Closed Bug 1494062 Opened 6 years ago Closed 6 years ago

Crash in webrender_bindings::moz2d_renderer::{{impl}}::update

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Version:
64 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- disabled
firefox65 --- disabled
firefox66 --- fixed

People

(Reporter: jan, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Keywords: crash, nightly-community)

Crash Data

Attachments

(2 files)

Bug 1494062 - Part 2. Ensure blob image dirty rects are not clipped too small by containers.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1494062 - Part 1. Add new crashtest reproducing the blob image wraplist clipping crash.
47 bytes, text/x-phabricator-request
Details | Review
Nvidia, GM204 [GeForce GTX 970], build 20180923220427 This bug was filed from the Socorro interface and is report bp-37e401c1-ddc5-4ea2-b98a-e61830180925. > assertion failed: old.bounds.contained_by(&dirty_rect) Assertion was added in bug 1450162. https://crash-stats.mozilla.com/search/?moz_crash_reason=~assertion%20failed%3A%20old.bounds.contained_by%28%26dirty_rect%29&product=Firefox&date=%3E%3D2018-06-25T20%3A33%3A17.000Z&date=%3C2018-09-25T20%3A33%3A17.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports ============================================================= Top 10 frames of crashing thread: 0 xul.dll static void std::panicking::rust_panic_with_hook src/libstd/panicking.rs:485 1 xul.dll static <NoType> std::panicking::begin_panic<str*> src/libstd/panicking.rs:409 2 xul.dll static void webrender_bindings::moz2d_renderer::{{impl}}::update gfx/webrender_bindings/src/moz2d_renderer.rs:428 3 xul.dll static void webrender::resource_cache::ResourceCache::pre_scene_building_update gfx/webrender/src/resource_cache.rs:543 4 xul.dll static bool webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:856 5 xul.dll static void webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:639 6 xul.dll static void std::sys_common::backtrace::__rust_begin_short_backtrace<closure, src/libstd/sys_common/backtrace.rs:136 7 xul.dll static void alloc::boxed::{{impl}}::call_box< src/liballoc/boxed.rs:642 8 xul.dll static void std::sys::windows::thread::{{impl}}::new::thread_start src/libstd/sys/windows/thread.rs:55 9 kernel32.dll BaseThreadInitThunk =============================================================
Priority: P3 → P4
Jeff -- is this actionable?
Flags: needinfo?(jmuizelaar)
Not immediately actionable without a test case.
Flags: needinfo?(jmuizelaar)

Changing to the priority of the duplicate.

Could still work:
(Mayank Bansal from bug 1507637 comment #3)

STR from the dupe :

go to http://www.bloomberg.com/dataview/2014-04-17/how-americans-die.html
click on the page once. This will start the slideshow.
Let the first one play.
Put cursor over the "men" written in blue in the body of the slide. (This is
slide 1, just to make things clear)
Click on it.

CRASH

Crash Signature: [@ webrender_bindings::moz2d_renderer::{{impl}}::update] → [@ webrender_bindings::moz2d_renderer::{{impl}}::update] [@ <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update]
status-firefox64: affecteddisabled
status-firefox65: --- → disabled
status-firefox66: --- → affected
OS: Windows 10 → All
Priority: P4 → P3
Hardware: x86_64 → All

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #6)

Changing to the priority of the duplicate.

Could still work:
(Mayank Bansal from bug 1507637 comment #3)

STR from the dupe :

go to http://www.bloomberg.com/dataview/2014-04-17/how-americans-die.html
click on the page once. This will start the slideshow.
Let the first one play.
Put cursor over the "men" written in blue in the body of the slide. (This is
slide 1, just to make things clear)
Click on it.

CRASH

Reproduced this today, on my second attempt. So this still crashes.
You might need to let the animation of slide1 finish, and move mouse horizontally such that the points on the graph also move.
And then click on the "men" written in blue.

I was able to reproduce a couple of times in nightly following the STR. I'll see if I can catch in a local build...

