Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Paint() is not implemented!), at layout/painting/nsDisplayList.h:3232
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])
Attachments
(5 files, 1 obsolete file)
|
115 bytes,
text/html
|
Details | |
|
7.64 KB,
application/x-javascript
|
Details | |
|
1.34 MB,
text/plain
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta-
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta-
|
Details | Review |
Reduced with m-c 20200520-855249e545c3 and it seems to also require --enable-fuzzing (not sure why)
Test case requires pref gfx.webrender.all=true
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Paint() is not implemented!), at layout/painting/nsDisplayList.h:3232
0|0|libxul.so|nsPaintedDisplayItem::Paint(nsDisplayListBuilder*, gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.h:855249e545c361516a65bcba8f5bc6b423e2d131|3232|0x29
0|1|libxul.so|mozilla::layers::PaintItemByDrawTarget(nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayListBuilder*, RefPtr<mozilla::layers::BasicLayerManager> const&, mozilla::gfx::SizeTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderCommandBuilder.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2064|0x4e
0|2|libxul.so|mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderCommandBuilder.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2285|0x18
0|3|libxul.so|mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, nsDisplayListBuilder*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderCommandBuilder.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2592|0x10
0|4|libxul.so|mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(nsDisplayList*, nsDisplayItem*, nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderCommandBuilder.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1757|0x26
0|5|libxul.so|mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, nsDisplayList*, nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderCommandBuilder.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1578|0x24
0|6|libxul.so|mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(nsDisplayList*, nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/wr/WebRenderLayerManager.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|322|0x26
0|7|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2382|0xb
0|8|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|4142|0x1b
0|9|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|6264|0x1d
0|10|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|460|0x13
0|11|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|395|0x13
0|12|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1018|0x11
0|13|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2203|0xd
0|14|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|373|0xb
0|15|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|367|0x12
0|16|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|745|0x17
0|17|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|644|0xf
0|18|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|55|0x13
0|19|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:27495909b8eb16a2f6224f9af7a0c052f58ac4a1f37ddd12d240b8b6a62795d131a51db23214bbde8ed61a33c6a97d727ae972f588d3f35141a1a66f3aadceeb/ipc/ipdl/PVsyncChild.cpp:|187|0x8
0|20|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:75695bbbf1ec93aad4718f03c359901f1be9ae34cba79945a5c42f3e8a2da054cc4ed1a56d373be9953080b82b366a6cd792a7b5323cd7f0d62bfa3c3b040098/ipc/ipdl/PBackgroundChild.cpp:|6083|0x24
0|21|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2186|0x1c
0|22|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|2110|0x18
0|23|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1958|0xb
0|24|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1989|0x12
0|25|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|1211|0x11
0|26|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|501|0xc
0|27|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|87|0x7
0|28|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:855249e545c361516a65bcba8f5bc6b423e2d131|315|0x17
0|29|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:855249e545c361516a65bcba8f5bc6b423e2d131|290|0x8
0|30|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|137|0xd
0|31|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|909|0xe
0|32|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|237|0x5
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:855249e545c361516a65bcba8f5bc6b423e2d131|315|0x17
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:855249e545c361516a65bcba8f5bc6b423e2d131|290|0x8
0|35|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|740|0x5
0|36|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|56|0x11
0|37|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:855249e545c361516a65bcba8f5bc6b423e2d131|303|0x20
0|38|libc.so.6|__libc_start_main|/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c|291|0x1a
0|39|firefox-bin|_start|||0x29
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Comment 2•4 years ago
|
||
|
Assignee | |
Comment 3•4 years ago
|
||
Can you reduce the prefs file? I tried reproducing with webrender enabled and couldn't.
|
|
Reporter | |
Comment 4•4 years ago
•
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #3)
Can you reduce the prefs file? I tried reproducing with webrender enabled and couldn't.
The only required pref is gfx.webrender.all=true (attached file is for bisection). I don't know why this is so flaky. We are seeing it very frequently while fuzzing. I can repro locally with a debug-fuzzing build but not with a regular debug build. I also cannot reproduce this in a machine in the lab. jkratzer is currently running bisection so hopefully that helps point to the issue.
|
|
Assignee | |
Comment 5•4 years ago
|
||
The output from a reproduction with MOZ_DUMP_PAINT=1 set might be enough to figure it out.
|
|
Reporter | |
Comment 6•4 years ago
|
||
|
||
Comment 7•4 years ago
|
||
Testcase bisects to the following range:
Start: 6a0ecf432b788c654d6a243257c53ddc1e909906 (20200420153711)
End: 272e82616218411bfb0b89ef7c710cd65830ece1 (20200420214939)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6a0ecf432b788c654d6a243257c53ddc1e909906&tochange=272e82616218411bfb0b89ef7c710cd65830ece1
|
|
Assignee | |
Comment 8•4 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #7)
Testcase bisects to the following range:
Start: 6a0ecf432b788c654d6a243257c53ddc1e909906 (20200420153711)
End: 272e82616218411bfb0b89ef7c710cd65830ece1 (20200420214939)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6a0ecf432b788c654d6a243257c53ddc1e909906&tochange=272e82616218411bfb0b89ef7c710cd65830ece1
Not sure what might have caused this in that range.
