Closed Bug 1582975 Opened 2 years ago Closed 2 years ago

Crash in [@ webrender::prim_store::PrimitiveStore::update_visibility]

Categories

(Core :: Graphics: WebRender, defect, P2)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: emilio, Assigned: aosmond)

References

(Regression)

Details

(Keywords: crash, regression, regressionwindow-wanted)

Attachments

(1 file)

This bug is for crash report bp-0b64084b-fec2-4ad9-9319-a54380190921.

Top 10 frames of crashing thread:

0 libxul.so gkrust_shared::panic_hook mfbt/Assertions.h:313
1 libxul.so core::ops::function::Fn::call src/libcore/ops/function.rs:69
2 libxul.so std::panicking::rust_panic_with_hook src/libstd/panicking.rs:481
3 libxul.so std::panicking::begin_panic src/libstd/panicking.rs:411
4 libxul.so webrender::prim_store::PrimitiveStore::update_visibility gfx/wr/webrender/src/image.rs:229
5 libxul.so webrender::prim_store::PrimitiveStore::update_visibility gfx/wr/webrender/src/prim_store/mod.rs:1974
6 libxul.so webrender::prim_store::PrimitiveStore::update_visibility gfx/wr/webrender/src/prim_store/mod.rs:1974
7 libxul.so webrender::frame_builder::FrameBuilder::build_layer_screen_rects_and_cull_layers gfx/wr/webrender/src/frame_builder.rs:340
8 libxul.so webrender::frame_builder::FrameBuilder::build gfx/wr/webrender/src/frame_builder.rs:478
9 libxul.so webrender::render_backend::Document::build_frame gfx/wr/webrender/src/render_backend.rs:543

I'm crashing all the time with this when scrolling treeherder, so something like opening this link and scrolling down.

For some reason the URL in the crash report is about:newtab. That looks bad.

Message is:

assertion failed: tile_offset.y < self.y.tile_range.end

Maybe the recent snapping changes?

Flags: needinfo?(aosmond)
Has STR: --- → yes
Keywords: regression
OS: Linux → All
Priority: -- → P2
Hardware: Unspecified → All

I'm hitting this all the time on Treeherder and it's becoming really annoying (I know I can turn off WebRender...). If we can't fix this week, is there a regressing patch we should consider backing out?

Nical, this is your assert. Thoughts?

Flags: needinfo?(nical.bugzilla)

Looks like the uptick began on September 18/19th, around when bug 1570081 landed, and I see that changed the tile calculations.

Flags: needinfo?(aosmond)

Crash reports suggest 20190918100042 is the exact build where the uptick began, same as bug 1570081. Looks like the most likely candidate from the pushlog:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9596d7f4a745&tochange=ce04e402c705c8ee9d491c3cef11a3876af2680f

Priority: P2 → P1
Regressed by: 1570081
Priority: P1 → P2

I'm guessing https://hg.mozilla.org/mozilla-central/rev/32951c9cc186 specifically is the part that introduced the problem.

This line should prevent the y tile offset from overflowing:

https://searchfox.org/mozilla-central/rev/23f836a71cfe961373c8bd0d0219ec60a64b3c8f/gfx/wr/webrender/src/image.rs#191

The fact that it didn't save us suggests that the initial current tile is outside the bounds.

The updated visible rect feeds into this calculation:

https://searchfox.org/mozilla-central/rev/f1e99da78fe6c3c68696358dac06aed90f8112d3/gfx/wr/webrender/src/image.rs#374

Maybe the new start/end don't result in a contiguous range.

I managed to reproduce in a CI build with a new assert to confirm my suspicion:

https://crash-stats.mozilla.org/report/index/5022e9b5-8d00-4e80-92cb-bbd4a0190927

Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c64546d80cf8
Ensure that we don't attempt to iterate over image tiles outside the range. r=jrmuizel
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → aosmond
Flags: needinfo?(nical.bugzilla)
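
The failure mode discussed in this thread (a tile iterator whose starting tile is already outside the tile range), as an added Rust example that is neither WebRender's code nor the patch that landed. It assumes the end-of-rows check runs only when x wraps; the `Tile` and `TileIter` names and the guard shown are hypothetical.

```rust
// Simplified, hypothetical model of a 2D tile iterator (not WebRender's image.rs).
use std::ops::Range;

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Tile { pub x: i32, pub y: i32 }
pub struct TileIter { x: Range<i32>, y: Range<i32>, cur: Tile }

impl TileIter {
    /// Trusts the caller: starts at (x.start, y.start) even if a range is empty.
    pub fn unchecked(x: Range<i32>, y: Range<i32>) -> Self {
        let cur = Tile { x: x.start, y: y.start };
        TileIter { x, y, cur }
    }

    /// Guarded: an empty or inverted range on either axis starts exhausted.
    pub fn guarded(x: Range<i32>, y: Range<i32>) -> Self {
        let mut it = Self::unchecked(x, y);
        if it.x.is_empty() || it.y.is_empty() {
            it.cur = Tile { x: it.x.end, y: it.y.end };
        }
        it
    }
}

impl Iterator for TileIter {
    type Item = Tile;
    fn next(&mut self) -> Option<Tile> {
        // The end-of-rows check runs only when x wraps, so it never sees a bad start tile.
        if self.cur.x >= self.x.end {
            self.cur.y += 1;
            if self.cur.y >= self.y.end { return None; }
            self.cur.x = self.x.start;
        }
        let tile = self.cur;
        // Same invariant as the assertion message in the crash report.
        assert!(tile.y < self.y.end, "tile y {} outside {:?}", tile.y, self.y);
        self.cur.x += 1;
        Some(tile)
    }
}

/// Returns true if walking the unchecked iterator trips the invariant.
pub fn unchecked_panics(x: Range<i32>, y: Range<i32>) -> bool {
    std::panic::catch_unwind(move || TileIter::unchecked(x, y).count()).is_err()
}

fn main() {
    println!("guarded, empty y range: {} tiles", TileIter::guarded(0..2, 3..3).count());
}
```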