Closed Bug 1654901 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(assertion failed: `(left == right)` left: `FrameId(0)`, right: `FrameId(36)`) at gfx/wr/webrender/src/batch.rs:880

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- verified

People

(Reporter: tsmith, Assigned: kvark)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords)

Crash Data

Attachments

(5 files)

testcase.html
316 bytes, text/html
Details
prefs.js
8.92 KB, application/x-javascript
Details
Bildschirmfoto von 2020-07-24 00-31-33.png
2.37 MB, image/png
Details
ff_asan_log.46029
10.89 KB, text/plain
Details
Make WR primitives invisible when failing to prepare for rendering
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Reduced with m-c 20200723-138e7b575614

#0 0x7ff8c22c8e44 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7ff8c22c8e44 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:331:3
#2 0x7ff8c22c8e44 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#3 0x7ff8c22c8df4 in mozglue_static::panic_hook::h718309d1c883b225 src/mozglue/static/rust/lib.rs:89:8
#4 0x7ff8c22c86eb in core::ops::function::Fn::call::hff608039b849de82 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
#5 0x7ff8c3690b54 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
#6 0x7ff8c369066a in rust_begin_unwind /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:378:4
#7 0x7ff8c36905da in std::panicking::begin_panic_fmt::h82e7fee729e9f5fb /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:332:4
#8 0x7ff8c1d2149d in webrender::batch::BatchBuilder::add_prim_to_batch::h82115e7295f6c62c src/gfx/wr/webrender/src/render_task_graph.rs
#9 0x7ff8c1d16a1c in webrender::batch::BatchBuilder::add_pic_to_batch::hcd1d35bcf8e52a95 src/gfx/wr/webrender/src/batch.rs:775:16
#10 0x7ff8c1e107e4 in _$LT$webrender..render_target..ColorRenderTarget$u20$as$u20$webrender..render_target..RenderTarget$GT$::build::h9224b0d038051a2a src/gfx/wr/webrender/src/render_target.rs:413:20
#11 0x7ff8c1d7b59e in webrender::render_target::RenderTargetList$LT$T$GT$::build::h4c27a271a6017b98 src/gfx/wr/webrender/src/render_target.rs:214:12
#12 0x7ff8c1d7b59e in webrender::frame_builder::build_render_pass::ha40f43ab093df2b0 src/gfx/wr/webrender/src/frame_builder.rs:971:12
#13 0x7ff8c1d7b59e in webrender::frame_builder::FrameBuilder::build::h7aabb6f4113eb687 src/gfx/wr/webrender/src/frame_builder.rs:604:16
#14 0x7ff8c1ded12c in webrender::render_backend::Document::build_frame::h44512d514e5d2c4a src/gfx/wr/webrender/src/render_backend.rs:649:24
#15 0x7ff8c1e02182 in webrender::render_backend::RenderBackend::update_document::h196a4214ebf4c562 src/gfx/wr/webrender/src/render_backend.rs:1609:40
#16 0x7ff8c1dfe822 in webrender::render_backend::RenderBackend::prepare_transactions::h557da448843cbaa5 src/gfx/wr/webrender/src/render_backend.rs:1446:31
#17 0x7ff8c1dfe822 in webrender::render_backend::RenderBackend::process_api_msg::hcb87cd7500bcc3f4 src/gfx/wr/webrender/src/render_backend.rs:1389:16
#18 0x7ff8c1df1503 in webrender::render_backend::RenderBackend::run::h4fc7fec56b498a1c src/gfx/wr/webrender/src/render_backend.rs:1013:20
#19 0x7ff8c1c125ba in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h1d1771a6b4a93222 src/gfx/wr/webrender/src/renderer.rs:2636:12
#20 0x7ff8c1c125ba in std::sys_common::backtrace::__rust_begin_short_backtrace::h296d5f0cf6829c52 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/sys_common/backtrace.rs:130:4
#21 0x7ff8c1c2fee2 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hc59e0588a605a91f /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/thread/mod.rs:475:16
#22 0x7ff8c1c2fee2 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha38e7ec64cf5e7b1 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panic.rs:318:8
#23 0x7ff8c1c2fee2 in std::panicking::try::do_call::hab091676fbf173e7 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:303:39
#24 0x7ff8c36a1b78 in __rust_maybe_catch_panic /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libpanic_abort/lib.rs:30:4
Flags: in-testsuite?
Attached file prefs.js
Keywords: bugmon

bp-4fdbe9c4-23ad-429e-92c5-c3f7a0200723

MOZ_CRASH Reason (Sanitized) handle not requested or allocated!
GraphicsCriticalError |[G0][GFX1-]: Unable to set glyph size and transform: 23 (t=3236.27) |[G1][GFX1-]: Unable to set glyph size and transform: 23 (t=12478.5) |[G2][GFX1-]: Unable to set glyph size and transform: 23 (t=13630.6) |[G3][GFX1-]: Unable to set glyph size and transform: 23 (t=14179.8) |[G4][GFX1-]: Unable to set glyph size and transform: 23 (t=15000.3) |[G5][GFX1-]: Unable to set glyph size and transform: 23 (t=15000.3) |[G6][GFX1-]: Unable to set glyph size and transform: 23 (t=15840.1)