I could not catch it in a debugger, but it was reproducible with some persistence in an opt build with logging turned on:

dirty rect: Box2d { x1: 0, y1: 182, x2: 2556, y2: 933 }
old:
Box2d { x1: 0, y1: 557, x2: 2556, y2: 914 } *
Box2d { x1: 0, y1: 770, x2: 2556, y2: 994 }
Box2d { x1: 0, y1: 271, x2: 2556, y2: 890 } *
new:
Box2d { x1: 0, y1: 480, x2: 2556, y2: 850 } *
Box2d { x1: 0, y1: 701, x2: 2556, y2: 933 } *
Box2d { x1: 0, y1: 182, x2: 2556, y2: 825 } *
bounds: 836 844 Box2d { x1: 0, y1: 480, x2: 2556, y2: 850 }
bounds: 1644 1652 Box2d { x1: 0, y1: 701, x2: 2556, y2: 933 }
bounds: 2452 2460 Box2d { x1: 0, y1: 182, x2: 2556, y2: 825 }
new bounds: 836 844 Box2d { x1: 0, y1: 557, x2: 2556, y2: 914 }
new bounds: 1644 1652 Box2d { x1: 0, y1: 770, x2: 2556, y2: 994 }

Putting together a patch to fix this after getting jrmuizel's help on log interpretation.

Assignee: nobody → aosmond
If an item in a blob image gets a new parent container which clips it to a smaller area than it was previously, we need to ensure the dirty rect does not take into account the new clip when determining the old intersection area. Instead now all old rects for an image are clipped to the image bounds, rather than the image bounds clipped to the aggregate of the ancestor containers.

I haven't had much luck in making a crashtest yet for this...

Attachment #9037256 - Attachment description: Bug 1494062 - Ensure blob image dirty rects are not clipped too small by containers. → Bug 1494062 - Part 2. Ensure blob image dirty rects are not clipped too small by containers.
Pushed by aosmond@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/23b890a3fc78 Part 1. Add new crashtest reproducing the blob image wraplist clipping crash. r=jrmuizel https://hg.mozilla.org/integration/mozilla-inbound/rev/50f859a24037 Part 2. Ensure blob image dirty rects are not clipped too small by containers. r=jrmuizel

Backed out 2 changesets (bug 1494062) for failing at /tests/gfx/tests/crashtests/1494062.html on a CLOSED TREE

Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/8ae1a19800b4018ab6526242bc83c365216df579

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=222541556&revision=50f859a240370db9ab237aa3ac4a3341e904a019

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222541556&repo=mozilla-inbound&lineNumber=16487

Log snippet:

[task 2019-01-17T20:20:33.623Z] 20:20:33 INFO - REFTEST TEST-START | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:20:33.624Z] 20:20:33 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html | 1238 / 3670 (33%)
[task 2019-01-17T20:25:33.631Z] 20:25:33 INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html | load failed: timed out after 300000 ms waiting for 'load' event for file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.633Z] 20:25:33 INFO - REFTEST INFO | Saved log: START file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.634Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.638Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.639Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.640Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E
[task 2019-01-17T20:25:33.640Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html
[task 2019-01-17T20:25:33.641Z] 20:25:33 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/gfx/tests/crashtests/1494062.html

Flags: needinfo?(aosmond)
Pushed by aosmond@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3167fee85c59 Part 1. Add new crashtest reproducing the blob image wraplist clipping crash. r=jrmuizel https://hg.mozilla.org/integration/mozilla-inbound/rev/c82870227fa5 Part 2. Ensure blob image dirty rects are not clipped too small by containers. r=jrmuizel

I renamed the test but forgot about the crashtests.list. Ugh.

Flags: needinfo?(aosmond)

https://hg.mozilla.org/mozilla-central/rev/3167fee85c59
https://hg.mozilla.org/mozilla-central/rev/c82870227fa5

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

yes, this is fixed. Cant repro anymore

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: