Closed
Bug 1565039
Opened 5 years ago
Closed 5 years ago
Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) in [@ webrender::picture::PicturePrimitive::take_context]
Categories
(Core :: Graphics: WebRender, defect, P2)
Core
Graphics: WebRender
Tracking
()
RESOLVED
FIXED
mozilla70
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | disabled |
| firefox68 | --- | wontfix |
| firefox69 | --- | fixed |
| firefox70 | --- | fixed |
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, crash, testcase)
Crash Data
Attachments
(2 files)
|
125 bytes,
text/html
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
Reduced with m-c:
BuildID=20190710154620
SourceStamp=241af4dbb96483e0b9371681d2f19e4f28e5d6ed
Hit MOZ_CRASH(called Option::unwrap() on a None value) at src/libcore/option.rs:347
#0 MOZ_Crash(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:313:3
#1 GeckoCrash src/toolkit/xre/nsAppRunner.cpp:5154
#2 gkrust_shared::panic_hook::hb1570719fda3f15d src/toolkit/library/rust/shared/lib.rs:246:8
#3 core::ops::function::Fn::call::h34680b1931d9c950 /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libcore/ops/function.rs:69:4
#4 std::panicking::rust_panic_with_hook::h057ff03eb4c8000f /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/panicking.rs:478:16
#5 std::panicking::continue_panic_fmt::ha6d6ae144369025b /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/panicking.rs:381:4
#6 rust_begin_unwind /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/panicking.rs:308:4
#7 core::panicking::panic_fmt::hc4f83bfed80aeabd /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libcore/panicking.rs:85:13
#8 core::panicking::panic::h62fdcfa056e70982 /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libcore/panicking.rs:49:4
#9 webrender::picture::PicturePrimitive::take_context::hd089a5fd68a1bb0e /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libcore/option.rs
#10 webrender::prim_store::PrimitiveStore::prepare_prim_for_render::hf714d92facd3f82f src/gfx/wr/webrender/src/prim_store/mod.rs:2605:26
#11 webrender::prim_store::PrimitiveStore::prepare_primitives::ha35cf90b02de4491 src/gfx/wr/webrender/src/prim_store/mod.rs:2751
#12 webrender::prim_store::PrimitiveStore::prepare_prim_for_render::hf714d92facd3f82f src/gfx/wr/webrender/src/prim_store/mod.rs:2648:16
#13 webrender::prim_store::PrimitiveStore::prepare_primitives::ha35cf90b02de4491 src/gfx/wr/webrender/src/prim_store/mod.rs:2751
#14 webrender::prim_store::PrimitiveStore::prepare_prim_for_render::hf714d92facd3f82f src/gfx/wr/webrender/src/prim_store/mod.rs:2648:16
#15 webrender::prim_store::PrimitiveStore::prepare_primitives::ha35cf90b02de4491 src/gfx/wr/webrender/src/prim_store/mod.rs:2751
#16 webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers::h9e84a108a9783407 src/gfx/wr/webrender/src/frame_builder.rs:473:12
#17 webrender::frame_builder::FrameBuilder::build::h6fbe3ac63d9af2c6 src/gfx/wr/webrender/src/frame_builder.rs:553
#18 webrender::render_backend::Document::build_frame::h04742c3342080226 src/gfx/wr/webrender/src/render_backend.rs:527:24
#19 webrender::render_backend::RenderBackend::update_document::hc1d7e26eeeb8fde3 src/gfx/wr/webrender/src/render_backend.rs:1483:40
#20 webrender::render_backend::RenderBackend::prepare_transactions::h24efcdcae2180b08 src/gfx/wr/webrender/src/render_backend.rs:1311:16
#21 webrender::render_backend::RenderBackend::process_api_msg::h9a3d0833e0916ee0 src/gfx/wr/webrender/src/render_backend.rs:1203
#22 webrender::render_backend::RenderBackend::run::h8abf772c9c918bbc src/gfx/wr/webrender/src/render_backend.rs:960:20
#23 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h30dc8c035e1490a5 src/gfx/wr/webrender/src/renderer.rs:2116:12
#24 std::sys_common::backtrace::__rust_begin_short_backtrace::hcfc60e8bf3f43e65 /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/sys_common/backtrace.rs:136
#25 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::ha855a0ac1607394a /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/thread/mod.rs:470:16
#26 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hc6f23eba7438d81c /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/panic.rs:315
#27 std::panicking::try::do_call::h349c9fa07c5ad162 (.llvm.12029418400563263698) /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libstd/panicking.rs:293
#28 __rust_maybe_catch_panic /rustc/a53f9df32fbb0b5f4382caaad8f1a46f36ea887c/src/libpanic_abort/lib.rs:29:4
Flags: in-testsuite?
|
Reporter | |
Updated•5 years ago
|
Summary: Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at src/libcore/option.rs:347 → Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) in [@ webrender::picture::PicturePrimitive::take_context]
|
||
Comment 1•5 years ago
|
||
bp-914139f1-c99e-4c62-bc53-baf340190710
bug 1520682 had the same crash signature.
Crash Signature: [@ webrender::picture::PicturePrimitive::take_context ]
See Also: → 1520682
|
Assignee | |
Comment 2•5 years ago
|
||
Looks like we are crashing on this line
because unclipped is bigger than an int 32 can hold.
|
|
Assignee | |
Comment 3•5 years ago
|
||
The final clipped result should hopefully not overflow.
|
||
Updated•5 years ago
|
Priority: -- → P3
|
|
||
Updated•5 years ago
|
Priority: P3 → P2
|
||
Updated•5 years ago
|
Attachment #9077568 -
Attachment description: Bug 1565039. In PicturePrimitive::take_context do calculation in float in case the unclipped rect is too big for int. r?gw → Bug 1565039. In PicturePrimitive::take_context do calculation in float in case the unclipped rect is too big for int. r=gw
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1eccd466e641 In PicturePrimitive::take_context do calculation in float in case the unclipped rect is too big for int. r=gw
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
||
Updated•5 years ago
|
Assignee: nobody → tnikkel
|
||
Comment 6•5 years ago
|
||
Is this something we should consider for Beta uplift for Fx69 or can it ride with Fx70 to release?
status-firefox68:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → disabled
Flags: needinfo?(tnikkel)
Flags: in-testsuite?
Flags: in-testsuite+
|
|
Assignee | |
Comment 8•5 years ago
|
||
Comment on attachment 9077568 [details]
Bug 1565039. In PicturePrimitive::take_context do calculation in float in case the unclipped rect is too big for int. r=gw
Beta/Release Uplift Approval Request
- User impact if declined: crash with webrender sometimes (only specially crafted page would trigger the crash)
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just handles a case of a float rect overflowing valid values of int32 similarly to how other invalid inputs are handled when drawing drop shadows and blurs
- String changes made/needed:
Attachment #9077568 -
Flags: approval-mozilla-beta?
|
|
||
Comment 9•5 years ago
|
||
Comment on attachment 9077568 [details]
Bug 1565039. In PicturePrimitive::take_context do calculation in float in case the unclipped rect is too big for int. r=gw
Fixes a WebRender crash. Approved for 69.0b10.
Attachment #9077568 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 10•5 years ago
|
||
| bugherder uplift | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•