Closed Bug 1513019 Opened 7 years ago Closed 6 years ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at libcore/option.rs:345

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase)

Attachments

(2 files)

testcase.html
150 bytes, text/html
Details
Bug 1513019 - Fix plane splitting with complex, axis-aligned transforms.
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
Attached file testcase.html
Reduced with m-c: BuildID=20181210160334 SourceStamp=68151063d1c63ce445d67aa743a018d7f66fbb4d Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at libcore/option.rs:345 #0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 #1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5124:3 #2 gkrust_shared::panic_hook::h80f9b4ed5c0796b3 src/toolkit/library/rust/shared/lib.rs:234:8 #3 core::ops::function::Fn::call::hac0477c01f4e8ad0 src/libcore/ops/function.rs:78:4 #4 std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16 #5 std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4 #6 rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4 #7 core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13 #8 core::panicking::panic::haa57ffd51eb03b56 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:52:4 #9 _$LT$core..option..Option$LT$T$GT$$GT$::unwrap::h8f28ae9fbab073da src/libcore/macros.rs:20:8 #10 webrender::picture::PicturePrimitive::add_split_plane::hf13e74b4369553cb src/gfx/wr/webrender/src/picture.rs:1755 #11 webrender::prim_store::PrimitiveStore::prepare_prim_for_render::h83e1a567fc42d62b src/gfx/wr/webrender/src/prim_store/mod.rs:2558:24 #12 webrender::prim_store::PrimitiveStore::prepare_primitives::h908e5c4715fcffb9 src/gfx/wr/webrender/src/prim_store/mod.rs:2681:15 #13 webrender::prim_store::PrimitiveStore::prepare_prim_for_render::h83e1a567fc42d62b src/gfx/wr/webrender/src/prim_store/mod.rs:2352:16 #14 webrender::prim_store::PrimitiveStore::prepare_primitives::h908e5c4715fcffb9 src/gfx/wr/webrender/src/prim_store/mod.rs:2681:15 #15 webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::ha1834e6f5d8a1896 src/gfx/wr/webrender/src/frame_builder.rs:317:8 #16 webrender::frame_builder::FrameBuilder::build::hf51392b57845c8fe src/gfx/wr/webrender/src/frame_builder.rs:403 #17 webrender::render_backend::Document::build_frame::habd8b995b33bfbc6 src/gfx/wr/webrender/src/render_backend.rs:452:24 #18 webrender::render_backend::RenderBackend::update_document::hf81d6f0b29a2b8e1 src/gfx/wr/webrender/src/render_backend.rs:1291:40 #19 webrender::render_backend::RenderBackend::prepare_transaction::h8e33f2ac22571c2f src/gfx/wr/webrender/src/render_backend.rs:1148:12 #20 webrender::render_backend::RenderBackend::process_api_msg::h3d68a9e92dad4805 src/gfx/wr/webrender/src/render_backend.rs:1083 #21 webrender::render_backend::RenderBackend::run::h9745523df5a862a0 src/gfx/wr/webrender/src/render_backend.rs:858:20 #22 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hb5a5e44a298f1c68 src/gfx/wr/webrender/src/renderer.rs:1963:12 #23 std::sys_common::backtrace::__rust_begin_short_backtrace::h52306ce0db85680b src/libstd/sys_common/backtrace.rs:136 #24 std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hf190f06e7ae1328c src/libstd/thread/mod.rs:409:20 #25 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h943cb4428de85bf7 src/libstd/panic.rs:313 #26 std::panicking::try::do_call::h4ce4e739a5dd0632 (.llvm.7691925630118174454) src/libstd/panicking.rs:310 #27 __rust_maybe_catch_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libpanic_abort/lib.rs:41:4
Flags: in-testsuite?
Blocks: wr-fuzz
Blocks: stage-wr-next
Priority: -- → P3

This crash still happens, I just repro'd on the latest macOS nightly. It produced the report at https://crash-stats.mozilla.org/report/index/c0351dcd-a07b-4e84-a964-7bfe00190413 with the useless [@ GeckoCrash] signature. I've filed bug 1544246 to add that frame to the skiplist.

Glenn, since we have a testcase (attached above), could you take a look? The GeckoCrash signature was pretty high on the list of crashes for 67 beta, although there might be multiple different crashes lumped into that.

Flags: needinfo?(gwatson)

This is a fix for crash bug https://bugzilla.mozilla.org/show_bug.cgi?id=1513019.

Ideally I'd get Dzmitry to take a look over this, as I don't know this code too well, but he's on PTO right now. I think what this code tries to do is use a simpler / more accurate method of plane splitting when the transform is simple (e.g. the case of stacked planes on the z-axis). However, the simple path check was also passing for transforms that were failing to produce a reasonable inverted matrix. Instead, we now only run that simple path for matrices that are pure translations.

This fixes the crash and the try run looks good. I think this should be safe to merge, but we should probably wait until Dzmitry can take a look before uplift to beta, if time permits.

Try run looks good:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a3465dd26f6e455de2893d77be2db13eac79a574

Flags: needinfo?(gwatson)
Assignee: nobody → gwatson
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b4a7ea516329 Fix plane splitting with complex, axis-aligned transforms. r=emilio,kats

https://hg.mozilla.org/mozilla-central/rev/b4a7ea516329

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9058185 [details]
Bug 1513019 - Fix plane splitting with complex, axis-aligned transforms.

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: None
  • User impact if declined: Crashes when WebRender is enabled, on pages that contain transforms with very large scale values. These are fairly rare, but are one of the top crash bugs in the WebRender release experiment.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It's a small patch that only affects users enrolled in WebRender, and only a code path that is hit on a small number of pages. The patch has been in nightly for a couple days now. The patch itself is very small and easy to back out if any issues are caused.
  • String changes made/needed:
Attachment #9058185 - Flags: approval-mozilla-beta?

Comment on attachment 9058185 [details]
Bug 1513019 - Fix plane splitting with complex, axis-aligned transforms.

Fix for a webrender crash, uplift approved for 67 beta 12, thanks.

Attachment #9058185 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Regressions: 1557875
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: