpdatesForView|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|412|0xd 0|12|libxul.so|nsViewManager::ProcessPendingUpdates|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|1102|0x11 0|13|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|2055|0x8 0|14|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|308|0xf 0|15|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|330|0x12 0|16|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|771|0x5 0|17|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|585|0xc 0|18|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|68|0x9 0|19|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:668ae60ab945c9f59521cbd54f26b8fa229f96b8af45937bd735d86a432f1cf35482c0014090f530c334ca11ea7389383a8632cd0e23daddc7575da11217aca5/ipc/ipdl/PVsyncChild.cpp:|156|0xf 0|20|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|2135|0x6 0|21|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|2065|0xb 0|22|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|1911|0xb 0|23|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|1944|0xc 0|24|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|1096|0x15 0|25|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|519|0x11 0|26|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|97|0xa 0|27|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5bf126434fac78a31256c994b9dbf4b1031b0350|326|0x17 0|28|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5bf126434fac78a31256c994b9dbf4b1031b0350|319|0x8 0|29|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|157|0xd 0|30|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|893|0x11 0|31|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|269|0x5 0|32|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5bf126434fac78a31256c994b9dbf4b1031b0350|326|0x17 0|33|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5bf126434fac78a31256c994b9dbf4b1031b0350|319|0x8 0|34|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|719|0x8 0|35|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|50|0x14 0|36|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:5bf126434fac78a31256c994b9dbf4b1031b0350|280|0x11 0|37|libc-2.23.so||||0x20830 0|38|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:5bf126434fac78a31256c994b9dbf4b1031b0350|164|0x5
Flags: in-testsuite?
|
||
Updated•6 years ago
|
Priority: -- → P3
Whiteboard: [gfx-noted]
|
|
||
Updated•6 years ago
|
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
|
Assignee | |
Comment 1•6 years ago
|
||
This doesn't reproduce for me. Which versions does this reproduce on? If it repros for you on moz-central near tip, please attach about:support.
Flags: needinfo?(jkratzer)
|
Reporter | |
Comment 2•6 years ago
|
||
This only appears to trigger when run inside of xvfb. Possibly due to the default resolution of the xvfb runner?
Flags: needinfo?(jkratzer)
|
||
Comment 3•3 years ago
|
||
Attachment #8963125 -
Attachment is obsolete: true
|
|
||
Comment 4•3 years ago
|
||
The fuzzers are hitting this frequently, marking as fuzzblocker.
status-firefox93:
--- → wontfix
status-firefox94:
--- → affected
status-firefox95:
--- → affected
status-firefox-esr91:
--- → affected
Whiteboard: [gfx-noted] → [gfx-noted][fuzzblocker]
|
|
||
Comment 5•3 years ago
•
|
||
I was also only able to reproduce this while running with xvfb. I'm not sure if there are other scenarios that would trigger this issue but this is how the fuzzers are run on Linux.
The issue can be reproduced on Linux using Grizzly:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 06e67beeafc2 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
|
|
||
Comment 6•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/zQMVGrD5GQBBD7EvChkMbA/index.html
|
|
Assignee | |
Updated•2 years ago
|
Priority: P3 → P1
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
This could be related to some unexpected-alpha bugs we're seeing.
|
|
Assignee | |
Updated•2 years ago
|
Assignee: nobody → jgilbert
|
||
Comment 8•2 years ago
|
||
Set release status flags based on info from the regressing bug 1726265
|
|
Assignee | |
Comment 9•2 years ago
|
||
- Remove mention of --enable-address-sanitizer, since it's not at all sufficient on its own. (Leave link to asan docs though)
- Clarify that ./mach gtest dontruntests is only needed for gtests. (I didn't need it for grizzly replays)
|
|
Assignee | |
Comment 10•2 years ago
|
||
- Always use DoColorMask(u32?, u8) in webgl code.
- Handle OES_draw_buffers_indexed ColorMaski in GLBlitHelper.
|
|
Assignee | |
Comment 11•2 years ago
|
||
Well, that timeline doesn't work at all, but rather fixing this will fix the regressions that bug 1726265 caused.
|
||
Comment 13•2 years ago
|
||
Pushed by jgilbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7317ade3916d Update fuzzing build docs. - r=jkratzer https://hg.mozilla.org/integration/autoland/rev/40e73d26d430 Don't attempt ColorMask elision in WebGL. r=gfx-reviewers,aosmond
|
|
||
Updated•2 years ago
|
Keywords: regression
|
|
||
Comment 14•2 years ago
|
||
Pushed by imoraru@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1eff375a0a81 fix file-whitespace lint failures on WebGLContext.cpp. r=fix CLOSED TREE
|
||
Comment 15•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/7317ade3916d
https://hg.mozilla.org/mozilla-central/rev/40e73d26d430
https://hg.mozilla.org/mozilla-central/rev/1eff375a0a81
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
|
||
Updated•2 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•