|
|
Assignee | |
Comment 9•4 years ago
•
|
||
Thanks for the log. This is the context of the assert
Painting --- before optimization (dirty 0,0,69120,50820):
SolidColor p=0x560e6892f028 f=0x560e688bf170(Viewport(-1)) key=54 bounds(0,0,69120,50820) layerBounds(0,0,69120,50820) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip() asr() clipChain() uniform ref=0x560e688bf170 agr=0x560e688bf170 (opaque 0,0,69120,50820) (rgba 255,255,255,255)
CompositorHitTestInfo p=0x560e6892eaf0 f=0x560e688bf2f8(HTMLScroll(html)(-1)) key=27 bounds(0,0,0,0) layerBounds(0,0,0,0) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip() asr() clipChain() ref=0x560e688bf170 agr=0x560e688bf170 hitTestInfo(0x1) hitTestArea(0,0,69120,50820)
CompositorHitTestInfo p=0x560e6892ebe0 f=0x560e688bf218(Canvas(html)(-1)) key=283 bounds(0,0,0,0) layerBounds(0,0,0,0) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip() asr(<0x560e688bf398>) clipChain(0x560e6892ecd0 <0,0,69120,50820> [root asr]) ref=0x560e688bf170 agr=0x560e688bf218 hitTestInfo(0x1) hitTestArea(0,0,69120,50820)
CompositorHitTestInfo p=0x560e6892eda8 f=0x560e688bf218(Canvas(html)(-1)) key=27 bounds(0,0,0,0) layerBounds(0,0,0,0) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip(0,0,69120,50820) asr(<0x560e688bf398>) clipChain(0x560e6892ed60 <0,0,69120,50820> [0x560e688bf398], 0x560e6892ecd0 <0,0,69120,50820> [root asr]) ref=0x560e688bf170 agr=0x560e688bf218 hitTestInfo(0x1) hitTestArea(0,0,69120,50820)
CanvasBackgroundColor p=0x560e6892ee98 f=0x560e688bf218(Canvas(html)(-1)) key=17 bounds(0,0,69120,50820) layerBounds(0,0,69120,50820) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip(0,0,69120,50820) asr(<0x560e688bf398>) clipChain(0x560e6892ed60 <0,0,69120,50820> [0x560e688bf398], 0x560e6892ecd0 <0,0,69120,50820> [root asr]) uniform ref=0x560e688bf170 agr=0x560e688bf218 (opaque 0,0,69120,50820) (rgba 255,255,255,255)
nsDisplayCanvas p=0x560e6892ef60 f=0x560e688c0050(HTMLCanvas(canvas)(0)) key=16 bounds(480,480,18000,9000) layerBounds(480,480,18000,9000) visible(0,0,69120,50820) building(0,0,69120,50820) componentAlpha(0,0,0,0) clip(0,0,69120,50820) asr(<0x560e688bf398>) clipChain(0x560e6892ed60 <0,0,69120,50820> [0x560e688bf398], 0x560e6892ecd0 <0,0,69120,50820> [root asr]) ref=0x560e688bf170 agr=0x560e688bf218
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Paint() is not implemented!), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:3232
This seems to point to nsDisplayCanvas as the item without an implemented Paint. Because we are calling PushItemAsImage we know that CreateWebRenderCommands returned false, the only way that happens is if the context type of the canvas element is none.
|
|
Assignee | |
Comment 10•4 years ago
|
||
The reason it is hard to reproduce is that the canvas context type
is not initialized in the constructors of the objects that subclass CanvasRenderingContextHelper (which does not have a constructor defined in the file afaict). So the context type is random and we don't hit any of the cases in the select in nsDisplayCanvas::CreateWebRenderCommands and so we return true. If we fix that then we always hit the NoContext case and return false and then hit this assert 100% of the time. With that fix all we need to do to hit the assert is <canvas>.
|
|
Assignee | |
Comment 11•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 12•4 years ago
|
||
Depends on D76438
|
|
||
Updated•4 years ago
|
|
|
||
Comment 13•4 years ago
•
|
||
Edited to removed duplicate bisection.
|
||
Comment 14•4 years ago
|
||
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c60409cd0710 Make sure CanvasRenderingContextHelper::mCurrentContextType is initialized. r=nical https://hg.mozilla.org/integration/autoland/rev/4c53c244dba1 Handle a canvas with no context with webrender by doing nothing, instead of trying to paint it as fallback. r=nical
|
|
Assignee | |
Comment 15•4 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #7)
Testcase bisects to the following range:
Start: 6a0ecf432b788c654d6a243257c53ddc1e909906 (20200420153711)
End: 272e82616218411bfb0b89ef7c710cd65830ece1 (20200420214939)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6a0ecf432b788c654d6a243257c53ddc1e909906&tochange=272e82616218411bfb0b89ef7c710cd65830ece1
https://hg.mozilla.org/mozilla-central/rev/6cac3798d4e55540ef98573afde2bc698769e7cc
Bug 1608849 - Switch Linux Fuzzing Debug build to use clang. r=froydnj
looks like it could be the reason that bisection found this range, a change of compiler could change what uninitialized memory is.
|
||
Comment 16•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c60409cd0710
https://hg.mozilla.org/mozilla-central/rev/4c53c244dba1
|
||
Comment 17•4 years ago
|
||
The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 18•4 years ago
|
||
Comment on attachment 9150960 [details]
Bug 1639975. Make sure CanvasRenderingContextHelper::mCurrentContextType is initialized. r?nical
Beta/Release Uplift Approval Request
- User impact if declined: not much?
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): initalize a field that went unitialized
- String changes made/needed:
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 19•4 years ago
|
||
Comment on attachment 9150960 [details]
Bug 1639975. Make sure CanvasRenderingContextHelper::mCurrentContextType is initialized. r?nical
Given that we already shipped with this defect and that we are past betas, it doesn't seem a good fit to include in a RC2, thanks.
|
|
||
Updated•4 years ago
|
Description
•