Closed
Bug 1486810
Opened 6 years ago
Closed 6 years ago
Assertion failure: srcBlur.Size() == destBlur.Size(), at /builds/worker/workspace/build/src/gfx/thebes/gfxBlur.cpp:1319
Categories
(Core :: Graphics, defect, P3)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla64
People
(Reporter: jkratzer, Assigned: lsalzman)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [gfx-noted])
Attachments
(2 files)
|
1.00 KB,
text/html
|
Details | |
|
1.08 KB,
patch
|
rhunt
:
review+
|
Details | Diff | Splinter Review |
Testcase found while fuzzing mozilla-central rev 190b827aaa2b.
rax = 0x0000000000000000 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007ffdd6dd2970
rsi = 0x00007ff469e178b0 rdi = 0x00007ff469e16680
rbp = 0x00007ffdd6dd29c0 rsp = 0x00007ffdd6dd28b0
r8 = 0x00007ff469e178b0 r9 = 0x00007ff46af8f740
r10 = 0x00000000ffffffc7 r11 = 0x0000000000000000
r12 = 0x00007ff44fc887c0 r13 = 0x00007ffdd6dd2a80
r14 = 0x00007ffdd6dd2910 r15 = 0x00007ffdd6dd28f8
rip = 0x00007ff459438ec7
OS|Linux|0.0.0 Linux 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|gfxAlphaBoxBlur::BlurInsetBox(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::Color const&, mozilla::gfx::RectCornerRadii const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxBlur.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1319|0x18
0|1|libxul.so|nsContextBoxBlur::InsetBoxBlur(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::Color&, int, int, int, bool, mozilla::gfx::RectCornerRadii&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRendering.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4756|0x14
0|2|libxul.so|nsCSSRendering::PaintBoxShadowInner(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsCSSRendering.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1974|0x34
0|3|libxul.so|nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|5602|0x16
0|4|libxul.so|mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|7080|0x1a
0|5|libxul.so|mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|7241|0x18
0|6|libxul.so|mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientPaintedLayer.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x2a
0|7|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|58|0xd
0|8|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|340|0xa
0|9|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|398|0x11
0|10|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2759|0x17
0|11|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3843|0x5
0|12|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|6350|0x17
0|13|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|480|0x28
0|14|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|412|0xd
0|15|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1102|0x11
0|16|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2042|0x8
0|17|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|324|0x8
0|18|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|317|0xc
0|19|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|755|0xc
0|20|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|571|0xc
0|21|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|78|0x9
0|22|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|23|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2239|0x6
0|24|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2166|0xb
0|25|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2012|0xb
0|26|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2045|0xc
0|27|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1167|0x15
0|28|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|519|0x11
0|29|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|125|0xd
0|30|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|31|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|32|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|158|0xd
0|33|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x11
0|34|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|269|0x5
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8
0|37|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|770|0x8
0|38|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|50|0x14
0|39|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|287|0x11
0|40|libc-2.27.so||||0x21b97
0|41|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x5
Flags: in-testsuite?
|
||
Comment 1•6 years ago
|
||
Looks like bug 1250947 and bug 1250037 created/moved this assert a while ago.
|
Assignee | |
Comment 2•6 years ago
|
||
I can't actually reproduce anything with the testcase at all, so at best this patch is a guess at what is going on.
When we generate the actual blur draw target (https://dxr.mozilla.org/mozilla-central/source/gfx/2d/Blur.cpp?q=Blur.cpp%3A467&redirect_type=direct#467), we round the size. So comparing the destination rect with the DT size directly is not quite correct. The sizes need to be rounded inside the assert, even though we don't necessarily want to round the destination rect when finally drawing it.
|
Reporter | |
Comment 3•6 years ago
|
||
(In reply to Lee Salzman [:lsalzman] from comment #2)
> Created attachment 9006334 [details] [diff] [review]
> round sizes in blur assertion
>
> I can't actually reproduce anything with the testcase at all, so at best
> this patch is a guess at what is going on.
>
> When we generate the actual blur draw target
> (https://dxr.mozilla.org/mozilla-central/source/gfx/2d/Blur.cpp?q=Blur.
> cpp%3A467&redirect_type=direct#467), we round the size. So comparing the
> destination rect with the DT size directly is not quite correct. The sizes
> need to be rounded inside the assert, even though we don't necessarily want
> to round the destination rect when finally drawing it.
So it looks like this bug is only reproducible when run via xvfb. This might be due to a difference in the resolution between xvfb and native.
|
||
Updated•6 years ago
|
Attachment #9006334 -
Flags: review?(rhunt) → review+
|
|
Reporter | |
Comment 5•6 years ago
|
||
(In reply to Lee Salzman [:lsalzman] from comment #4)
> Does my patch resolve the issue for you?
Sorry for the delay. It does resolve the issue.
Flags: needinfo?(jkratzer)
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1ed9a1e859b8
round sizes in blur assertion. r=rhunt
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
|
||
Comment 8•6 years ago
|
||
Lee, this bug is marked as a regression for 63, should we consider uplifting the patch to beta or can it ride the trains? Thanks
Flags: needinfo?(lsalzman)
|
||
Comment 9•6 years ago
|
||
It's a debug-only issue, I think it can ride the trains.
status-firefox62:
--- → wontfix
status-firefox-esr60:
--- → wontfix
Flags: needinfo?(lsalzman)
Flags: in-testsuite?
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•