Closed Bug 1498385 Opened 6 years ago Closed 5 years ago

Crash Report [@ webrender::image::compute_tile_range ]

Categories

(Core :: Graphics: WebRender, defect, P2)

RESOLVED FIXED

People

(Reporter: jrmuizel, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase)

Attachments

(1 file)

Priority: -- → P3
Blocks: wr-stability
https://github.com/servo/webrender/pull/3192 will help with diagnosing this.
I can reproduce this with tiled blob images: https://treeherder.mozilla.org/#/jobs?repo=try&revision=9e2e5b4d7eb112055060a6d606fc0e01487f4bdf&selectedJob=204993161

(lldb) p *visible_area
(euclid::rect::TypedRect<u32, webrender_api::units::DevicePixel>) $10 = {
  origin = {
    x = 113250
    y = 26843548
  }
  size = {
    width = 1601
    height = 2001
  }
}

Dividing y by the tile_size (256) gives us a number that's still too big for a u16 (104857), and then we panic.
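
The narrowing failure described in the comment above, as an added example that is not part of the original bug comments and is not WebRender's code or the fix that landed. All function and type names are hypothetical, the 4096 px image height is a constructed value, and clamping to the image extent is an assumed mitigation:

```rust
use std::convert::TryFrom;

// Hypothetical names throughout; this is not WebRender's code.
#[derive(Debug, PartialEq)]
pub struct TileSpan { pub start: u16, pub end: u16 } // half-open, in tiles

#[derive(Debug, PartialEq)]
pub enum TileError { ZeroTileSize, IndexOverflow(u32) }

/// What an unchecked `as` cast does with an oversized index: wraps mod 65536.
pub fn truncating_index(px: u32, tile_size: u32) -> u16 {
    (px / tile_size) as u16
}

/// Checked narrowing: an index that does not fit in u16 becomes an error
/// the caller must handle, not a panic or a silently wrong tile.
pub fn tile_index(px: u32, tile_size: u32) -> Result<u16, TileError> {
    if tile_size == 0 { return Err(TileError::ZeroTileSize); }
    let idx = px / tile_size;
    u16::try_from(idx).map_err(|_| TileError::IndexOverflow(idx))
}

/// Tiles touched by the pixel range [origin, origin + len) on one axis.
pub fn tile_span(origin: u32, len: u32, tile_size: u32) -> Result<TileSpan, TileError> {
    let start = tile_index(origin, tile_size)?; // also rejects tile_size == 0
    let end_px = origin.saturating_add(len).saturating_add(tile_size - 1);
    Ok(TileSpan { start, end: tile_index(end_px, tile_size)? })
}

/// Assumed mitigation: clamp the range to the image extent before dividing,
/// so content-controlled offsets cannot produce out-of-range indices.
pub fn tile_span_clamped(origin: u32, len: u32, image_len: u32, tile_size: u32)
    -> Result<TileSpan, TileError> {
    let lo = origin.min(image_len);
    let hi = origin.saturating_add(len).min(image_len);
    tile_span(lo, hi - lo, tile_size)
}

fn main() {
    // Values from the lldb dump above; the 4096 px image height is constructed.
    println!("{:?}", tile_span(113250, 1601, 256));
    println!("{:?}", tile_span(26843548, 2001, 256));
    println!("{}", truncating_index(26843548, 256));
    println!("{:?}", tile_span_clamped(26843548, 2001, 4096, 256));
}
```

The x axis of the dumped rect fits in u16, the y axis does not, and an unchecked `as u16` cast would have produced a plausible-looking but wrong tile index instead of an error.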
This issue has also been found by a fuzzer. Would a testcase be useful at this point? I ask because I'll need to do it locally.
(In reply to Tyson Smith [:tsmith] from comment #3)
> This issue has also been found by a fuzzer. Would a testcase be useful at
> this point? I ask because I'll need to do it locally.

Yes, a test case would be useful.  Thanks.
Priority: P3 → P2
Flags: needinfo?(twsmith)
Attached file testcase.html
Here is a reduced test case. It only reproduces on older builds. FWIW our fuzzers have not hit this issue since Oct 29.
Flags: needinfo?(twsmith)
Flags: in-testsuite?
Keywords: testcase
With blob tiling enabled, this is covered by the existing crashtest xpcom/string/crashtests/1113005.html, and is now fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED