Open Bug 1651258 Opened 4 years ago Updated 3 months ago

backdrop-filter: stack-overflow in [@ webrender::prepare::prepare_prim_for_render]

Categories

(Core :: Graphics: WebRender, defect, P3)

Desktop
Linux
defect

Tracking

()

REOPENED
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox-esr91 --- disabled
firefox78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox83 --- disabled
firefox84 --- disabled
firefox85 --- disabled
firefox92 --- disabled
firefox93 --- disabled
firefox94 --- disabled
firefox95 --- disabled

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 4 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
==222263==ERROR: AddressSanitizer: stack-overflow on address 0x7f2dc2db6ff8 (pc 0x7f2de417b05c bp 0x7f2dc2db7020 sp 0x7f2dc2db7000 T14)
    #0 0x7f2de417b05b in webrender::space::SpaceMapper$LT$F$C$T$GT$::map::h67ab817b1bbd57b0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/space.rs:112
    #1 0x7f2de41a6b8e in webrender::picture::get_raster_rects::hdfff1b96a2876a80 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:7130:32
    #2 0x7f2de4147597 in webrender::picture::PicturePrimitive::take_context::h2521a7d68bbd93a6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:4823:57
    #3 0x7f2de4152438 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:144:22
    #4 0x7f2de4152438 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #5 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    #6 0x7f2de41525e1 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #7 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    #8 0x7f2de41525e1 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #9 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    ...
Flags: in-testsuite?
Attached file prefs.js

Gnome X11, GTX1060, Debian Testing
The GPU process crashes without report.

good: no crash
bad: crash
mozregression --good 2019-12-01 --bad 2020-01-15 --pref gfx.webrender.all:true layout.css.backdrop-filter.enabled:true layers.gpu-process.enabled:false -a https://bug1651258.bmoattachments.org/attachment.cgi?id=9162033

5:42.57 INFO: Last good revision: 08056399677f857d6f2b8189532cb28cde666a81
5:42.57 INFO: First bad revision: b5c8349e4e351559e92ff2704b0f36033395b24a
5:42.57 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=08056399677f857d6f2b8189532cb28cde666a81&tochange=b5c8349e4e351559e92ff2704b0f36033395b24a

b5c8349e4e351559e92ff2704b0f36033395b24a Mats Palmgren — Bug 1602430 - Apply min/max-height correctly for fragmented boxes with no height specified. r=TYLin
44689b5ff306b9ebee413c4e0f0a32f88204ae5c Mats Palmgren — Bug 1574046 - Wallpaper the effect of this bug in nsBlockFrame::ComputeFinalSize. r=TYLin

Has STR: --- → yes
Keywords: regression
Summary: stack-overflow in [@ webrender::prepare::prepare_prim_for_render] → backdrop-filter: stack-overflow in [@ webrender::prepare::prepare_prim_for_render]

We should be able to fix this by removing the recursion from https://searchfox.org/mozilla-central/source/gfx/wr/webrender/src/prepare.rs#46.
Adding this to triage so we can discuss priority.

Blocks: gfx-triage
Severity: -- → S3
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → Desktop
Flags: needinfo?(ktaeleman)
Blocks: wr-80
No longer blocks: gfx-triage
Assignee: nobody → ktaeleman
Flags: needinfo?(ktaeleman)
Blocks: wr-81
No longer blocks: wr-80
Assignee: ktaeleman → nobody
No longer blocks: wr-81
No longer blocks: gfx-82
No longer blocks: gfx-83
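
The stack trace above alternates between prepare_primitives and prepare_prim_for_render, adding frames for every nested picture, so the nesting depth of the content decides how far the native stack grows. As an added illustration of what "removing the recursion" means (this is not code from this bug or from WebRender; Prim, Scene, nested_chain and both prepare_* functions are hypothetical names), the example below walks the same nested structure recursively and with an explicit heap-allocated work list:

```rust
// Added illustration: hypothetical types, not WebRender's own data structures.
enum Prim {
    Leaf,
    Picture { children: Vec<usize> }, // child indices into Scene::prims
}

struct Scene { prims: Vec<Prim> }

impl Scene {
    // Recursive shape: one native stack frame per nesting level, so the
    // page content decides how deep the call stack grows.
    fn prepare_recursive(&self, idx: usize) -> usize {
        match &self.prims[idx] {
            Prim::Leaf => 1,
            Prim::Picture { children } => {
                1 + children.iter().map(|&c| self.prepare_recursive(c)).sum::<usize>()
            }
        }
    }

    // Iterative shape: pending work lives in a heap-allocated Vec, so deep
    // nesting costs memory instead of stack. Returns (visited, max depth).
    fn prepare_iterative(&self, root: usize) -> (usize, usize) {
        let mut work = vec![(root, 1usize)];
        let (mut visited, mut max_depth) = (0usize, 0usize);
        while let Some((idx, depth)) = work.pop() {
            visited += 1;
            max_depth = max_depth.max(depth);
            if let Prim::Picture { children } = &self.prims[idx] {
                work.extend(children.iter().map(|&c| (c, depth + 1)));
            }
        }
        (visited, max_depth)
    }
}

// Constructed input: `depth` pictures nested inside each other around one leaf.
fn nested_chain(depth: usize) -> Scene {
    let mut prims: Vec<Prim> = (0..depth)
        .map(|i| Prim::Picture { children: vec![i + 1] })
        .collect();
    prims.push(Prim::Leaf);
    Scene { prims }
}

fn main() {
    assert_eq!(nested_chain(100).prepare_recursive(0), 101);
    println!("{:?}", nested_chain(1_000_000).prepare_iterative(0));
}
```

The scene is stored as a flat arena of indices rather than nested boxes so that dropping a very deep scene does not itself recurse.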

This still crashes without generating a crash report.

Assignee: nobody → gwatson
No longer blocks: gfx-triage

Reproduced, we do not seem to hit any display list building asserts.

Debian Testing, Macbook Pro: Does not seem to crash anymore, but the whole browser hangs for seconds.

Setting firefox94 to affected due to bug 1578503 comment 14.

For what it's worth, I cannot reproduce this crash trying the attached test case with gfx.webrender.all, layout.css.backdrop-filter.enabled set to true and layers.gpu-process.enabled set to false. I've tested this using Nightly 102.0a1 (2022-05-30) on Windows 11.

I've also run mozregression, which only spit out that the crash stopped occurring after bug 1741779, of course. Though obviously it didn't re-occur after re-enabling the feature.

Tyson, can you confirm that?

Sebastian

Flags: needinfo?(twsmith)

I am also unable to reproduce the issue with the attached test case. It was last reported by fuzzers targeting m-c 20211121-dfb1c3b5cd6d which seems to track with the timeline.

Flags: needinfo?(twsmith)

So I guess we can close this bug then, right?

Sebastian

Yes :)

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

This testcase crashes Firefox (and often the whole machine) for me. I am reopening this bug, but please close as appropriate.
https://crash-stats.mozilla.org/report/index/378624a9-aaa8-4158-8727-cd8530240317

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: needinfo?(gwatson)
Flags: needinfo?(gwatson)