Closed Bug 1476040 Opened 5 years ago Closed 8 months ago

thread 'WRWorker#4' panicked at 'attempt to multiply with overflow', gfx/webrender_bindings/src/moz2d_renderer.rs:431:29

Categories

(Core :: Graphics: WebRender, defect, P2)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox-esr78 --- disabled
firefox61 --- unaffected
firefox62 --- disabled
firefox63 --- disabled
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fix-optional
firefox81 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 4 open bugs)

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(1 file)

testcase.html
350 bytes, text/html
Details 
The attached testcase causes an assertion in m-c 20180716-2ed1506d1dc7 with pref("gfx.webrender.all", true)

thread 'WRWorker#4' panicked at 'attempt to multiply with overflow', gfx/webrender_bindings/src/moz2d_renderer.rs:431:29
#0: mozalloc_abort
        at memory/mozalloc/mozalloc_abort.cpp:34
#1: abort
        at memory/mozalloc/mozalloc_abort.cpp:81
#2: panic_abort::__rust_start_panic::abort
        at src/libpanic_abort/lib.rs:61
#3: __rust_start_panic
        at src/libpanic_abort/lib.rs:56
#4: rust_panic
        at src/libstd/panicking.rs:559
#5: std::panicking::rust_panic_with_hook
        at src/libstd/panicking.rs:531
#6: std::panicking::continue_panic_fmt
        at src/libstd/panicking.rs:426
#7: rust_begin_unwind
        at src/libstd/panicking.rs:337
#8: core::panicking::panic_fmt
        at src/libcore/panicking.rs:92
#9: core::panicking::panic
        at src/libcore/panicking.rs:53
#10: <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
        at gfx/webrender_bindings/src/moz2d_renderer.rs:431
#11: std::panicking::try::do_call
        at src/libstd/panicking.rs:310
#12: __rust_maybe_catch_panic
        at src/libpanic_abort/lib.rs:39
#13: <rayon_core::job::HeapJob<BODY> as rayon_core::job::Job>::execute
        at src/libstd/panicking.rs:289
#14: rayon_core::registry::WorkerThread::wait_until_cold
        at third_party/rust/rayon-core/src/job.rs:60
#15: rayon_core::registry::main_loop
        at third_party/rust/rayon-core/src/registry.rs:543
#16: std::panicking::try::do_call
        at src/libstd/thread/mod.rs:409
#17: __rust_maybe_catch_panic
        at src/libpanic_abort/lib.rs:39
#18: <F as alloc::boxed::FnBox<A>>::call_box
        at src/libstd/panicking.rs:289
#19: std::sys_common::thread::start_thread
        at src/liballoc/boxed.rs:650
#20: std::sys::unix::thread::Thread::new::thread_start
        at src/libstd/sys/unix/thread.rs:90
I'm not sure if this is different from bug 1470439, but this signature is occurring much more frequently.
See Also: → 1470439
The attachment is missing.
Flags: needinfo?(jschwartzentruber)
Attached file testcase.html 
Sorry! Here is the testcase.
Flags: needinfo?(jschwartzentruber)
Crash Signature: [@ mozalloc_abort | abort | __rust_start_panic | rust_begin_unwind ]
Assignee: nobody → cpearce
Priority: -- → P2
The thread stack I see is:


