Closed Bug 1496843 Opened 2 years ago Closed 1 year ago

Crash in <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update

Categories

(Core :: Graphics: WebRender, defect, P2, critical)

Unspecified
All
defect

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- disabled
firefox64 --- disabled
firefox65 --- fixed

People

(Reporter: mccr8, Assigned: jrmuizel)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Attachments

(2 files, 2 obsolete files)

This bug was filed from the Socorro interface and is
report bp-c3cea662-176a-441e-876d-f12cb0181005.
=============================================================

Top 10 frames of crashing thread:

0 libmozglue.dylib mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:35
1 libmozglue.dylib abort memory/mozalloc/mozalloc_abort.cpp:82
2 XUL panic_abort::__rust_start_panic::abort src/libpanic_abort/lib.rs:61
3 XUL __rust_start_panic src/libpanic_abort/lib.rs:56
4 XUL std::panicking::rust_panic_with_hook src/libstd/panicking.rs:523
5 XUL std::panicking::begin_panic src/libstd/panicking.rs:409
6 XUL <webrender_bindings::moz2d_renderer::Moz2dBlobImageHandler as webrender_api::image::BlobImageHandler>::update gfx/webrender_bindings/src/moz2d_renderer.rs:329
7 XUL webrender::resource_cache::ResourceCache::pre_scene_building_update gfx/webrender/src/resource_cache.rs:827
8 XUL webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:941
9 XUL webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:685

=============================================================

moz crash reason is:
assertion failed: old_reader.cache.is_empty()

Another crash signature with this crash reason is: webrender_bindings::moz2d_renderer::{{impl}}::update

An example of that signature is: bp-202d2e0c-acfb-40c2-af25-20c350181001

Not a high volume of crashes. I only see 15 in the last few weeks with this crash reason.
Bug 1460441 was the same assertion failure but with a different signature.
OS: Mac OS X → All
Priority: -- → P4
This has become very frequent today on the latest macOS for me:
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-22008f08-e2c6-40bb-920e-1f52f0181107
bp-6c67cefd-e95c-4f93-ab54-941ab0181107

Closing a tab seems to be the most surefire way to cause it and twice the tab that was about to be displayed was the slide deck from the Wednesday cross-functional meeting, in case it's useful.
The first two of those crashes have a different assertion:
  assertion failed: old.bounds.contained_by(&dirty_rect)
This page seems to cause the "assertion failed: old_reader.cache.is_empty()"
 https://abcnews.go.com/Politics/fullpage/midterm-election-map-2018-live-results-58723598
Priority: P4 → P2
CCing Joe, who hit this on an internal google slide deck.
Assignee: nobody → a.beingessner
top non-hang crash on the Nov 7 OSX Nightly, with 13 crashes
I have had this crash occur while selecting text, while doing nothing but staring at my Gmail index, and by loading drive.google.com in a fresh tab.

Note that my hardware isn't shown properly by Socorro — Graphics Adapter 0x8086 0x5927 is Apple's custom Intel Iris Pro 560 chip (iMac 2017 21.5" Retina) and I believe all 4 crashes listed for that chip are me:

https://crash-stats.mozilla.com/signature/?product=Firefox&signature=%3Cwebrender_bindings%3A%3Amoz2d_renderer%3A%3AMoz2dBlobImageHandler%20as%20webrender_api%3A%3Aimage%3A%3ABlobImageHandler%3E%3A%3Aupdate&date=%3E%3D2018-11-01T16%3A29%3A34.000Z&date=%3C2018-11-08T15%3A29%3A34.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#summary
I get this consistently by navigating to https://store.google.com/product/google_home_mini_specs (from https://store.google.com/product/google_home_mini).

Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)
(In reply to Jan Alexander Steffens [:heftig] from comment #10)
> I get this consistently by navigating to
> https://store.google.com/product/google_home_mini_specs (from
> https://store.google.com/product/google_home_mini).
> 
> Firefox Nightly, Arch Linux, GNOME, GDK_SCALE=2 (HiDPI)

can confirm crash on loading https://store.google.com/product/google_home_mini_specs  with WR on Win10

https://crash-stats.mozilla.com/report/index/7408880f-d260-4e90-a720-4a99f0181109 (though the signature is different)
This doesn't seem to show up on beta for some reason.
the crash in comment 13 is also "assertion failed: old.bounds.contained_by(&dirty_rect)"
(In reply to Julien Cristau [:jcristau] from comment #12)
> This doesn't seem to show up on beta for some reason.

Probably because WR on beta is restricted to Windows, and these crashes seem to be on macOS/Linux. It's possible the Windows ones are under a different signature and bug somewhere else.
Spent the day debugging this; the issue is that when computing the dirty rect we intersect the old bounds of a changed item with mImageRect. This makes the bounds of that old item not-contained in the dirty rect, which during blob merging causes us to get confused, because deleted items are supposed to be contained inside the dirty rect.

log with `xxxx-` markers for relevant sections:

https://gist.github.com/Gankro/07d6c49be973fd69629ef9da8eeb7b26
This has likely gotten worse because Bug 1456555 introduced more aggressive shrinking of mImageRect.
It looks like the problem here is caused by us not updating BlobItemData when the mImageRect change happens.
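The containment rule from the comments above (a changed item's old bounds must lie inside the dirty rect), as a simplified model added here; it is not code from WebRender, Gecko or any attached patch. The `Rect` type, `dirty_rect`, `scenario` and all coordinates are constructed, and re-clipping the recorded rect is an assumed reading of "updating" the item data when the image rect changes.

```rust
// Simplified model of the invariant from the thread; not WebRender or Gecko code.
// All names and coordinates below are hypothetical/constructed.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Rect { x0: i32, y0: i32, x1: i32, y1: i32 }

impl Rect {
    fn is_empty(&self) -> bool { self.x0 >= self.x1 || self.y0 >= self.y1 }
    fn intersect(&self, o: &Rect) -> Rect {
        Rect { x0: self.x0.max(o.x0), y0: self.y0.max(o.y0),
               x1: self.x1.min(o.x1), y1: self.y1.min(o.y1) }
    }
    fn union(&self, o: &Rect) -> Rect {
        if self.is_empty() { return *o; }
        if o.is_empty() { return *self; }
        Rect { x0: self.x0.min(o.x0), y0: self.y0.min(o.y0),
               x1: self.x1.max(o.x1), y1: self.y1.max(o.y1) }
    }
    fn contained_by(&self, o: &Rect) -> bool {
        self.is_empty()
            || (self.x0 >= o.x0 && self.y0 >= o.y0 && self.x1 <= o.x1 && self.y1 <= o.y1)
    }
}

// Dirty rect for one changed item: old and new bounds are clipped to the
// current image rect before being unioned.
fn dirty_rect(old: &Rect, new: &Rect, image: &Rect) -> Rect {
    old.intersect(image).union(&new.intersect(image))
}

// Constructed scenario: the image rect shrinks, then the item changes.
// `refresh` re-clips the recorded rect when the image rect changes.
// Returns (dirty rect, whether the recorded old bounds are contained in it).
fn scenario(refresh: bool) -> (Rect, bool) {
    let new_image = Rect { x0: 0, y0: 0, x1: 50, y1: 50 };
    // Recorded while the image rect was still 100x100.
    let mut recorded = Rect { x0: 10, y0: 10, x1: 90, y1: 90 };
    if refresh {
        recorded = recorded.intersect(&new_image);
    }
    let new_bounds = Rect { x0: 10, y0: 10, x1: 40, y1: 40 };
    let dirty = dirty_rect(&recorded, &new_bounds, &new_image);
    (dirty, recorded.contained_by(&dirty))
}

fn main() {
    println!("stale record:     {:?}", scenario(false));
    println!("refreshed record: {:?}", scenario(true));
}
```

With the stale record the dirty rect is the same as in the refreshed case, but the recorded bounds extend past it, which is the condition the `old.bounds.contained_by(&dirty_rect)` assertion rejects.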
Attached patch Completely untested patch (obsolete)
Here's an untested patch which I think should fix the problem.
Attachment #9024209 - Attachment is obsolete: true
Assignee: a.beingessner → jmuizelaar
Attached file Reduced test case
The relationship between this test case and the patch is left as an exercise for the reader.
Attachment #9024247 - Attachment is obsolete: true
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/244e82052be1
Make sure we update mRect when mImageBounds changes. r=mattwoodrow
https://hg.mozilla.org/mozilla-central/rev/244e82052be1
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Depends on: 1506676
See Also: → 1507637
See Also: → 1533411