Crash in webrender_bindings::moz2d_renderer::{{impl}}::update

RESOLVED FIXED in Firefox 66

Status

P3
critical
RESOLVED FIXED
6 months ago
2 months ago

People

(Reporter: darkspirit, Assigned: aosmond)

Tracking

(Blocks: 2 bugs, {crash, nightly-community})

64 Branch
mozilla66
crash, nightly-community

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox63 wontfix, firefox64 disabled, firefox65 disabled, firefox66 fixed)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 months ago
Nvidia, GM204 [GeForce GTX 970], build 20180923220427

This bug was filed from the Socorro interface and is
report bp-37e401c1-ddc5-4ea2-b98a-e61830180925.
> assertion failed: old.bounds.contained_by(&dirty_rect)

Assertion was added in bug 1450162.

https://crash-stats.mozilla.com/search/?moz_crash_reason=~assertion%20failed%3A%20old.bounds.contained_by%28%26dirty_rect%29&product=Firefox&date=%3E%3D2018-06-25T20%3A33%3A17.000Z&date=%3C2018-09-25T20%3A33%3A17.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports
=============================================================

Top 10 frames of crashing thread:

0 xul.dll static void std::panicking::rust_panic_with_hook src/libstd/panicking.rs:485
1 xul.dll static <NoType> std::panicking::begin_panic<str*> src/libstd/panicking.rs:409
2 xul.dll static void webrender_bindings::moz2d_renderer::{{impl}}::update gfx/webrender_bindings/src/moz2d_renderer.rs:428
3 xul.dll static void webrender::resource_cache::ResourceCache::pre_scene_building_update gfx/webrender/src/resource_cache.rs:543
4 xul.dll static bool webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:856
5 xul.dll static void webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:639
6 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure,  src/libstd/sys_common/backtrace.rs:136
7 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/boxed.rs:642
8 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/thread.rs:55
9 kernel32.dll BaseThreadInitThunk 

=============================================================
Priority: P3 → P4
Jeff -- is this actionable?
Flags: needinfo?(jmuizelaar)
Duplicate of this bug: 1477571
Not immediately actionable without a test case.
Flags: needinfo?(jmuizelaar)
status-firefox63: --- → wontfix
(Reporter)

Updated

2 months ago
Duplicate of this bug: 1507637
(Reporter)

Comment 6

2 months ago

Changing to the priority of the duplicate.

Could still work:
(Mayank Bansal from bug 1507637 comment #3)
> STR from the dupe:
>
> go to http://www.bloomberg.com/dataview/2014-04-17/how-americans-die.html
> click on the page once. This will start the slideshow.
> Let the first one play.
> Put cursor over the "men" written in blue in the body of the slide. (This is slide 1, just to make things clear)
> Click on it.
>
> CRASH

Crash Signature: [@ webrender_bindings::moz2d_renderer::{{impl}}::update] → [@ webrender_bindings::moz2d_renderer::{{impl}}::update] [@ <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update]
status-firefox64: affected → disabled
status-firefox65: --- → disabled
status-firefox66: --- → affected
OS: Windows 10 → All
Priority: P4 → P3
Hardware: x86_64 → All

Comment 7

2 months ago

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #6)
> Changing to the priority of the duplicate.
>
> Could still work:
> (Mayank Bansal from bug 1507637 comment #3)
> > STR from the dupe:
> >
> > go to http://www.bloomberg.com/dataview/2014-04-17/how-americans-die.html
> > click on the page once. This will start the slideshow.
> > Let the first one play.
> > Put cursor over the "men" written in blue in the body of the slide. (This is slide 1, just to make things clear)
> > Click on it.
> >
> > CRASH

Reproduced this today, on my second attempt. So this still crashes.
You might need to let the animation of slide1 finish, and move mouse horizontally such that the points on the graph also move.
And then click on the "men" written in blue.

(Assignee)

Comment 8

2 months ago

I was able to reproduce a couple of times in nightly following the STR. I'll see if I can catch in a local build...

(Assignee)

Comment 9

2 months ago

I could not catch it in a debugger, but it was reproducible with some persistence in an opt build with logging turned on:

dirty rect: Box2d { x1: 0, y1: 182, x2: 2556, y2: 933 }
old:
Box2d { x1: 0, y1: 557, x2: 2556, y2: 914 } *
Box2d { x1: 0, y1: 770, x2: 2556, y2: 994 }
Box2d { x1: 0, y1: 271, x2: 2556, y2: 890 } *
new:
Box2d { x1: 0, y1: 480, x2: 2556, y2: 850 } *
Box2d { x1: 0, y1: 701, x2: 2556, y2: 933 } *
Box2d { x1: 0, y1: 182, x2: 2556, y2: 825 } *
bounds: 836 844 Box2d { x1: 0, y1: 480, x2: 2556, y2: 850 }
bounds: 1644 1652 Box2d { x1: 0, y1: 701, x2: 2556, y2: 933 }
bounds: 2452 2460 Box2d { x1: 0, y1: 182, x2: 2556, y2: 825 }
new bounds: 836 844 Box2d { x1: 0, y1: 557, x2: 2556, y2: 914 }
new bounds: 1644 1652 Box2d { x1: 0, y1: 770, x2: 2556, y2: 994 }

(Assignee)

Comment 10

2 months ago

Putting together a patch to fix this after getting jrmuizel's help on log interpretation.

Assignee: nobody → aosmond
(Assignee)

Comment 12

2 months ago
If an item in a blob image gets a new parent container which clips it to
a smaller area than it was previously, we need to ensure the dirty rect
does not take into account the new clip when determining the old
intersection area. Instead now all old rects for an image are clipped to
the image bounds, rather than the image bounds clipped to the aggregate
of the ancestor containers.
(Assignee)

Comment 13

2 months ago

I haven't had much luck in making a crashtest yet for this...

Attachment #9037256 - Attachment description: Bug 1494062 - Ensure blob image dirty rects are not clipped too small by containers. → Bug 1494062 - Part 2. Ensure blob image dirty rects are not clipped too small by containers.

Comment 16

2 months ago
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/23b890a3fc78
Part 1. Add new crashtest reproducing the blob image wraplist clipping crash. r=jrmuizel
https://hg.mozilla.org/integration/mozilla-inbound/rev/50f859a24037
Part 2. Ensure blob image dirty rects are not clipped too small by containers. r=jrmuizel

Backed out 2 changesets (bug 1494062) for failing at /tests/gfx/tests/crashtests/1494062.html on a CLOSED TREE

Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/8ae1a19800b4018ab6526242bc83c365216df579

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=222541556&revision=50f859a240370db9ab237aa3ac4a3341e904a019

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222541556&repo=mozilla-inbound&lineNumber=16487

Log snippet:

[task 2019-01-17T20:20:33.623Z] 20:20:33 INFO - REFTEST TEST-START | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:20:33.624Z] 20:20:33 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html | 1238 / 3670 (33%)
[task 2019-01-17T20:25:33.631Z] 20:25:33 INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html | load failed: timed out after 300000 ms waiting for 'load' event for file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.633Z] 20:25:33 INFO - REFTEST INFO | Saved log: START file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.634Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.638Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.639Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.640Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.640Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.641Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html

Flags: needinfo?(aosmond)

Comment 18

2 months ago
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3167fee85c59
Part 1. Add new crashtest reproducing the blob image wraplist clipping crash. r=jrmuizel
https://hg.mozilla.org/integration/mozilla-inbound/rev/c82870227fa5
Part 2. Ensure blob image dirty rects are not clipped too small by containers. r=jrmuizel
(Assignee)

Comment 19

2 months ago

I renamed the test but forgot about the crashtests.list. Ugh.

Flags: needinfo?(aosmond)

Comment 20

2 months ago
bugherder
Status: NEW → RESOLVED
Last Resolved: 2 months ago
status-firefox66: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

Comment 22

2 months ago

Yes, this is fixed. Can't repro anymore.

status-firefox-esr60: --- → unaffected