#0  0x0000000000425671 in mozalloc_abort(char const*) (msg=0x4851c1 "Redirecting call to abort() to mozalloc_abort\n")
    at /home/cpearce/src/firefox/memory/mozalloc/mozalloc_abort.cpp:35
#1  0x00000000004256fb in abort() () at /home/cpearce/src/firefox/memory/mozalloc/mozalloc_abort.cpp:82
#2  0x00007fafa0eac626 in panic_abort::__rust_start_panic::abort () at libpanic_abort/lib.rs:61
#3  0x00007fafa0eac616 in __rust_start_panic () at libpanic_abort/lib.rs:56
#4  0x00007fafa0e76548 in rust_panic () at libstd/panicking.rs:559
#5  0x00007fafa0e76464 in std::panicking::rust_panic_with_hook () at libstd/panicking.rs:531
#6  0x00007fafa0e7616a in std::panicking::continue_panic_fmt () at libstd/panicking.rs:426
#7  0x00007fafa0e75e86 in rust_begin_unwind () at libstd/panicking.rs:337
#8  0x00007fafa0ecc65c in core::panicking::panic_fmt () at libcore/panicking.rs:92
#9  0x00007fafa0ecc58b in core::panicking::panic () at libcore/panicking.rs:53
#10 0x00007faf9fb65734 in <core::option::Option<T>>::unwrap (self=...) at /checkout/src/libcore/macros.rs:20
#11 0x00007faf9f92a331 in webrender::resource_cache::ResourceCache::request_image (self=0x7faf805faf20, request=..., gpu_cache=0x7faf805fae00)
    at gfx/webrender/src/resource_cache.rs:916
#12 0x00007fafa1127518 in webrender::clip::ClipNode::update (self=0x7faf6c1e77e0, gpu_cache=0x7faf805fae00, resource_cache=0x7faf805faf20, device_pixel_scale=...)
    at gfx/webrender/src/clip.rs:265
#13 0x00007fafa1129366 in webrender::clip::ClipStore::build_clip_chain_instance (self=0x7faf7cf43390, clip_chain_id=..., local_prim_rect=..., local_prim_clip_rect=..., spatial_node_index=..., clip_scroll_tree=0x7faf7cf432f8, gpu_cache=0x7faf805fae00, resource_cache=0x7faf805faf20, device_pixel_scale=...) at gfx/webrender/src/clip.rs:567
#14 0x00007faf9fa311d3 in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805ef3d8, pic_context=0x7faf805ef798, pic_state=0x7faf805ef6d8, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1667
#15 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805ef798, pic_state=0x7faf805ef6d8, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805ef7c0) at gfx/webrender/src/prim_store.rs:1858
#16 0x00007faf9fa30d4e in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805f0068, pic_context=0x7faf805f0428, pic_state=0x7faf805f0368, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1613
#17 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805f0428, pic_state=0x7faf805f0368, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805f0450) at gfx/webrender/src/prim_store.rs:1858
#18 0x00007faf9fa30d4e in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805f0cf8, pic_context=0x7faf805f10b8, pic_state=0x7faf805f0ff8, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1613
#19 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805f10b8, pic_state=0x7faf805f0ff8, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805f10e0) at gfx/webrender/src/prim_store.rs:1858
#20 0x00007faf9fa30d4e in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805f1988, pic_context=0x7faf805f1d48, pic_state=0x7faf805f1c88, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1613
#21 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805f1d48, pic_state=0x7faf805f1c88, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805f1d70) at gfx/webrender/src/prim_store.rs:1858
#22 0x00007faf9fa30d4e in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805f2618, pic_context=0x7faf805f29d8, pic_state=0x7faf805f2918, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1613
#23 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805f29d8, pic_state=0x7faf805f2918, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805f2a00) at gfx/webrender/src/prim_store.rs:1858
#24 0x00007faf9fa30d4e in webrender::prim_store::PrimitiveStore::prepare_prim_for_render (self=0x7faf7cf43368, prim_index=..., prim_context=0x7faf805f32a8, pic_context=0x7faf805f35a0, pic_state=0x7faf805f3580, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, display_list=0x7faf6e92fc90, is_chased=false)
    at gfx/webrender/src/prim_store.rs:1613
#25 0x00007faf9fa32656 in webrender::prim_store::PrimitiveStore::prepare_prim_runs (self=0x7faf7cf43368, pic_context=0x7faf805f35a0, pic_state=0x7faf805f3580, frame_context=0x7faf805f34c8, frame_state=0x7faf805f3550, local_rect_builder=0x7faf805f35c8) at gfx/webrender/src/prim_store.rs:1858
#26 0x00007faf9fcac26e in webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers (self=0x7faf7cf43358, clip_scroll_tree=0x7faf7cf432f8, pipelines=0x7faf7cf43248, resource_cache=0x7faf805faf20, gpu_cache=0x7faf805fae00, render_tasks=0x7faf805f3c10, special_render_passes=0x7faf805f3c58, profile_counters=0x7faf805f3b60, device_pixel_scale=..., scene_properties=0x7faf7cf434f8, transform_palette=0x7faf805f3bd8) at gfx/webrender/src/frame_builder.rs:238
#27 0x00007faf9fcacbb3 in webrender::frame_builder::FrameBuilder::build (self=0x7faf7cf43358, resource_cache=0x7faf805faf20, gpu_cache=0x7faf805fae00, frame_id=..., clip_scroll_tree=0x7faf7cf432f8, pipelines=0x7faf7cf43248, device_pixel_scale=..., layer=0, pan=..., texture_cache_profile=0x7faf805fb5d8, gpu_cache_profile=0x7faf805fb638, scene_properties=0x7faf7cf434f8) at gfx/webrender/src/frame_builder.rs:334
#28 0x00007fafa1162488 in webrender::render_backend::Document::render (self=0x7faf7cf43248, resource_cache=0x7faf805faf20, gpu_cache=0x7faf805fae00, resource_profile=0x7faf805fb598, is_new_scene=true) at gfx/webrender/src/render_backend.rs:374
#29 0x00007fafa1167d78 in webrender::render_backend::RenderBackend::update_document (self=0x7faf805fad98, document_id=..., transaction_msg=..., blob_requests=..., frame_counter=0x7faf805f8fc8, profile_counters=0x7faf805fb578, initial_op=..., has_built_scene=true) at gfx/webrender/src/render_backend.rs:1113
#30 0x00007fafa11649bb in webrender::render_backend::RenderBackend::run (self=0x7faf805fad98, profile_counters=...) at gfx/webrender/src/render_backend.rs:770
#31 0x00007faf9fcbcd09 in webrender::renderer::Renderer::new::{{closure}} () at gfx/webrender/src/renderer.rs:1766
#32 0x00007fafa1198957 in std::sys_common::backtrace::__rust_begin_short_backtrace (f=...) at /checkout/src/libstd/sys_common/backtrace.rs:136
#33 0x00007fafa112e985 in std::thread::Builder::spawn::{{closure}}::{{closure}} () at /checkout/src/libstd/thread/mod.rs:409
#34 0x00007fafa1186c85 in <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once (self=..., _args=()) at /checkout/src/libstd/panic.rs:308
#35 0x00007fafa142f8ea in std::panicking::try::do_call (data=0x7faf805fc7e0 "") at /checkout/src/libstd/panicking.rs:310
#36 0x00007fafa0eac609 in __rust_maybe_catch_panic () at libpanic_abort/lib.rs:39
#37 0x00007fafa142f10f in std::panicking::try (f=...) at /checkout/src/libstd/panicking.rs:289
#38 0x00007fafa1186cc7 in std::panic::catch_unwind (f=...) at /checkout/src/libstd/panic.rs:392
#39 0x00007fafa112e30c in std::thread::Builder::spawn::{{closure}} () at /checkout/src/libstd/thread/mod.rs:408
#40 0x00007fafa112ea45 in <F as alloc::boxed::FnBox<A>>::call_box (self=0x7faf7ca5c800, args=()) at /checkout/src/liballoc/boxed.rs:640
#41 0x00007fafa0e70d5b in _$LT$alloc..boxed..Box$LT$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h75e539106a648d39 () at /checkout/src/liballoc/boxed.rs:650
#42 0x00007fafa0e70d5b in std::sys_common::thread::start_thread () at libstd/sys_common/thread.rs:24
#43 0x00007fafa0e77326 in std::sys::unix::thread::Thread::new::thread_start () at libstd/sys/unix/thread.rs:90
#44 0x00007fafaf6df6db in start_thread (arg=0x7faf805fe700) at pthread_create.c:463
#45 0x00007fafae8c088f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


It looks to me that the problem is that the ResourceCache::request_image() is expecting the ImageRequest we pass in to have a tile [1] but we're creating the ImageRequest we call without one [2].

If I change request_image() to only unwrap the tile if its is_some() and follow the other arm otherwise, I get a panic on a rayon worker thread here:

#10 0x00007f908513c566 in <webrender_bindings::moz2d_renderer::Moz2dBlobRasterizer as webrender_api::image::AsyncBlobImageRasterizer>::rasterize::{{closure}}::{{closure}} (item=...) at gfx/webrender_bindings/src/moz2d_renderer.rs:368


The error I think is caused because the other arm in ResourceCache::request_image() that we then take uses the template descriptor size as the image size there, and it's width: 995328, height: 9961472 device pixels, so the calculation for buffer size at [3] is overflowing.

I'm not sure what we should be doing here? Should we be tiling this big image? How do ensure something is tiled?


[1] https://searchfox.org/mozilla-central/rev/55da592d85c2baf8d8818010c41d9738c97013d2/gfx/webrender/src/resource_cache.rs#916
[2] https://searchfox.org/mozilla-central/rev/55da592d85c2baf8d8818010c41d9738c97013d2/gfx/webrender/src/clip.rs#269
[3] https://searchfox.org/mozilla-central/rev/55da592d85c2baf8d8818010c41d9738c97013d2/gfx/webrender_bindings/src/moz2d_renderer.rs#368
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(gwatson)
Really large images should already be tiled. Nical do you have an idea what might be happening here?
Flags: needinfo?(jmuizelaar) → needinfo?(nical.bugzilla)
From the back trace, it looks like this is an issue where there is the image request is coming from an image mask in a clip node.

I think we don't currently support tiled image masks in clip nodes, which is why no tiling information is being passed along.

It's not clear to me right now (a) how much work this is and (b) if it's actually necessary (it seems likely that we could request just enough of the image mask to cover the visible region, rather than needing to support tiles for clip masks).
Flags: needinfo?(gwatson)
What Glenn said.

Although I'm not sure about (b): does this mean we'd re-upload the mask each frame if we scroll something with a very large image mask?
My mental model of how masks work is a bit simplistic but I sort of hope that rendering tiles in a mask would work the same as rendering tiles in a color target.
Flags: needinfo?(nical.bugzilla)
Blocks: wr-fuzz
I can reproduce this by loading [1] in a mac debug build and scrolling down.

[1] http://diana-adrianne.com/purecss-francine/
status-firefox63: affecteddisabled
See Also: → 1489644
(In reply to Bobby Holley (:bholley) from comment #9)
> I can reproduce this by loading [1] in a mac debug build and scrolling down.
> 
> [1] http://diana-adrianne.com/purecss-francine/

Ignore this - The panic I hit was different, filed bug 1489644.
Assignee: cpearce → nobody
Crash Signature: [@ mozalloc_abort | abort | __rust_start_panic | rust_begin_unwind ] → [@ mozalloc_abort | abort | __rust_start_panic | rust_begin_unwind ] [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook | std::alloc::rust_oom | webrender_bindings::moz2d_renderer::rasterize_blob ]
Keywords: crash
Blocks: wr-stability
status-firefox78: --- → wontfix
status-firefox79: --- → wontfix
status-firefox80: --- → fix-optional
status-firefox81: --- → affected
status-firefox-esr68: --- → disabled
status-firefox-esr78: --- → disabled
OS: Unspecified → All
Hardware: Unspecified → All

No longer seems to occur.

Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.