Closed Bug 1522667 Opened 5 years ago Closed 3 years ago

Assertion failure: [GFX1 28]: ImageRenderer::Draw problem 0, at src/gfx/2d/Logging.h:747

Categories

(Core :: Graphics: WebRender, defect, P3)

defect

Tracking

()

RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox66 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- fixed

People

(Reporter: tsmith, Assigned: jrmuizel)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [stockwell unknown][fuzzblocker])

Crash Data

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html

Assertion failure: [GFX1 28]: ImageRenderer::Draw problem 0, at src/gfx/2d/Logging.h:747

#0 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::string const&) src/gfx/2d/Logging.h:748:9
#1 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() src/gfx/2d/Logging.h:286:7
#2 mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::~Log() src/gfx/2d/Logging.h:279:12
#3 mozilla::nsImageRenderer::Draw(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsRect const&, nsPoint const&, nsSize const&, mozilla::gfx::IntRectTyped<mozilla::CSSPixel> const&, float) src/layout/painting/nsImageRenderer.cpp:441:7
#4 mozilla::nsImageRenderer::DrawLayer(nsPresContext*, gfxContext&, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, nsSize const&, float) src/layout/painting/nsImageRenderer.cpp:706:10
#5 nsCSSRendering::PaintStyleImageLayerWithSC(nsCSSRendering::PaintBGParams const&, gfxContext&, mozilla::ComputedStyle*, nsStyleBorder const&) src/layout/painting/nsCSSRendering.cpp:2607:38
#6 PaintMaskSurface(nsSVGIntegrationUtils::PaintFramesParams const&, mozilla::gfx::DrawTarget*, float, mozilla::ComputedStyle*, nsTArray<nsSVGMaskFrame*> const&, mozilla::gfx::BaseMatrix<float> const&, nsPoint const&) src/layout/svg/nsSVGIntegrationUtils.cpp:486:35
#7 nsSVGIntegrationUtils::PaintMask(nsSVGIntegrationUtils::PaintFramesParams const&) src/layout/svg/nsSVGIntegrationUtils.cpp:806:5
#8 nsDisplayMasksAndClipPaths::PaintMask(nsDisplayListBuilder*, gfxContext*, bool*) src/layout/painting/nsDisplayList.cpp:8805:18
#9 mozilla::layers::WebRenderCommandBuilder::BuildWrMaskImage(nsDisplayMasksAndClipPaths*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:2335:20
#10 CreateWRClipPathAndMasks(nsDisplayMasksAndClipPaths*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::wr::DisplayListBuilder&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:9058:60
#11 nsDisplayMasksAndClipPaths::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*) src/layout/painting/nsDisplayList.cpp:9082:51
#12 mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1638:38
#13 mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, mozilla::wr::TypedSize2D<float, mozilla::wr::LayoutPixel>&, nsTArray<mozilla::wr::FilterOp> const&) src/gfx/layers/wr/WebRenderCommandBuilder.cpp:1461:5
#14 mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, nsTArray<mozilla::wr::FilterOp> const&, mozilla::layers::WebRenderBackgroundData*) src/gfx/layers/wr/WebRenderLayerManager.cpp:277:30
#15 nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2631:18
#16 nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3788:12
#17 mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6079:5
#18 nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:461:19
#19 nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:396:33
#20 nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1030:5
#21 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1961:11
#22 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:305:7
#23 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:322:5
#24 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:647:16
#25 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:547:9
#26 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#27 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#28 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
#29 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2160:21
#30 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2087:9
#31 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1936:3
#32 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1967:13
#33 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1160:14
#34 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#35 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
#36 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#37 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#38 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#39 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
#40 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#41 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#42 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#43 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#44 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#45 main src/browser/app/nsBrowserApp.cpp:265:184)
Flags: in-testsuite?

Looks like this "ImageRenderer::Draw problem" logging comes from bug 1279929 (a while back).

jwatt, do you know what this means?

Depends on: 1279929
Flags: needinfo?(jwatt)

It means that CreateSimilarDrawTarget failed to create the DrawTarget or else the DrawTarget is in error, and that attempts to use the DT will fail. I guess someone with WebRender knowledge may want to figure out why that is. Over to Matt to decide whether that's something someone on WR has time to look at right now.

(FWIW, regarding bug 1279929, the addition of the error checking there was a necessary expansion of the error checks below. If we were to revert that patch I'd expect it to fail on the pre-existing check that's below the current failing check.)

Flags: needinfo?(jwatt) → needinfo?(matt.woodrow)
Priority: -- → P3
Crash Signature: [@ mozilla::nsImageRenderer::Draw ]
Component: Layout → Graphics: WebRender
Flags: needinfo?(matt.woodrow) → needinfo?(aosmond)

I'm not surprised it fails to create a draw target. I reproduced and generated a crash report: https://crash-stats.mozilla.org/report/index/185ca04b-822f-4856-851d-b9c7d0190503#tab-metadata

From the crash log GraphicsCriticalError annotation:

|[C0][GFX1-]: Failed to allocate a surface due to invalid size (CDT) Size(2690,143352) (t=22.6599)
|[C1][GFX1 28]: ImageRenderer::Draw problem 0 (t=22.66)

It tries to allocate a giant surface, which would need a ton of memory, so it bails. I think it is reasonable to disable crashing in nightly due to scenarios like this.

Flags: needinfo?(aosmond)

(In reply to Andrew Osmond [:aosmond] from comment #3)

It tries to allocate a giant surface, which would need a ton of memory, so it bails.
I think it is reasonable to disable crashing in nightly due to scenarios like this.

Is this something you have cycles to address, aosmond?

Looks like we're still getting a trickle of crashes here (in terms of treeherder intermittent-failure reports, as well as in-the-wild crash reports with this signature).

(Not sure if "disable crashing in nightly due to scenarios like this" would mean softening the assertion, vs. switching something from infallible to fallible allocation, vs. something else.)

Flags: needinfo?(aosmond)

Softening the assertion. The real fix would need to come with a different way of handling SVG / masks I think. There will need to be a follow up bug I imagine.

Flags: needinfo?(aosmond)
Assignee: nobody → aosmond

This patch papers over a dev crash, where we fail to allocate a draw
target because the required draw target is too big and exceeds our
maximum size. Presumably non-WebRender does something smarter and is
able to avoid the large allocation. We should improve the WebRender
path in a follow up bug.

This looks like the same class of bug as bug 1524418, bug 1541113, bug 1513133, bug 1508822, bug 1508811 etc, and probably requires the same sort of fix (i.e. calling CanCreateXXXDrawTarget and aborting if it returns false).

Marking as a fuzzblocker[1] since the fuzzers are constantly tripping over this.
[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers

Andrew: Can you please have a look when you have a moment?

Flags: needinfo?(aosmond)
Whiteboard: [stockwell unknown] → [stockwell unknown][fuzzblocker]
Attachment #9152288 - Attachment is obsolete: true
Assignee: aosmond → nobody
Flags: needinfo?(aosmond)

Jeff, the fuzzers really like to trip over this.

A Pernosco session is available here: https://pernos.co/debug/1Bex-i9nlrXB8KRTDPxGtw/index.html

I think this may be fixed by the patch on bug 1711142

Depends on: 1711142
Flags: needinfo?(jmuizelaar)

The attached test case is no longer reproducible. Thanks!

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Assignee: nobody → jmuizelaar
Target Milestone: --- → 91 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: