1496843 - Crash in <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect, P2)

Description

[Andrew McCreight [:mccr8]]

This bug was filed from the Socorro interface and is
report bp-c3cea662-176a-441e-876d-f12cb0181005.
=============================================================

Top 10 frames of crashing thread:

0 libmozglue.dylib mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:35
1 libmozglue.dylib abort memory/mozalloc/mozalloc_abort.cpp:82
2 XUL panic_abort::__rust_start_panic::abort src/libpanic_abort/lib.rs:61
3 XUL __rust_start_panic src/libpanic_abort/lib.rs:56
4 XUL std::panicking::rust_panic_with_hook src/libstd/panicking.rs:523
5 XUL std::panicking::begin_panic src/libstd/panicking.rs:409
6 XUL <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update gfx/webrender_bindings/src/moz2d_renderer.rs:329
7 XUL webrender::resource_cache::ResourceCache::pre_scene_building_update gfx/webrender/src/resource_cache.rs:827
8 XUL webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:941
9 XUL webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:685

=============================================================

moz crash reason is:
assertion failed: old_reader.cache.is_empty()

Another crash signature with this crash reason is: webrender_bindings::moz2d_renderer::{{impl}}::update

An example of that signature is: bp-202d2e0c-acfb-40c2-af25-20c350181001

Not a high volume of crashes. I only see 15 in the last few weeks with this crash reason.

Comment 1

[Andrew McCreight [:mccr8]]

Bug 1460441 was the same assertion failure but with a different signature.

Comment 2

[Panos Astithas (he/him) [:past] (please ni?)]

This has become very frequent today on the latest macOS for me:
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-6c67cefd-e95c-4f93-ab54-941ab0181107

Closing a tab seems to be the most sure fire way to cause it and twice the tab that was about to be displayed was the slide deck from the Wednesday cross-functional meeting, in case it's useful.

Comment 3

[Andrew McCreight [:mccr8]]

The first two of those crashes have a different assertion:
  assertion failed: old.bounds.contained_by(&dirty_rect)

Comment 4

[Brian Pitts]

I can reliably reproduce this by mousing over the counties on the map at https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/

My crash reports are

https://crash-stats.mozilla.com/report/index/a19a5067-5cb0-41be-a2a1-da8da0181107
https://crash-stats.mozilla.com/report/index/cd434cf5-8389-4e70-bee8-ba0150181107

Comment 5

[Jeff Muizelaar [:jrmuizel]]

This page seems to cause the "assertion failed: old_reader.cache.is_empty()"
 https://abcnews.go.com/Politics/fullpage/midterm-election-map-2018-live-results-58723598

Comment 6

[Bobby Holley (:bholley)]

CCing Joe, who hit this on an internal google slide deck.

Comment 7

[Andrew McCreight [:mccr8]]

top non-hang crash on the Nov 7 OSX Nightly, with 13 crashes

Comment 8

[Andrew McCreight [:mccr8]]

One of the comments says "Mousing over counties at https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/  ".  I couldn't repro, FWIW.

Comment 9

[:Atoll]

I have had this crash occur while selecting text, while doing nothing but staring at my Gmail index, and by loading drive.google.com in a fresh tab.

Note that my hardware isn't shown properly by Socorro — Graphics Adapter 0x8086 0x5927 is Apple's custom Intel Iris Pro 560 chip (iMac 2017 21.5" Retina) and I believe all 4 crashes listed for that chip are me:

https://crash-stats.mozilla.com/signature/?product=Firefox&signature=%3Cwebrender_bindings%3A%3Amoz2d_renderer%3A%3AMoz2dBlobImageHandler%20as%20webrender_api%3A%3Aimage%3A%3ABlobImageHandler%3E%3A%3Aupdate&date=%3E%3D2018-11-01T16%3A29%3A34.000Z&date=%3C2018-11-08T15%3A29%3A34.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#summary

Comment 10

[Jan Alexander Steffens [:heftig]]

I get this consistently by navigating to https://store.google.com/product/google_home_mini_specs (from https://store.google.com/product/google_home_mini).

Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)

Comment 11

[Mayank Bansal]

(In reply to Jan Alexander Steffens [:heftig] from comment #10)
> I get this consistently by navigating to
> https://store.google.com/product/google_home_mini_specs (from
> https://store.google.com/product/google_home_mini).
> 
> Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)

can confirm crash on loading https://store.google.com/product/google_home_mini_specs  with WR on Win10

https://crash-stats.mozilla.com/report/index/7408880f-d260-4e90-a720-4a99f0181109 (though the signature is different)

Comment 12

[Julien Cristau [:jcristau]]

This doesn't seem to show up on beta for some reason.

Comment 13

[Brian Pitts]

Huh. I can still repro on https://www.ajc.com/news/state--regional-govt--politics/how-georgia-counties-voted-the-2018-georgia-gubernatorial-election/l0zMPYUztPt9xV6idQDY1L/ with latest nightly. Crash report from today is https://crash-stats.mozilla.com/report/index/c8071109-2a72-4ce3-818f-216ba0181109 . This is OS X 10.13.6 on a 15-inch 2017 Macbook Pro.

Comment 14

[Julien Cristau [:jcristau]]

the crash in comment 13 is also "assertion failed: old.bounds.contained_by(&dirty_rect)"

Comment 15

[Kartikaya Gupta (email:kats@mozilla.staktrace.com)]

(In reply to Julien Cristau [:jcristau] from comment #12)
> This doesn't seem to show up on beta for some reason.

Probably because WR on beta is restricted to Windows, and these crashes seem to be on macOS/Linux. It's possible the Windows ones are under a different signature and bug somewhere else.

Comment 16

[Aria Beingessner [:Gankra]]

Spent the day debugging this, the issue is that when computing the dirty rect we intersect the old bounds of a changed item with mImageRect. This makes the bounds of that old item not-contained in the dirty rect, which during blob merging causes us to get confused, because deleted items are supposed to be contained inside the dirty rect.

log with `xxxx-` markers for relevant sections:

https://gist.github.com/Gankro/07d6c49be973fd69629ef9da8eeb7b26

Comment 17

[Aria Beingessner [:Gankra]]

This has likely gotten worse because Bug 1456555 introduce more aggressive shrinking of mImageRect.

Comment 18

[Jeff Muizelaar [:jrmuizel]]

It looks like the problem here is caused by us not updating BlobItemData when the mImageRect change happens.

Comment 19

[Jeff Muizelaar [:jrmuizel]]

Attachment: Completely untested patch

Here's an untested patch which I think should fix the problem.

Comment 20

[Jeff Muizelaar [:jrmuizel]]

Attachment: Bug 1496843. Make sure we update mRect when mImageBounds changes.

Comment 21

[Jeff Muizelaar [:jrmuizel]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=d6863cb27eae6bedd5a882d28138243408975333

Comment 22

[Jeff Muizelaar [:jrmuizel]]

Attachment: A mostly reduced test case dervied from google_home_mini_specs

Comment 23

[Jeff Muizelaar [:jrmuizel]]

Attachment: Reduced test case

The relationship between this test case and the patch is left as an exercise for the reader.

Comment 24

[Pulsebot]

Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/244e82052be1
Make sure we update mRect when mImageBounds changes. r=mattwoodrow

Comment 25

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/244e82052be1