1677515 - Hit MOZ_CRASH(assertion failed: dimensions.height >= self.max_dynamic_size.height) at gfx/wr/webrender/src/render_target.rs:279

Status: RESOLVED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.zip

Testcase found while fuzzing mozilla-central rev e22423381bcd (built with --enable-debug).

Hit MOZ_CRASH(assertion failed: dimensions.height >= self.max_dynamic_size.height) at gfx/wr/webrender/src/render_target.rs:279

    #0 0x7f0e124eeda5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
    #1 0x7f0e124eeda5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #2 0x7f0e124eed54 in mozglue_static::panic_hook::h6e70bafc479dc06d /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
    #3 0x7f0e124ee67b in core::ops::function::Fn::call::h01fce3a141895069 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #4 0x7f0e134a9b77 in std::panicking::rust_panic_with_hook::haa1ed36ada4ffb03 /rustc/18bf6b4f01a6feaf7259ba7cdae58031af1b7b39/library/std/src/panicking.rs:573:17
    #5 0x7f0e11d8bcc5 in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h71d3c72cb12674fd /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:498:9
    #6 0x7f0e11d7e11f in std::sys_common::backtrace::__rust_end_short_backtrace::he845e1c15d2231ac /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:153:18
    #7 0x7f0e11d8bc8e in std::panicking::begin_panic::h7a8bb569a0f27d1b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:497:12
    #8 0x7f0e11fe832e in webrender::renderer::Renderer::draw_frame::hed5bd89c1afbb813 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs
    #9 0x7f0e11fbb2e8 in webrender::renderer::Renderer::render_impl::h8038a6dba1d0e58e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs:3668:17
    #10 0x7f0e11fb85ca in webrender::renderer::Renderer::render::hdfbc7af5f22bb73d /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer.rs:3419:30
    #11 0x7f0e11d1188c in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:614:11
    #12 0x7f0e0bd4730e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:193:8
    #13 0x7f0e0bd460a4 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:488:31
    #14 0x7f0e0bd45b0f in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:325:3
    #15 0x7f0e0bd4ec2e in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #16 0x7f0e0bd4ec2e in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #17 0x7f0e0bd4ec2e in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #18 0x7f0e0ad01c2f in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:465:9
    #19 0x7f0e0ad02775 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:473:5
    #20 0x7f0e0ad02a1a in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:548:13
    #21 0x7f0e0ad03400 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #22 0x7f0e0ad018f3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #23 0x7f0e0ad0180d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #24 0x7f0e0ad0180d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #25 0x7f0e0ad0fa97 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #26 0x7f0e0ad0b009 in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #27 0x7f0e20a45608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #28 0x7f0e2060e292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Mayank Bansal]

Got a crash : https://crash-stats.mozilla.org/report/index/e8be8ac2-a050-4ec0-9740-bc9af0201116#tab-bugzilla

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201116101121-e22423381bcd.
The bug appears to have been introduced in the following build range:

Start: 07b5def477f77911c23ca458daf5aa7d649c0452 (20200331093231)
End: e3f5c752e57fb82c03a9e8fb288907599b6d9489 (20200331093915)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=07b5def477f77911c23ca458daf5aa7d649c0452&tochange=e3f5c752e57fb82c03a9e8fb288907599b6d9489

Comment 3

[Darkspirit]

e3f5c752e57fb82c03a9e8fb288907599b6d9489 Nicolas Silva — Bug 1595768 - Don't track empty items in the texture cache. r=gw
f777b2dc12235eb7668fb639f629db1017ad39cc Nicolas Silva — Bug 1595768 - Don't evict blank glyphs to avoid re-rasterizing them continuously. r=gw
fbeb908b3513f23cb815b207622f492279eff175 Nicolas Silva — Bug 1625220 - Add autocfg to duplicate exceptions. r=gw
793808082134bce53a0066f55f86c4a470a463ba Nicolas Silva — Bug 1625220 - Remove a number of Foo::from_untyped(&bar.to_untyped()) casts. r=gw
17bf8121665a1b6fa9ce8de05b53c9067e9933f9 Nicolas Silva — Bug 1625220 - Use euclid 0.20.8. r=gw
da4563936652c0f91133871df477f99292fac33a Nicolas Silva — Bug 1617050 - Take shadow offsets into account when clipping a primitive. r=gw

From testcase:

scale: 19662 ! important;
height: 69em;
border-top: transparent medium inset !important;
filter: drop-shadow(15mm -46mm springgreen);

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: a0b52f4d44f2f583fb6a8033c47973737f713bb8 (20201206213246)
End: 1297d9265f7223e573536af9f3e5adbe79beec25 (20201206210400)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=a0b52f4d44f2f583fb6a8033c47973737f713bb8&tochange=1297d9265f7223e573536af9f3e5adbe79beec25
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 5

[Darkspirit]

(Bugmon [:jkratzer for issues] from comment #4)

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: a0b52f4d44f2f583fb6a8033c47973737f713bb8 (20201206213246)
End: 1297d9265f7223e573536af9f3e5adbe79beec25 (20201206210400)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=a0b52f4d44f2f583fb6a8033c47973737f713bb8&tochange=1297d9265f7223e573536af9f3e5adbe79beec25
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The crash was fixed by:

1297d9265f7223e573536af9f3e5adbe79beec25 Glenn Watson — Bug 1676559 - Pt 9 - Make clip mask sampler depend on explicit cache texture. r=nical
95c9143cca21adf342535ac5e7c08e34032b9cb4 Glenn Watson — Bug 1676559 - Pt 8 - Move render target pool from renderer to frame building. r=nical,jnicol

---

first good (bug 1676559 comment 33): no crash, but a warning:
mozregression --repo autoland --launch a4209b1f9fc5 -a file:///home/darkspirit/Downloads/testcase/testcase.html -B debug -P stdout

0:57.91 INFO: b'[ERROR webrender::device::gl] Attempting to allocate a texture of size 2816x8448 above the limit, trimming'

---

The warning is also gone now:
mozregression --find-fix --bad 2020-12-09 --good 2021-10-10 -a file:///home/darkspirit/Downloads/testcase/testcase.html -P stdout

9:46.00 INFO: First good revision: 7ede736ae56e80163f5a169007dbeefdaeeaf195
9:46.00 INFO: Last bad revision: 0fccc6a4922d97ecc341be5ba257e11bbbf5a509
9:46.00 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0fccc6a4922d97ecc341be5ba257e11bbbf5a509&tochange=7ede736ae56e80163f5a169007dbeefdaeeaf195

7ede736ae56e80163f5a169007dbeefdaeeaf195 Nicolas Silva — Bug 1701395 - Report the device's max texture size (up to 16k). r=jrmuizel