Open Bug 1651258 Opened 1 year ago Updated 7 days ago

backdrop-filter: stack-overflow in [@ webrender::prepare::prepare_prim_for_render]

Categories

(Core :: Graphics: WebRender, defect, P3)

Desktop
Linux
defect

Tracking

()

Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox-esr91 --- disabled
firefox78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox83 --- disabled
firefox84 --- disabled
firefox85 --- disabled
firefox92 --- disabled
firefox93 --- disabled
firefox94 --- affected

People

(Reporter: tsmith, Assigned: gw)

References

(Blocks 4 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
==222263==ERROR: AddressSanitizer: stack-overflow on address 0x7f2dc2db6ff8 (pc 0x7f2de417b05c bp 0x7f2dc2db7020 sp 0x7f2dc2db7000 T14)
    #0 0x7f2de417b05b in webrender::space::SpaceMapper$LT$F$C$T$GT$::map::h67ab817b1bbd57b0 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/space.rs:112
    #1 0x7f2de41a6b8e in webrender::picture::get_raster_rects::hdfff1b96a2876a80 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:7130:32
    #2 0x7f2de4147597 in webrender::picture::PicturePrimitive::take_context::h2521a7d68bbd93a6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/picture.rs:4823:57
    #3 0x7f2de4152438 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:144:22
    #4 0x7f2de4152438 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #5 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    #6 0x7f2de41525e1 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #7 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    #8 0x7f2de41525e1 in webrender::prepare::prepare_primitives::h00884481759e1d47 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:95:15
    #9 0x7f2de41525e1 in webrender::prepare::prepare_prim_for_render::hfea3b496acb78c4c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/prepare.rs:190:12
    ...
Flags: in-testsuite?
Attached file prefs.js

Gnome X11, GTX1060, Debian Testing
The GPU process crashes without report.

good: no crash
bad: crash
mozregression --good 2019-12-01 --bad 2020-01-15 --pref gfx.webrender.all:true layout.css.backdrop-filter.enabled:true layers.gpu-process.enabled:false -a https://bug1651258.bmoattachments.org/attachment.cgi?id=9162033

5:42.57 INFO: Last good revision: 08056399677f857d6f2b8189532cb28cde666a81
5:42.57 INFO: First bad revision: b5c8349e4e351559e92ff2704b0f36033395b24a
5:42.57 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=08056399677f857d6f2b8189532cb28cde666a81&tochange=b5c8349e4e351559e92ff2704b0f36033395b24a

b5c8349e4e351559e92ff2704b0f36033395b24a Mats Palmgren — Bug 1602430 - Apply min/max-height correctly for fragmented boxes with no height specified. r=TYLin
44689b5ff306b9ebee413c4e0f0a32f88204ae5c Mats Palmgren — Bug 1574046 - Wallpaper the effect of this bug in nsBlockFrame::ComputeFinalSize. r=TYLin

Has STR: --- → yes
Keywords: regression
Summary: stack-overflow in [@ webrender::prepare::prepare_prim_for_render] → backdrop-filter: stack-overflow in [@ webrender::prepare::prepare_prim_for_render]

We should be able to fix this by removing the recursion from https://searchfox.org/mozilla-central/source/gfx/wr/webrender/src/prepare.rs#46.
Adding this to triage so we can discuss priority.

Blocks: gfx-triage
Severity: -- → S3
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → Desktop
Flags: needinfo?(ktaeleman)
Blocks: wr-80
No longer blocks: gfx-triage
Assignee: nobody → ktaeleman
Flags: needinfo?(ktaeleman)
Blocks: wr-81
No longer blocks: wr-80
Assignee: ktaeleman → nobody
No longer blocks: wr-81
No longer blocks: gfx-82
No longer blocks: gfx-83

This still crashes without generating a crash report.

Assignee: nobody → gwatson
No longer blocks: gfx-triage

Reproduced, we do not seem to hit any display list building asserts.

Debian Testing, Macbook Pro: Does not seem to crash anymore, but the whole browser hangs for seconds.

Setting firefox94 to affected due to bug 1578503 comment 14.

You need to log in before you can comment on or make changes to this bug.