Blocks: 1654302, wr-stability
Crash Signature: [@ core::option::expect_failed | webrender::gpu_cache::GpuCache::get_address ]
OS: Unspecified → All
Hardware: Unspecified → All

Gnome Xwayland, Debian Testing, Intel HD Graphics 630 (KBL GT2), 2560x1440

With good and bad, resizing is slow and sometimes you can see some glitches.
bad: Resize window until it crashes. ("Process exited with code 11")

mozregression --good 2020-07-01 --bad 2020-07-22 --pref gfx.webrender.all:true layers.gpu-process.enabled:false gfx.webrender.panic-on-gl-error:true widget.disable-native-theme-for-content:true layout.css.backdrop-filter.enabled:true -a https://bug1654901.bmoattachments.org/attachment.cgi?id=9165761

10:48.27 INFO: Last good revision: 3baa645a131c9e9ea987a843af5e04fcc7b46570
10:48.27 INFO: First bad revision: 270edd51781f90cd532edbf9c6dbcfe588d71242
10:48.27 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3baa645a131c9e9ea987a843af5e04fcc7b46570&tochange=270edd51781f90cd532edbf9c6dbcfe588d71242

270edd51781f90cd532edbf9c6dbcfe588d71242 Mark Striemer — Bug 1652627 - Setup a pref for tab modal print UI r=Gijs,sfoster
c19d6d6768688fb627256cf2b871052f6dd7e9e2 Dzmitry Malyshau — Bug 1647918 - Refactor the clip task assignment logic in WR r=gw

mozregression --repo autoland --launch 270edd51781f90cd532edbf9c6dbcfe588d71242 -B debug --pref layers.gpu-process.enabled:false gfx.webrender.panic-on-gl-error:true widget.disable-native-theme-for-content:true layout.css.backdrop-filter.enabled:true -a https://bug1654901.bmoattachments.org/attachment.cgi?id=9165761

0:40.41 INFO: b'Hit MOZ_CRASH(assertion failed: (left == right)'
0:40.41 INFO: b' left: FrameId(0),'
0:40.41 INFO: b' right: FrameId(54)) at gfx/wr/webrender/src/batch.rs:880'

status-firefox78: --- → unaffected
status-firefox79: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: needinfo?(dmalyshau)
Keywords: regression
Regressed by: 1647918
Has Regression Range: --- → yes

I'm unsure about this observation, but it seemed creepy to me:
During running mozregression my regular (minimized) Nightly crashed/closed without report - multiple times.

Running this I can now reliably crash minimized Chromiums' uBlock Origin. ?!
mozregression --repo autoland --launch 270edd51781f90cd532edbf9c6dbcfe588d71242 --pref layers.gpu-process.enabled:false gfx.webrender.panic-on-gl-error:true widget.disable-native-theme-for-content:true layout.css.backdrop-filter.enabled:true -a https://bug1654901.bmoattachments.org/attachment.cgi?id=9165761

Restricting because creepy.

Group: core-security

A Pernosco session is available here: https://pernos.co/debug/IJ7L-geUb0_70l64BzP75A/index.html

Group: core-security → gfx-core-security
Attached file ff_asan_log.46029

==46029==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe97768abeb bp 0x7fe953aacb30 sp 0x7fe953aac6f0 T27)
==46029==The signal is caused by a WRITE memory access.

From googling it doesn't sound wild as long it's a null pointer(?). Memory usage just shortly explodes to the maximum available 7.7 GB RAM. Were my Nightly and Chromium's uBlock Origin just OOMing?

Attachment #9165785 - Attachment mime type: application/octet-stream → text/plain
Assignee: nobody → dmalyshau
Status: NEW → ASSIGNED
Flags: needinfo?(dmalyshau)

the problem was that paths that determined visibility were not switching it off
on the primitive instance. Now it's moved one level higher.

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #4)

I'm unsure about this observation, but it seemed creepy to me:
During running mozregression my regular (minimized) Nightly crashed/closed without report - multiple times.

That seems like a separate issue?
I don't think the original debug assertion should be considered a security problem.

https://hg.mozilla.org/integration/autoland/rev/5e5b664a9b5ecba443472c38b1100bae3ab55c9e
https://hg.mozilla.org/mozilla-central/rev/5e5b664a9b5e

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

(In reply to Dzmitry Malyshau [:kvark] from comment #10)

I don't think the original debug assertion should be considered a security problem.

Verified as fixed. Thanks! Please unhide this bug then. I'm just a bot in this regard.

Status: RESOLVED → VERIFIED
status-firefox80: fixedverified
No longer blocks: 1654302
Group: core-security-release
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: