Closed Bug 1642440 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at third_party/rust/euclid/src/point.rs:393

Categories

(Core :: Graphics: WebRender, defect)

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- unaffected
firefox77 --- unaffected
firefox78 --- verified
firefox79 --- verified

People

(Reporter: tsmith, Assigned: cbrewster)

References

(Blocks 3 open bugs, Regression)

Details

(4 keywords)

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c 20200601-fca693218e52

Hit MOZ_CRASH(called Option::unwrap() on a None value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:393

18|0|libxul.so|RustMozCrash|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:fca693218e528ad68e3437f8b4d58299a7d0e34a|17|0x15
18|1|libxul.so|mozglue_static::panic_hook|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|89|0x9
18|2|libxul.so|core::ops::function::Fn::call|git:github.com/rust-lang/rust:src/libcore/ops/function.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|72|0xc
18|3|libxul.so|std::panicking::rust_panic_with_hook|git:github.com/rust-lang/rust:src/libstd/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|474|0x7
18|4|libxul.so|rust_begin_unwind|git:github.com/rust-lang/rust:src/libstd/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|378|0x2f
18|5|libxul.so|core::panicking::panic_fmt|git:github.com/rust-lang/rust:src/libcore/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|85|0x6
18|6|libxul.so|core::panicking::panic|git:github.com/rust-lang/rust:src/libcore/panicking.rs:4fb7144ed159f94491249e86d5bbd033b5d60550|52|0x49
18|7|libxul.so|webrender::prim_store::get_raster_rects|hg:hg.mozilla.org/mozilla-central:third_party/rust/euclid/src/rect.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|0|0xb
18|8|libxul.so|webrender::picture::PicturePrimitive::take_context|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/picture.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|4856|0x8
18|9|libxul.so|webrender::prim_store::PrimitiveStore::prepare_prim_for_render|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2667|0x21
18|10|libxul.so|webrender::prim_store::PrimitiveStore::prepare_primitives|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2831|0x2a
18|11|libxul.so|webrender::prim_store::PrimitiveStore::prepare_prim_for_render|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2712|0x2d
18|12|libxul.so|webrender::prim_store::PrimitiveStore::prepare_primitives|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/prim_store/mod.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|2831|0x2a
18|13|libxul.so|webrender::frame_builder::FrameBuilder::build|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/frame_builder.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|475|0x3c
18|14|libxul.so|webrender::render_backend::Document::build_frame|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|615|0x22
18|15|libxul.so|webrender::render_backend::RenderBackend::update_document|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|1522|0x1c
18|16|libxul.so|webrender::render_backend::RenderBackend::process_api_msg|hg:hg.mozilla.org/mozilla-central:gfx/wr/webrender/src/render_backend.rs:fca693218e528ad68e3437f8b4d58299a7d0e34a|1300|0x199
Flags: in-testsuite?
Crash Signature: [@ webrender::prim_store::get_raster_rects ]

A Pernosco session is available here: https://pernos.co/debug/1T3L8yInKYieJ-of7QB-Hg/index.html

good: mostly black page, depends on zoom level. (In Chrome, it's completely black with 25% zoom, otherwise completely white.)
bad: grey page > fallback to basic (you might need to switch tabs multiple times) > white page
mozregression --good 2020-04-28 --bad 2020-05-31 --pref gfx.webrender.all:true security.sandbox.content.level:0 -a https://bugzilla.mozilla.org/attachment.cgi?id=9153207 -a about:support

9:43.26 INFO: Last good revision: 6e5ab322dc4d0a68833dbd73e55a4657d0c219c2
9:43.26 INFO: First bad revision: a94271c84318acba14a63c52ba98afe512b071f7
9:43.26 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6e5ab322dc4d0a68833dbd73e55a4657d0c219c2&tochange=a94271c84318acba14a63c52ba98afe512b071f7

a94271c84318acba14a63c52ba98afe512b071f7 cbrewster — Bug 1559861: WR - Scale picture tasks based on their surface to parent transform scale factors r=gw,Bert

mozregression --repo autoland --launch a94271c84318acba14a63c52ba98afe512b071f7 --pref gfx.webrender.all:true -a https://bugzilla.mozilla.org/attachment.cgi?id=9153207 -B debug

0:41.83 INFO: b'Hit MOZ_CRASH(called Option::unwrap() on a None value) at /builds/worker/checkouts/gecko/third_party/rust/euclid/src/point.rs:393'

https://searchfox.org/mozilla-central/rev/8ccea36c4fb09412609fb738c722830d7098602b/third_party/rust/euclid/src/point.rs#393

Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: regression
Regressed by: 1559861

It looks like this is hitting a case where the surface scale factor is large enough that when we try to compute the raster rects, we hit an integer overflow when casting the float rect to a DeviceIntRect.

Normally very large scaling factors get scaled down by our 4096x4096 max rect check, but that check occurs after we cast to DeviceIntRect.

A quick solution would be to put a maximum value on the scaling factor for a surface, but I don't really think this is the most elegant approach, and the maximum value would be somewhat arbitrary.

Maybe it would make sense to do a max surface size check & scale before attempting to cast to a DeviceIntRect?

Severity: -- → S2
Flags: needinfo?(jbonisteel)
Blocks: wr-stability
Flags: needinfo?(gwatson)
Flags: needinfo?(bpeers)
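
Added example, not part of the bug comments or the landed patch: a Rust sketch of the ordering problem described in the comment above, where a checked float-to-integer cast yields None for out-of-range values and the size limit is only applied afterwards, next to the proposed order that bounds the scale in float space first. All type and function names are hypothetical, the rect layout is simplified, and the sample input is constructed; only the 4096 limit is taken from the bug.

```rust
// Added illustration: type and function names are hypothetical, not WebRender's.
const MAX_SURFACE_SIZE: f32 = 4096.0; // the 4096x4096 limit mentioned in the bug

#[derive(Debug, Clone, Copy, PartialEq)]
struct RectF { x: f32, y: f32, w: f32, h: f32 }

#[derive(Debug, Clone, Copy, PartialEq)]
struct RectI { x: i32, y: i32, w: i32, h: i32 }

fn scaled(r: RectF, s: f32) -> RectF {
    RectF { x: r.x * s, y: r.y * s, w: r.w * s, h: r.h * s }
}

/// Checked f32 -> i32: None for NaN, infinities and out-of-range values.
fn checked_i32(v: f32) -> Option<i32> {
    // i32::MAX is not representable in f32 (it rounds to 2^31),
    // so the upper bound is exclusive.
    if v >= -2147483648.0 && v < 2147483648.0 { Some(v as i32) } else { None }
}

fn try_cast(r: RectF) -> Option<RectI> {
    Some(RectI { x: checked_i32(r.x)?, y: checked_i32(r.y)?,
                 w: checked_i32(r.w)?, h: checked_i32(r.h)? })
}

/// Order the bug describes: cast first, apply the size limit afterwards.
fn cast_then_clamp(r: RectF, scale: f32) -> Option<RectI> {
    // Calling unwrap() on this result instead of propagating it is the panic.
    let dev = try_cast(scaled(r, scale))?;
    let max = MAX_SURFACE_SIZE as i32;
    Some(RectI { w: dev.w.min(max), h: dev.h.min(max), ..dev })
}

/// Order the bug proposes: bound the scale in float space, then cast.
fn clamp_then_cast(r: RectF, scale: f32) -> Option<RectI> {
    let max_scale = MAX_SURFACE_SIZE / r.w.max(r.h); // +inf for an empty rect
    try_cast(scaled(r, scale.min(max_scale)))
}

fn main() {
    let r = RectF { x: 8.0, y: 8.0, w: 128.0, h: 64.0 }; // constructed sample input
    println!("cast then clamp: {:?}", cast_then_clamp(r, 1.0e9));
    println!("clamp then cast: {:?}", clamp_then_cast(r, 1.0e9));
}
```

The second function still returns an Option, so a rect whose origin alone is out of range is reported to the caller rather than unwrapped.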

Your suggested solution sounds reasonable to me: we can construct arbitrary test cases to get arbitrary overflows, so clamping to the largest value we can support (float max) seems like good defensive programming.

Flags: needinfo?(bpeers)

S1 or S2 bugs need an assignee - could you find someone for this bug?

Assignee: nobody → connorbrewster
Flags: needinfo?(jbonisteel)

Yup, that sounds reasonable to me.

Flags: needinfo?(gwatson)
No longer blocks: gfx-triage
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e35471f49dcd
Wait to cast picture device rects to i32 until ensuring it won't overflow r=Bert
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

Comment on attachment 9154636 [details]
Bug 1642440: Wait to cast picture device rects to i32 until ensuring it won't overflow r=gw,Bert

Beta/Release Uplift Approval Request

  • User impact if declined: WebRender panics on the provided test case.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Open original test-case. Before this patch, WebRender panics.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a small patch which ensures we don't accidentally overflow i32 rects when casting from f32 rects. If this causes any breakage, it is easy to back out.
  • String changes made/needed: none
Attachment #9154636 - Flags: approval-mozilla-beta?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

This issue is verified as fixed in our latest Nightly build 79.0a1 (2020-06-09) on Windows 10.

Comment on attachment 9154636 [details]
Bug 1642440: Wait to cast picture device rects to i32 until ensuring it won't overflow r=gw,Bert

approved for 78.0b6

Attachment #9154636 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

This issue is verified as fixed in our latest Beta 78.0b6 on Windows 10.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+