Open Bug 1610395 Opened 5 years ago Updated 2 years ago

Hit MOZ_CRASH(GFX: ToSurfaceDescriptor) at /src/gfx/gl/SharedSurfaceGL.h:69

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

defect

Tracking

()

Tracking Status
firefox74 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

Attachments

(2 files)

Report from m-c 20200120-59873ee30955

The test case is currently being reduced and will be attached once complete.

Hit MOZ_CRASH(GFX: ToSurfaceDescriptor) at /src/gfx/gl/SharedSurfaceGL.h:69

#0 mozilla::gl::SharedSurface_Basic::ToSurfaceDescriptor(mozilla::layers::SurfaceDescriptor*) /src/gfx/gl/SharedSurfaceGL.h:69:5
#1 mozilla::WebGLContext::Present() /src/dom/canvas/WebGLContext.cpp:1119:28
#2 FirePreTransactionCallback /src/gfx/layers/CanvasRenderer.h:130:7
#3 mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient(mozilla::wr::RenderRoot) /src/gfx/layers/ShareableCanvasRenderer.cpp:202:3
#4 mozilla::layers::ClientCanvasLayer::RenderLayer() /src/gfx/layers/client/ClientCanvasLayer.cpp:25:19
#5 mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:53:29
#6 mozilla::layers::ClientContainerLayer::RenderLayer() /src/gfx/layers/client/ClientContainerLayer.h:53:29
#7 mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:352:13
#8 mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /src/gfx/layers/client/ClientLayerManager.cpp:415:3
#9 nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /src/layout/painting/nsDisplayList.cpp:3291:19
#10 nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /src/layout/base/nsLayoutUtils.cpp:4133:13
#11 mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) /src/layout/base/PresShell.cpp:6052:5
#12 nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /src/view/nsViewManager.cpp:461:18
#13 nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /src/view/nsViewManager.cpp:396:22
#14 nsViewManager::ProcessPendingUpdates() /src/view/nsViewManager.cpp:1019:5
#15 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:2178:11
#16 TickDriver /src/layout/base/nsRefreshDriver.cpp:374:13
#17 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:351:7
#18 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:368:5
#19 RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:820:5
#20 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:740:16
#21 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:538:20
#22 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1220:14
#23 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#24 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:87:21
#25 RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#26 RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#27 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#28 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#29 nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:272:30
#30 XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4603:22
#31 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4740:8
#32 XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4821:21
#33 do_main /src/browser/app/nsBrowserApp.cpp:217:22
#34 main /src/browser/app/nsBrowserApp.cpp:339:16
Attached file testcase.html
Attached file prefs.js

The test case seems to require this prefs.js file. Since that test is very simple maybe there is something that should be set while fuzzing?

Could you reduce the number of modified prefs? The testcase is basically "basic webgl creation crashes", so the pref list is suspect. (but long, and it looks like even has no-longer-existent prefs)

Flags: needinfo?(twsmith)
Priority: -- → P3

Looks like the culprit is browser.tabs.remote.autostart=false

Flags: needinfo?(twsmith)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: