Closed Bug 1563609 Opened 7 months ago Closed 3 months ago

Crash in [@ webrender::clip::ClipChainStack::push_clip]

Categories

(Core :: Graphics: WebRender, defect, P3, critical)

69 Branch
x86_64
Windows 10
defect

RESOLVED WONTFIX
Tracking Status
firefox69 --- fix-optional
firefox70 --- fix-optional

People

(Reporter: darkspirit, Unassigned)

References

(Blocks 2 open bugs, Regression)

Crash Data

Seen on Socorro.

This bug is for crash report bp-69cb0da8-60d5-48f0-a45e-da3880190702.

index out of bounds: the len is 754 but the index is 4026531839

Top 10 frames of crashing thread:

0 xul.dll GeckoCrash toolkit/xre/nsAppRunner.cpp:5164
1 xul.dll static void gkrust_shared::panic_hook toolkit/library/rust/shared/lib.rs:246
2 xul.dll static void core::ops::function::Fn::call<fn src/libcore/ops/function.rs:69
3 xul.dll static void std::panicking::rust_panic_with_hook src/libstd/panicking.rs:478
4 xul.dll static void std::panicking::continue_panic_fmt src/libstd/panicking.rs:381
5 xul.dll static void std::panicking::rust_begin_panic src/libstd/panicking.rs:308
6 xul.dll static void core::panicking::panic_fmt src/libcore/panicking.rs:85
7 xul.dll void core::panicking::panic_bounds_check src/libcore/panicking.rs:61
8 xul.dll static void webrender::clip::ClipChainStack::push_clip gfx/wr/webrender/src/clip.rs
9 xul.dll static union core::option::Option<euclid::rect::TypedRect<f32, webrender_api::units::PicturePixel>> webrender::prim_store::PrimitiveStore::update_visibility gfx/wr/webrender/src/prim_store/mod.rs:2025

8 xul.dll static void webrender::clip::ClipChainStack::push_clip gfx/wr/webrender/src/clip.rs

https://hg.mozilla.org/mozilla-central/log/0176f11e448f372c7d45dcff967d6773efda9ed5/gfx/wr/webrender/src/clip.rs
This file was last touched by bug 1558106.

9 xul.dll static union core::option::Option<euclid::rect::TypedRect<f32, webrender_api::units::PicturePixel>> webrender::prim_store::PrimitiveStore::update_visibility gfx/wr/webrender/src/prim_store/mod.rs:2025

https://hg.mozilla.org/mozilla-central/annotate/0176f11e448f372c7d45dcff967d6773efda9ed5/gfx/wr/webrender/src/prim_store/mod.rs#l2025
This line was last touched by bug 1558106.

There is one other occurrence of this signature with 67, but from the date of first occurrence within 69 this could be a regression from bug 1558106.
(Does this make sense or is this some unactionable crash that didn't deserve to be reported?)

Keywords: regression
Regressed by: 1558106
See Also: → 1563615
Duplicate of this bug: 1563615
Crash Signature: [@ webrender::clip::ClipChainStack::push_clip] → [@ webrender::clip::ClipChainStack::push_clip] [@ webrender::clip::ClipSpaceConversion::new]
Crash Signature: [@ webrender::clip::ClipChainStack::push_clip] [@ webrender::clip::ClipSpaceConversion::new] → [@ webrender::clip::ClipChainStack::push_clip] [@ webrender::clip::ClipSpaceConversion::new]

The priority flag is not set for this bug.
:jbonisteel, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jbonisteel)
Flags: needinfo?(jbonisteel) → needinfo?(gwatson)
Blocks: wr-69
Priority: -- → P3

Do we have any URLs / repro steps for this one?

If I'm reading the crash details above correctly, we typically see 1-2 crashes / day with this, so it seems rare enough that we'll need a reliable URL / repro to fix this (although it's likely to be a simple fix once we can repro).

Flags: needinfo?(gwatson)
No longer blocks: wr-69

Mostly youtube.com

Nical, are you able to reproduce this crash?

Flags: needinfo?(nical.bugzilla)

I wasn't able to reproduce this on youtube or anywhere else, and looking at the crash volume, it's unlikely I'll be able to without a specific testcase.

From the crash reports, the invalid value of the ClipChainId is often very large, to a point that it's very unlikely (impossible really) that the array of clip chain nodes ever got big enough for such values to be generated in add_clip_chain_node.
From a look at the code, I couldn't see other places where we initialize the value, other than the few places where we create ClipChainId::INVALID and ClipChainId::NONE values, but the invalid values aren't close to these two.
Also I couldn't find a place where we do any kind of arithmetic on these ids.

All crashes appear to be on AMD CPUs.

Flags: needinfo?(nical.bugzilla)
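
Added example, not part of the bug thread or of WebRender's code: a Rust triage helper for the question raised in the comment above, checking whether an out-of-range index lies within a few flipped bits of a sentinel or of an in-bounds index. The sentinel values (u32::MAX for NONE, 0xDEADBEEF for INVALID) and every name in the block are assumptions; the len and index used in main are the ones from this bug's panic message.

```rust
/// Result of comparing a crashing index against the array length and known sentinels.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    InBounds,
    Sentinel(&'static str),
    /// Differs from the named sentinel by `bits` flipped bits.
    NearSentinel { name: &'static str, bits: u32 },
    /// Differs from some in-bounds index by `bits` flipped bits.
    NearValid { bits: u32 },
    Unexplained,
}

// Assumed values: the page names NONE and INVALID but does not give their values.
pub const SENTINELS: [(&str, u32); 2] = [("NONE", u32::MAX), ("INVALID", 0xDEAD_BEEF)];

/// Classify `index` against `len`, treating up to `max_bits` flipped bits as "near".
pub fn classify(index: u32, len: u32, max_bits: u32) -> Verdict {
    if index < len {
        return Verdict::InBounds;
    }
    // Closest sentinel by Hamming distance (popcount of the XOR).
    let (name, bits) = SENTINELS
        .iter()
        .map(|&(n, v)| (n, (index ^ v).count_ones()))
        .min_by_key(|&(_, b)| b)
        .expect("SENTINELS is non-empty");
    if bits == 0 {
        return Verdict::Sentinel(name);
    }
    if bits <= max_bits {
        return Verdict::NearSentinel { name, bits };
    }
    // Closest in-bounds index; brute force is fine for array-sized lengths.
    match (0..len).map(|i| (index ^ i).count_ones()).min() {
        Some(b) if b <= max_bits => Verdict::NearValid { bits: b },
        _ => Verdict::Unexplained,
    }
}

fn main() {
    // Values from this bug's panic message: len 754, index 4026531839.
    println!("{:?}", classify(4_026_531_839, 754, 2));
}
```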

Volume is too low.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → WONTFIX