Closed
Bug 1509123
Opened 6 years ago
Closed 5 years ago
Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084
Categories
(Core :: Graphics: WebRender, defect, P3)
Core
Graphics: WebRender
Tracking
()
RESOLVED
FIXED
mozilla66
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | --- | wontfix |
| firefox66 | --- | fixed |
People
(Reporter: tsmith, Assigned: kats)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase)
Crash Data
Attachments
(2 files)
Reduced with m-c: BuildID=20181120164749 SourceStamp=8eff0a4f5d8f4442ce233d492185a90c460846ef Hit MOZ_CRASH(attempt to multiply with overflow) at gfx/webrender/src/resource_cache.rs:1084 #0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:311:3 #1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5350:3 #2 gkrust_shared::panic_hook::h656ed0b38bd6bc6d src/toolkit/library/rust/shared/lib.rs:234:8 #3 core::ops::function::Fn::call::h7805ce02ed763bba src/libcore/ops/function.rs:78:4 #4 std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16 #5 std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4 #6 rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4 #7 core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13 #8 core::panicking::panic::haa57ffd51eb03b56 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:52:4 #9 webrender::resource_cache::ResourceCache::create_blob_scene_builder_requests::h109a143243ed5bdd src/gfx/webrender/src/resource_cache.rs:1084:22 #10 webrender::render_backend::RenderBackend::prepare_transaction::h30978dc788e61276 src/gfx/webrender/src/render_backend.rs:1079 #11 webrender::render_backend::RenderBackend::process_api_msg::h727535a692239dd9 src/gfx/webrender/src/render_backend.rs:1025 #12 webrender::render_backend::RenderBackend::run::hc7c3f13760f6d726 src/gfx/webrender/src/render_backend.rs:800:20 #13 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h118322e7a5f57d4f src/gfx/webrender/src/renderer.rs:1951:12 #14 std::sys_common::backtrace::__rust_begin_short_backtrace::h4690b5b93940c612 src/libstd/sys_common/backtrace.rs:136 #15 std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h60b4a4c67de8111a src/libstd/thread/mod.rs:409:20 #16 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h0a79177324334219 src/libstd/panic.rs:313 #17 std::panicking::try::do_call::hac5779da819c8173 src/libstd/panicking.rs:310 #18 __rust_maybe_catch_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libpanic_abort/lib.rs:41:4
Flags: in-testsuite?
|
Assignee | |
Comment 1•6 years ago
|
||
tiles.size is 490961×446328 so the multiply is overflowing. Looks like an easy fix.
Assignee: nobody → kats
|
|
Assignee | |
Comment 2•6 years ago
|
||
So I can fix the overflow crash but it would really just be papering over a gecko-side problem where we're requesting a giant blob. The scale at [1] is massive, so the dtSize ends up massive. It might be that using ChooseScaleAndSetTransform will helper here by giving us more sane scale values, so let's wait until that's in. [1] https://searchfox.org/mozilla-central/rev/876022232b15425bb9efde189caf747823b39567/gfx/layers/wr/WebRenderCommandBuilder.cpp#1913
Assignee: kats → nobody
Depends on: 1415987
|
||
Updated•6 years ago
|
Priority: -- → P3
|
|
||
Updated•5 years ago
|
Blocks: stage-wr-next
|
|
Assignee | |
Comment 3•5 years ago
|
||
Bug 1415987 didn't help here, this still crashes for me.
|
|
Assignee | |
Comment 4•5 years ago
|
||
In non-debug builds we actually don't crash (because no overflow checks) but instead it tries to allocate all the memory and freezes the browser. I think this is worth fixing, and isn't particularly hard.
Assignee: nobody → kats
|
||
Comment 5•5 years ago
|
||
bp-293d33bf-89c7-457d-b950-340590181227
Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | gkrust_shared::oom_hook::hook ]
status-firefox66:
--- → affected
|
|
Assignee | |
Comment 6•5 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=b3e1f1e97f16943e4cfc41834371ccb6c00a39c0
|
|
Assignee | |
Updated•5 years ago
|
See Also: → https://github.com/servo/webrender/pull/3449
|
|
Assignee | |
Comment 7•5 years ago
|
||
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/060057e8d0eb Add crashtest. r=kvark
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/060057e8d0eb
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
|
||
Updated•5 years ago
|
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•